Can't get valid Google Search results



cool2024
2010-08-10, 09:24
Let me first say, you guys are great for helping us out. Thanks in advance for everything. Onto the issue ...

I stupidly went onto a site that is known for infecting computers and got infected with malware.

My McAfee AV detected that something was wrong and immediately rebooted my computer.

After reboot, I did a scan using McAfee and found 4 files in my Local Settings / Temporary Internet Files and Local Settings / Temp folder. I immediately deleted the contents of the 2 folders.

Then I updated Spybot S&D and did a scan and it found a couple of items and removed them.

After that I rebooted again and whenever I go to google.com and do a search using Firefox, the malware returns some weird Google search results that aren't very useful.

Here is my DDS log, and thanks again.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 0:13:51.75 on Tue 08/10/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.368 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Prolific\One Button\OneBtn.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Chris\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Lock Computer on Starup] rundll32.exe user32.dll, LockWorkStation
uRun: [Google Update] "c:\documents and settings\chris\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Prolific_OneButton] c:\program files\prolific\one button\OneBtn.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: En&queue current page with Bulk Image Downloader - file://c:\program files\bulk image downloader\iemenu\iebidqueue.htm
IE: Enqueue link target with Bulk Ima&ge Downloader - file://c:\program files\bulk image downloader\iemenu\iebidlinkqueue.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open &link target with Bulk Image Downloader - file://c:\program files\bulk image downloader\iemenu\iebidlink.htm
IE: Open current page with Bulk I&mage Downloader - file://c:\program files\bulk image downloader\iemenu\iebid.htm
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\uexsl.dll
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\iqkv9dh5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/#General
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\chris\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07030901.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2005-9-16 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2005-9-16 5248]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-4-3 10112]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 214664]
R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [2004-4-4 151476]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-3-5 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-3-5 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-3-5 144704]
R2 TCPIP Pass-through Filter;TCPIP Pass-through Filter;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-3-5 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-5 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-5 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-3-5 40552]
R3 WMIBIOS;%WMIBIOS.ServiceName%;c:\windows\system32\drivers\wmibios.sys [2004-4-4 18272]
R3 WMIINFO;WMIINFO Driver;c:\windows\system32\drivers\wmiinfo.sys [2004-4-4 21184]
S1 atitray;atitray;\??\c:\program files\radeon omega drivers\v2.6.87\ati tray tools\atitray.sys --> c:\program files\radeon omega drivers\v2.6.87\ati tray tools\atitray.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-3-5 34248]
S3 PDSched;PDScheduler;c:\program files\raxco\perfectdisk\PDSched.exe [2005-6-28 241731]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-3-4 223128]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-8 24652]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-08-09 21:18:53 8192 ----a-w- c:\windows\system32\uexsl.dll
2010-08-09 21:18:53 8192 ----a-w- c:\windows\system32\qxdqei.dll
2010-08-09 21:18:53 19456 ----a-w- c:\windows\system32\msippsth.dll
2010-08-09 21:18:15 0 d-----w- c:\docume~1\chris\applic~1\B4EDEAF43A12AE939F3D7AD57EDBA29E

==================== Find3M ====================

2010-07-15 22:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-26 07:24:48 99756 ----a-w- c:\windows\War3Unin.dat
2004-10-11 00:49:20 457 ----a-w- c:\program files\INSTALL.LOG

============= FINISH: 0:15:27.17 ===============
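
Added example, not part of the thread and not code from the DDS tool: a small Python triage script that splits a DDS log into its sections, pulls the file paths out of the HJT-style load points (LSP, BHO, TB, uRun/mRun) and reports any load point whose file appears in "Created Last 30", together with the other files written in the same second. Run on an excerpt of the log above it flags the LSP entry c:\windows\system32\uexsl.dll (created 2010-08-09) and the two DLLs dropped alongside it; the section names and the line formats it expects are taken from the log as posted.

```python
"""Triage helper for DDS logs: correlate load points with recently created files.

Added here as an example; it is not part of DDS or of the thread. It only
matches file paths, so a load point pointing at an old file is not flagged.
"""
import re
from collections import defaultdict

# Excerpt of the DDS log posted above, trimmed to the lines that matter.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
LSP: c:\windows\system32\uexsl.dll
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 214664]

=============== Created Last 30 ================

2010-08-09 21:18:53 8192 ----a-w- c:\windows\system32\uexsl.dll
2010-08-09 21:18:53 8192 ----a-w- c:\windows\system32\qxdqei.dll
2010-08-09 21:18:53 19456 ----a-w- c:\windows\system32\msippsth.dll
2010-08-09 21:18:15 0 d-----w- c:\docume~1\chris\applic~1\B4EDEAF43A12AE939F3D7AD57EDBA29E

==================== Find3M ====================

2010-07-15 22:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# A Windows path ending in a binary extension; DDS paths may contain spaces.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:dll|exe|sys|ocx)(?=[\s\"\]/]|$)", re.IGNORECASE)
# "YYYY-MM-DD HH:MM:SS <size> <attrs> <path>" as used in Created Last 30 / Find3M
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(.+)$")


def split_sections(text):
    """Map each '===== NAME =====' header to the non-blank lines under it."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
        elif current and line:
            sections[current].append(line)
    return sections


def load_points(lines):
    """Return (kind, path) pairs for HJT-style entries that reference a binary."""
    found = []
    for line in lines:
        kind, sep, rest = line.partition(":")
        path = PATH_RE.search(rest) if sep else None
        if path:
            found.append((kind.strip(), path.group(0).lower()))
    return found


def created_files(lines):
    """Return {path: (timestamp, size)} for a Created Last 30 style section."""
    files = {}
    for line in lines:
        m = CREATED_RE.match(line)
        if m and not m.group(3).startswith("d"):  # skip directory entries
            files[m.group(4).strip().lower()] = (m.group(1), int(m.group(2)))
    return files


def triage(text):
    """Flag load points whose file was created in the last 30 days, with siblings."""
    sections = split_sections(text)
    recent = created_files(sections.get("Created Last 30", []))
    by_second = defaultdict(set)
    for path, (ts, _size) in recent.items():
        by_second[ts].add(path)

    findings = []
    for kind, path in load_points(sections.get("Pseudo HJT Report", [])):
        if path in recent:
            ts, size = recent[path]
            findings.append({"kind": kind, "path": path, "created": ts, "size": size,
                             # other files written in the same second: likely one drop
                             "dropped_with": sorted(by_second[ts] - {path})})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f['kind']} -> {f['path']} created {f['created']} ({f['size']} bytes)")
        for sibling in f["dropped_with"]:
            print(f"    dropped in the same second: {sibling}")
```

The output is a starting point for a helper reading the log, not a verdict: a legitimate LSP installed last week would be flagged the same way, so each hit still needs a look at the publisher and the file itself.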

peku006
2010-08-10, 18:58
Hello and welcome to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

If you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Azureus

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

After that:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include C:\ComboFix.txt in your next reply.

Thanks peku006

cool2024
2010-08-10, 23:13
Unfortunately my machine will no longer boot windows normally and is in an infinite loop of "We apologize for the inconvenience, but windows did not start normally" message -> Start Windows Normally -> Windows logo appears -> machine suddenly reboots -> "We apologize for the inconvenience, but windows did not start normally" message etc.

Steps taken:
I've uninstalled Azureus
Then I went ahead and downloaded Combofix
Then I disabled my McAfee, but I mistakenly disabled it only until the next reboot
Ran Combofix
ComboFix reboots machine
I get the "Machine has no Windows Recovery Console installed" message
I find out McAfee is still running and disable it
I click yes to install the "Windows Recovery Console"
ComboFix successfully installs Windows Recovery Console
ComboFix then displays the message:
Rootkit found
service: tcpip
c:\windows\system32\drivers\tcpip.sys
Restart required
Infinite restart loop

I'm thinking I would probably need a non-usb keyboard since it won't let me use the arrow keys to pick reboot in Safe Mode.

I don't know quite how to proceed. Thanks in advance.

peku006
2010-08-11, 09:04
Hi cool2024

I'm thinking I would probably need a non-usb keyboard since it won't let me use the arrow keys to pick reboot in Safe Mode

Will this (the Windows XP Advanced Options menu) show after you've pressed the F8 key?

http://www.theeldergeek.com/images/Repairing%20Windows%20XP/pic1A.gif

cool2024
2010-08-11, 22:18
Ok I got a hold of a ps/2 keyboard and am able to boot into safe mode. ComboFix is automatically running as I type. I will post the ComboFix log as soon as it's done. Thanks again.

cool2024
2010-08-11, 22:48
ComboFix has finished and has displayed a log file for me to save. Hooray!

Unfortunately my Internet connection is now broken. I looked at the ComboFix tutorial and found how to repair the connection but it still doesn't work.

When I go to Start -> Control Panel -> Network Connections -> Right Click Local Area Connection -> Click Repair, there is an error message saying "Windows could not finish repairing the problem because the following action cannot be completed: Clearing the DNS cache".

Any ideas on how I can clear the cache?

I can post the ComboFix log later on tonight US West Coast time.

Thanks so much for your help Peku

peku006
2010-08-12, 09:46
Hi cool2024

Let's try this.

Click Start > Run > type in CMD and tap the Enter key
Copy/Paste: ipconfig /flushdns
(If you are typing this in, note the space between the g and the /f.
It needs to be there.)

After that, reboot.

How is your Internet connection now?

cool2024
2010-08-12, 17:06
Ok, I went to Start -> Run -> typed cmd -> pressed Enter -> typed ipconfig /flushdns and the screen says that: "Windows IP Configuration Could not flush the DNS Resolver Cache: Function failed during execution."

Then I restarted the computer -> ran Firefox -> tried to go to google.com but Firefox says "Unable to connect".

What else can I do? Thanks again.

cool2024
2010-08-12, 17:11
Here's the ComboFix log you asked for. Thanks again Peku

ComboFix 10-08-10.03 - Chris 08/11/2010 13:16:53.2.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.785 [GMT -7:00]
Running from: c:\documents and settings\Chris\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\daemon.dll
c:\windows\system32\6to4v32.dll
c:\windows\system32\msippsth.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_TCPIP_PASS-THROUGH_FILTER
-------\Legacy_WKSPATCH
-------\Legacy_ZESOFT
-------\Service_6to4
-------\Service_TCPIP Pass-through Filter


((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.

2010-08-10 20:22 . 2004-08-04 06:14 359040 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-10 06:59 . 2010-08-10 06:59 -------- d-----w- c:\program files\ERUNT
2010-08-09 21:18 . 2010-08-09 21:18 8192 ----a-w- c:\windows\system32\uexsl.dll
2010-08-09 21:18 . 2010-08-09 21:18 8192 ----a-w- c:\windows\system32\qxdqei.dll
2010-08-09 21:18 . 2010-08-09 21:18 -------- d-----w- c:\documents and settings\Chris\Application Data\B4EDEAF43A12AE939F3D7AD57EDBA29E
2010-07-15 20:41 . 2010-07-15 20:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 20:00 . 2004-04-08 08:44 -------- d-----w- c:\program files\Azureus
2010-08-10 00:53 . 2008-08-12 07:16 -------- d-----w- c:\program files\Whale Communications
2010-08-09 21:19 . 2010-08-09 21:18 1051136 ----a-w- c:\documents and settings\Chris\Application Data\B4EDEAF43A12AE939F3D7AD57EDBA29E\secureapp70700.exe
2010-08-05 07:09 . 2010-03-05 21:15 -------- d-----w- c:\program files\McAfee
2010-07-15 22:18 . 2010-03-05 21:16 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-06 15:39 . 2010-07-06 15:39 300384 ----a-w- c:\documents and settings\Chris\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2010-07-06 15:39 . 2010-07-06 15:39 300384 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Supportability\Content\MVT\XMLFiles\detect.dll
2010-07-06 15:38 . 2010-07-06 15:38 -------- d-----w- c:\documents and settings\Chris\Application Data\McAfee
2010-07-06 15:38 . 2010-03-05 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-06 13:04 . 2005-12-29 08:45 -------- d-----w- c:\documents and settings\Chris\Application Data\tunebite
2010-07-02 10:16 . 2007-07-11 01:13 -------- d-----w- c:\program files\Warcraft III
2010-06-26 07:24 . 2008-02-09 12:30 99756 ----a-w- c:\windows\War3Unin.dat
2010-06-02 06:30 . 2010-06-02 06:30 503808 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1117daa9-n\msvcp71.dll
2010-06-02 06:30 . 2010-06-02 06:30 499712 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1117daa9-n\jmc.dll
2010-06-02 06:30 . 2010-06-02 06:30 348160 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1117daa9-n\msvcr71.dll
2005-09-16 01:26 . 2004-10-10 02:00 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2007-06-22 01:38 . 2007-06-22 01:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-22 01:38 . 2007-06-22 01:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-22 01:38 . 2007-06-22 01:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-22 01:38 . 2007-06-22 01:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-22 01:39 . 2007-06-22 01:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-22 01:39 . 2007-06-22 01:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-22 01:39 . 2007-06-22 01:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-22 01:39 . 2007-06-22 01:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-22 01:40 . 2007-06-22 01:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lock Computer on Starup"="user32.dll" [2004-08-04 577024]
"Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-15 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-07-23 56832]
"Prolific_OneButton"="c:\program files\Prolific\One Button\OneBtn.exe" [2004-06-09 49152]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\documents and settings\Chris\My Documents\Shared\Mvs\s.html
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-10-01 23:57 289576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-06 00:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 21:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IntuitUpdateService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [9/16/2005 12:21 AM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [9/16/2005 12:21 AM 5248]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [4/3/2004 11:13 AM 10112]
R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [4/4/2004 1:17 AM 151476]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/5/2010 2:20 PM 93320]
R3 WMIBIOS;%WMIBIOS.ServiceName%;c:\windows\system32\drivers\wmibios.sys [4/4/2004 1:01 AM 18272]
R3 WMIINFO;WMIINFO Driver;c:\windows\system32\drivers\wmiinfo.sys [4/4/2004 1:01 AM 21184]
S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.sys --> c:\program files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/5/2010 12:16 AM 135664]
S3 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [6/28/2005 2:07 PM 241731]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [3/4/2006 7:25 PM 223128]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/8/2008 11:55 AM 24652]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/4/2006 7:21 PM 642560]
.
Contents of the 'Scheduled Tasks' folder

2010-07-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1409082233-839522115-1003Core.job
- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-15 05:22]

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1409082233-839522115-1003UA.job
- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-15 05:22]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-05 20:22]

2010-03-05 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-05 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: En&queue current page with Bulk Image Downloader - file://c:\program files\Bulk Image Downloader\iemenu\iebidqueue.htm
IE: Enqueue link target with Bulk Ima&ge Downloader - file://c:\program files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open &link target with Bulk Image Downloader - file://c:\program files\Bulk Image Downloader\iemenu\iebidlink.htm
IE: Open current page with Bulk I&mage Downloader - file://c:\program files\Bulk Image Downloader\iemenu\iebid.htm
LSP: c:\windows\system32\uexsl.dll
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\iqkv9dh5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/#General
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmnqmp07030901.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
MSConfigStartUp-AtiTrayTools - c:\program files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.exe
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-POEngine - c:\program files\PokerOffice\POEngine.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-ymetray - c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe
AddRemove-Active Ports - c:\windows\unvise32.exe
AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE
AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe
AddRemove-NVIDIA nForce Drivers - c:\windows\System32\NVUninst.exe
AddRemove-XPv3.8.252 - c:\windows\Radeon Omega Drivers v3.8.252
AddRemove-Serv-U - c:\progra~1\Serv-U\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-11 13:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x860E6EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76e6fc3
\Driver\ACPI -> ACPI.sys @ 0xf7513cb8
\Driver\atapi -> atapi.sys @ 0xf74a57b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf739aba0
PacketIndicateHandler -> NDIS.sys @ 0xf7389a0b
SendHandler -> NDIS.sys @ 0xf739db31
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{057AFF8E-18BB-3F80-364CCC2831522BE6}\{99AD5AFA-2676-F639-545B2C570527D246}\{9515C81F-50C9-6ACD-17AF77618A15A8EB}*]
"63AUOURV1X6YIYB2ELIFO4LTRC1"=hex:01,00,01,00,00,00,00,00,87,da,ad,38,2b,26,f8,
c3,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0b1882f7-fa07-4f2b-9fdf-9c60a5a55847}]
@Denied: (Full) (Everyone)
"Model"=dword:000000fd
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):24,66,61,b0,0b,ed,9a,18,e0,09,da,bf,f1,6a,f3,5b,e2,0a,03,1d,15,
d6,fb,6e,74,2d,e7,4e,33,1e,71,3f,45,37,e7,9d,fa,64,86,51,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2012)
c:\program files\TortoiseCVS\TrtseShl.dll
c:\windows\system32\uexsl.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\windows\System32\inetsrv\inetinfo.exe
c:\progra~1\mcafee\msc\mcupdmgr.exe
.
**************************************************************************
.
Completion time: 2010-08-11 13:34:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-11 20:34
ComboFix2.txt 2007-11-06 09:12

Pre-Run: 7,686,260,736 bytes free
Post-Run: 11,105,719,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - C07D089E5DF9E378E9235ECFD2B245C5

peku006
2010-08-12, 17:22
Hi

What else can I do?

Open Services...
Click Start-->Run, then type or copy and paste services.msc
Click OK or press the "enter" key. Next, please scroll down to and double click DNS Client. Make sure startup type is set to "Automatic". Click "Apply" and "OK" your way out, then close Services. Reboot the computer to properly record those changes to the hard disk. When the system comes back up, try flushing the dns resolver cache again.

-------------------------------------------------------------------------------------------

Check files for Viruses

Go to VirusTotal (http://www.virustotal.com) or Jotti's (http://virusscan.jotti.org/)

c:\windows\system32\uexsl.dll
c:\windows\system32\qxdqei.dll


Copy/Paste the first file on the list into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Note details of any viruses found.
Repeat for all files on the list, and post me the details please.

Please reply with

the Jotti/Virustotal results

description of any problems you are having with your PC

Thanks peku006

cool2024
2010-08-14, 04:07
I did what you asked, went to Services.msc -> DNS Client -> changed startup type to "Automatic" -> clicked "Apply" and "OK" -> closed Services -> rebooted the computer -> went to cmd -> typed ipconfig /flushdns -> ran firefox -> still can't connect to the internet.

I did manage to upload the 2 dlls to virustotal.com. Results are below:

uexsl.dll
Antivirus Version Last Update Result
AhnLab-V3 2010.08.14.00 2010.08.13 -
AntiVir 8.2.4.34 2010.08.13 -
Antiy-AVL 2.0.3.7 2010.08.11 -
Authentium 5.2.0.5 2010.08.13 -
Avast 4.8.1351.0 2010.08.13 -
Avast5 5.0.332.0 2010.08.13 -
AVG 9.0.0.851 2010.08.13 -
BitDefender 7.2 2010.08.14 -
CAT-QuickHeal 11.00 2010.08.13 -
ClamAV 0.96.0.3-git 2010.08.14 -
Comodo 5731 2010.08.14 ApplicUnsaf.Win32.Brih.a
DrWeb 5.0.2.03300 2010.08.14 Trojan.Click1.25301
Emsisoft 5.0.0.37 2010.08.14 -
eSafe 7.0.17.0 2010.08.12 -
eTrust-Vet 36.1.7790 2010.08.13 -
F-Prot 4.6.1.107 2010.08.13 -
F-Secure 9.0.15370.0 2010.08.14 -
Fortinet 4.1.143.0 2010.08.13 W32/Agent.OFJ!tr
GData 21 2010.08.14 -
Ikarus T3.1.1.88.0 2010.08.13 -
Jiangmin 13.0.900 2010.08.13 -
Kaspersky 7.0.0.125 2010.08.14 -
McAfee 5.400.0.1158 2010.08.14 Artemis!B3EFB184D576
McAfee-GW-Edition 2010.1 2010.08.14 Artemis!B3EFB184D576
Microsoft 1.6004 2010.08.13 -
NOD32 5365 2010.08.13 Win32/Agent.RNB
Norman 6.05.11 2010.08.13 -
nProtect 2010-08-13.01 2010.08.13 -
Panda 10.0.2.7 2010.08.13 -
PCTools 7.0.3.5 2010.08.14 -
Prevx 3.0 2010.08.14 High Risk Cloaked Malware
Rising 22.60.04.04 2010.08.13 -
Sophos 4.56.0 2010.08.14 Troj/Agent-OFJ
Sunbelt 6731 2010.08.14 Trojan.Win32.Browser-Winsock.Hijacker
SUPERAntiSpyware 4.40.0.1006 2010.08.13 -
Symantec 20101.1.1.7 2010.08.14 -
TheHacker 6.5.2.1.347 2010.08.14 -
TrendMicro 9.120.0.1004 2010.08.13 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.14 -
VBA32 3.12.14.0 2010.08.13 -
ViRobot 2010.8.9.3978 2010.08.13 -
VirusBuster 5.0.27.0 2010.08.13 -

MD5 : b3efb184d5762dabce4c0ac7b6e188bf
SHA1 : e6dc04c8c5a4965e093b9a96c219b998bb86e9b1
SHA256: 7d40af468b30ae2426063d3590ba215e8d10d3a12095fb5af9ba3dd884c5787a
ssdeep: 192:/wjHWy8YkntA5huI/2NLEFYjf+8AFup3e:4L7/kGXuI/aL5pu
File size : 8192 bytes
First seen: 2010-07-23 15:18:23
Last seen : 2010-08-14 01:34:43
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1410
timedatestamp....: 0x4C46F543 (Wed Jul 21 13:25:23 2010)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x12B2, 0x1400, 6.07, cb94cf75c209beb01a273ed5c7516c86
.rdata, 0x3000, 0x2FD, 0x400, 3.88, 0b75dd81c6aa12ea35fb354c4887ef81
.data, 0x4000, 0x78, 0x200, 0.31, f0f4f53dfd61aa2546d9fbcee5627038
.reloc, 0x5000, 0x130, 0x200, 2.93, a77c08f6b71b7d67beede025f13d8027

[[ 2 import(s) ]]
WS2_32.dll: WSCEnumProtocols, getnameinfo, -, -, WSCGetProviderPath
KERNEL32.dll: LoadLibraryW, ExpandEnvironmentStringsA, LoadLibraryA, LeaveCriticalSection, EnterCriticalSection, FindAtomA, DeleteCriticalSection, FreeLibrary, InitializeCriticalSection, WideCharToMultiByte, HeapAlloc, ExpandEnvironmentStringsW, HeapFree, GetProcAddress, GetLastError, HeapCreate

[[ 2 export(s) ]]
GetLspGuid, WSPStartup

qxdqei.dll
Antivirus Version Last Update Result
AhnLab-V3 2010.08.14.00 2010.08.13 -
AntiVir 8.2.4.34 2010.08.13 -
Antiy-AVL 2.0.3.7 2010.08.11 -
Authentium 5.2.0.5 2010.08.13 -
Avast 4.8.1351.0 2010.08.13 -
Avast5 5.0.332.0 2010.08.13 -
AVG 9.0.0.851 2010.08.13 -
BitDefender 7.2 2010.08.14 -
CAT-QuickHeal 11.00 2010.08.13 -
ClamAV 0.96.0.3-git 2010.08.14 -
Comodo 5731 2010.08.14 ApplicUnsaf.Win32.Brih.a
DrWeb 5.0.2.03300 2010.08.14 Trojan.Click1.25301
Emsisoft 5.0.0.37 2010.08.14 -
eSafe 7.0.17.0 2010.08.12 -
eTrust-Vet 36.1.7790 2010.08.13 -
F-Prot 4.6.1.107 2010.08.13 -
F-Secure 9.0.15370.0 2010.08.14 -
Fortinet 4.1.143.0 2010.08.13 W32/Agent.OFJ!tr
GData 21 2010.08.14 -
Ikarus T3.1.1.88.0 2010.08.13 -
Jiangmin 13.0.900 2010.08.13 -
Kaspersky 7.0.0.125 2010.08.14 -
McAfee 5.400.0.1158 2010.08.14 Artemis!B3EFB184D576
McAfee-GW-Edition 2010.1 2010.08.14 Artemis!B3EFB184D576
Microsoft 1.6004 2010.08.13 -
NOD32 5365 2010.08.13 Win32/Agent.RNB
Norman 6.05.11 2010.08.13 -
nProtect 2010-08-13.01 2010.08.13 -
Panda 10.0.2.7 2010.08.13 -
PCTools 7.0.3.5 2010.08.14 -
Prevx 3.0 2010.08.14 High Risk Cloaked Malware
Rising 22.60.04.04 2010.08.13 -
Sophos 4.56.0 2010.08.14 Troj/Agent-OFJ
Sunbelt 6731 2010.08.14 Trojan.Win32.Browser-Winsock.Hijacker
SUPERAntiSpyware 4.40.0.1006 2010.08.13 -
Symantec 20101.1.1.7 2010.08.14 -
TheHacker 6.5.2.1.347 2010.08.14 -
TrendMicro 9.120.0.1004 2010.08.13 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.14 -
VBA32 3.12.14.0 2010.08.13 -
ViRobot 2010.8.9.3978 2010.08.13 -
VirusBuster 5.0.27.0 2010.08.13 -

MD5 : b3efb184d5762dabce4c0ac7b6e188bf
SHA1 : e6dc04c8c5a4965e093b9a96c219b998bb86e9b1
SHA256: 7d40af468b30ae2426063d3590ba215e8d10d3a12095fb5af9ba3dd884c5787a
ssdeep: 192:/wjHWy8YkntA5huI/2NLEFYjf+8AFup3e:4L7/kGXuI/aL5pu
File size : 8192 bytes
First seen: 2010-07-23 15:18:23
Last seen : 2010-08-14 01:45:30
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1410
timedatestamp....: 0x4C46F543 (Wed Jul 21 13:25:23 2010)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x12B2, 0x1400, 6.07, cb94cf75c209beb01a273ed5c7516c86
.rdata, 0x3000, 0x2FD, 0x400, 3.88, 0b75dd81c6aa12ea35fb354c4887ef81
.data, 0x4000, 0x78, 0x200, 0.31, f0f4f53dfd61aa2546d9fbcee5627038
.reloc, 0x5000, 0x130, 0x200, 2.93, a77c08f6b71b7d67beede025f13d8027

[[ 2 import(s) ]]
WS2_32.dll: WSCEnumProtocols, getnameinfo, -, -, WSCGetProviderPath
KERNEL32.dll: LoadLibraryW, ExpandEnvironmentStringsA, LoadLibraryA, LeaveCriticalSection, EnterCriticalSection, FindAtomA, DeleteCriticalSection, FreeLibrary, InitializeCriticalSection, WideCharToMultiByte, HeapAlloc, ExpandEnvironmentStringsW, HeapFree, GetProcAddress, GetLastError, HeapCreate

[[ 2 export(s) ]]
GetLspGuid, WSPStartup

cool2024
2010-08-14, 04:15
Is it a good idea to run this set of commands to get my internet working again?

ipconfig /release

ipconfig /flushdns

ipconfig /registerdns

ipconfig /renew

netsh winsock reset catalog

netsh int ip reset reset.log

netsh winsock reset

:thanks: again Peku

peku006
2010-08-14, 09:13
Hi cool2024

Is it a good idea to run this set of commands to get my internet working again?
not yet.............

Please download LSPFix from http://www.cexx.org/lspfix.htm and run the program. Disconnect from the Internet and close all Internet Explorer windows. Check the "I know what I'm doing" button and place all listings of uexsl.dll into the Remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section, press the Finish button. Then reboot.

To see a tutorial on how to use this program click the link below:

Using LSP-Fix to remove LSP Spyware & Hijackers (http://www.bleepingcomputer.com/forums/index.php?showtutorial=59)

Download OTM (http://oldtimer.geekstogo.com/OTM.exe) by Old Timer and save it to your Desktop.

Double-click OTM.exe to run it.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area. Do not include the word Code.

:Files
c:\windows\system32\uexsl.dll
c:\windows\system32\qxdqei.dll
:Commands
[emptytemp]


Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

Thanks peku006
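
The LSPFix step above edits the Winsock provider catalog; the VirusTotal record for uexsl.dll (exports WSPStartup and GetLspGuid, imports WSCEnumProtocols and WSCGetProviderPath) is what identifies it as a Layered Service Provider, which is also why a plain file deletion is not enough on its own. As an added example, not code from this thread or from LSPFix, here is a Python audit over a constructed dump in the shape of `netsh winsock show catalog` output that flags every catalog entry whose provider DLL is outside the stock Windows XP set (mswsock.dll, winrnr.dll, rsvpsp.dll); the catalog IDs, the uexsl.dll description string and its all-zero provider GUID are placeholders I made up for the sample.

```python
"""
Winsock catalog audit: list provider entries whose DLL is not a stock Windows
provider. Added example; it is not the thread's own code and not LSPFix.
The sample text is constructed by hand in the shape that
`netsh winsock show catalog` prints (a banner line per entry followed by
"Key:   value" lines); only the DLL file names come from the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Stock Windows XP Winsock providers; anything else in the catalog deserves a look.
# These are also the DLL names LSPFix treats as known-good in its Keep/Remove boxes.
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}

# Constructed sample. Catalog IDs, the uexsl description and its zero GUID are
# placeholders, not values observed on any real machine.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        RSVP UDP Service Provider
Provider ID:                        {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path:                      %SystemRoot%\system32\rsvpsp.dll
Catalog Entry ID:                   1005
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        uexsl (placeholder LSP entry)
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      C:\WINDOWS\system32\uexsl.dll
Catalog Entry ID:                   1019
Version:                            2
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        uexsl over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      C:\WINDOWS\system32\uexsl.dll
Catalog Entry ID:                   1020
Version:                            2
Protocol Chain Length:              2
"""


@dataclass
class CatalogEntry:
    entry_type: str
    description: str
    provider_path: str
    catalog_id: int
    chain_length: int

    @property
    def dll_name(self) -> str:
        # Compare on the bare file name, lower-cased, so that
        # "%SystemRoot%\system32\x.dll" and "C:\WINDOWS\system32\X.DLL" match.
        return self.provider_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# "Key:   value" lines; the dashed separator has no colon and is skipped.
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s+(.*?)\s*$")


def parse_catalog(text: str) -> list[CatalogEntry]:
    """Split the dump on its per-entry banner and read the fields of each block."""
    entries: list[CatalogEntry] = []
    for block in text.split("Winsock Catalog Provider Entry")[1:]:
        fields: dict[str, str] = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        entries.append(CatalogEntry(
            entry_type=fields.get("Entry Type", ""),
            description=fields.get("Description", ""),
            provider_path=fields.get("Provider Path", ""),
            catalog_id=int(fields.get("Catalog Entry ID", "0")),
            chain_length=int(fields.get("Protocol Chain Length", "0")),
        ))
    return entries


def audit_catalog(entries: list[CatalogEntry]) -> list[tuple[int, str, str]]:
    """Return (catalog_id, dll_name, reason) for every entry that is not stock.

    Both the LSP entry itself and every chain entry that layers it over a base
    provider are reported, which is why LSPFix asks for *all* listings of the DLL.
    """
    findings = []
    for e in entries:
        if e.dll_name in KNOWN_PROVIDER_DLLS:
            continue
        where = "layered into a protocol chain" if e.chain_length != 1 else "base provider"
        findings.append((e.catalog_id, e.dll_name, f"non-stock provider DLL, {where}"))
    return findings


def unknown_provider_dlls(entries: list[CatalogEntry]) -> set[str]:
    """The distinct DLL names an analyst should pull for scanning (e.g. VirusTotal)."""
    return {dll for _, dll, _ in audit_catalog(entries)}


if __name__ == "__main__":
    for cid, dll, why in audit_catalog(parse_catalog(SAMPLE_CATALOG)):
        print(f"catalog entry {cid}: {dll} -- {why}")
```

The script only reports; removing a catalog entry while its DLL is already gone, or the reverse, is what leaves a machine with no working network stack, so report first and fix with a tool that rebuilds the chain consistently.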

cool2024
2010-08-15, 20:08
Hmm, LSPFix doesn't have uexsl.dll in either the Keep box or the Remove box.

In the Keep box it lists: mswsock.dll tcpip, winrnr.dll ntds
In the Remove box it lists: rsvpsp.dll (Protocol Handler)

I have not clicked Finish.

Should I go ahead and run Oldtimer?

Thanks again Peku

peku006
2010-08-16, 08:32
Hi cool2024

Ok, continue with Oldtimer and run DDS again and post both logs.

Thanks peku006

cool2024
2010-08-16, 22:33
Hi Peku,

Here's the Old Timer and DDS logs you asked for. Thanks again Peku.

=========== Old Timer ==========

All processes killed
========== FILES ==========
DllUnregisterServer procedure not found in C:\windows\system32\uexsl.dll
C:\windows\system32\uexsl.dll moved successfully.
DllUnregisterServer procedure not found in C:\windows\system32\qxdqei.dll
C:\windows\system32\qxdqei.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Allison
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 3226919 bytes
->FireFox cache emptied: 54774978 bytes
->Flash cache emptied: 6316 bytes

User: Chris
->Temp folder emptied: 1903420 bytes
->Temporary Internet Files folder emptied: 3940898 bytes
->Java cache emptied: 44176839 bytes
->FireFox cache emptied: 36385401 bytes
->Google Chrome cache emptied: 110179034 bytes
->Flash cache emptied: 2227788 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Doris
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 200801 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 2084 bytes

User: Fred
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 23983 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 1399 bytes

User: Justin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 5443185 bytes
->Flash cache emptied: 348 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Nathan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 21888674 bytes
->Flash cache emptied: 731 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 2202 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 41544 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1524201 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 601559 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 273.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 08162010_083302

Files moved on Reboot...
File C:\WINDOWS\temp\mcmsc_TR53OcqQOovckcg not found!

Registry entries deleted on Reboot...


=========== DDS ==========


DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 13:24:24.57 on Mon 08/16/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.658 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Prolific\One Button\OneBtn.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chris\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Lock Computer on Starup] rundll32.exe user32.dll, LockWorkStation
uRun: [Google Update] "c:\documents and settings\chris\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Prolific_OneButton] c:\program files\prolific\one button\OneBtn.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [abdtffrd] c:\documents and settings\networkservice\local settings\application data\ojrlxyfih\bqjluoqshdw.exe
dRun: [Ibacihiciquci] rundll32.exe "c:\windows\JGI14fa.dll",Startup
dRun: [abdtffrd] c:\documents and settings\networkservice\local settings\application data\ojrlxyfih\bqjluoqshdw.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: En&queue current page with Bulk Image Downloader - file://c:\program files\bulk image downloader\iemenu\iebidqueue.htm
IE: Enqueue link target with Bulk Ima&ge Downloader - file://c:\program files\bulk image downloader\iemenu\iebidlinkqueue.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open &link target with Bulk Image Downloader - file://c:\program files\bulk image downloader\iemenu\iebidlink.htm
IE: Open current page with Bulk I&mage Downloader - file://c:\program files\bulk image downloader\iemenu\iebid.htm
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\iqkv9dh5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/#General
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\chris\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07030901.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2005-9-16 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2005-9-16 5248]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-4-3 10112]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 214664]
R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [2004-4-4 151476]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-3-5 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-3-5 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-3-5 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-5 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-5 35272]
R3 WMIBIOS;%WMIBIOS.ServiceName%;c:\windows\system32\drivers\wmibios.sys [2004-4-4 18272]
R3 WMIINFO;WMIINFO Driver;c:\windows\system32\drivers\wmiinfo.sys [2004-4-4 21184]
S0 mgthop;mgthop;c:\windows\system32\drivers\mgthop.sys [2010-8-13 0]
S1 atitray;atitray;\??\c:\program files\radeon omega drivers\v2.6.87\ati tray tools\atitray.sys --> c:\program files\radeon omega drivers\v2.6.87\ati tray tools\atitray.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664]
S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2010-8-15 256512]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-3-5 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-3-5 40552]
S3 PDSched;PDScheduler;c:\program files\raxco\perfectdisk\PDSched.exe [2005-6-28 241731]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-3-4 223128]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-8 24652]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-3-5 606736]

=============== Created Last 30 ================

2010-08-16 15:33:02 0 d-----w- C:\_OTM
2010-08-15 17:58:52 98816 ----a-w- c:\windows\sed.exe
2010-08-15 17:58:52 77312 ----a-w- c:\windows\MBR.exe
2010-08-15 17:58:52 256512 ----a-w- c:\windows\PEV.exe
2010-08-15 17:58:52 161792 ----a-w- c:\windows\SWREG.exe
2010-08-15 17:58:43 0 d-s---w- C:\ComboFix
2010-08-14 01:35:42 0 ----a-w- c:\windows\system32\drivers\mgthop.sys
2010-08-14 01:35:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-08-10 20:22:45 359040 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-10 20:20:20 0 d-sha-r- C:\cmdcons
2010-08-10 20:16:07 77312 ----a-w- c:\windows\MBR.exe-old
2010-08-10 20:16:03 256512 ----a-w- c:\windows\PEV.exe-old
2010-08-10 20:16:03 161792 ----a-w- c:\windows\SWREG.exe-old
2010-08-10 20:16:02 98816 ----a-w- c:\windows\sed.exe-old
2010-08-09 21:18:15 0 d-----w- c:\docume~1\chris\applic~1\B4EDEAF43A12AE939F3D7AD57EDBA29E

==================== Find3M ====================

2010-07-15 22:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-26 07:24:48 99756 ----a-w- c:\windows\War3Unin.dat

============= FINISH: 13:25:08.70 ===============

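The reply that follows asks for mgthop.sys to be removed, and this log already shows why: a stopped boot-start driver (S0) whose image is zero bytes and was created only days before the scan. As an added example (not from DDS, OTM, or either poster), the Python script below parses lines in the DDS SERVICES / DRIVERS format and flags those signs; the sample lines are constructed copies of entries from this log, and the log date passed in is an assumption.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log.

Added example, not part of the DDS tool or of this thread. It reads lines in
the shape DDS prints ("R0 name;display;path [yyyy-m-d size]") and flags what
a helper looks for before writing a removal script: a zero-byte driver image,
an image DDS could not find on disk ("[?]"), and a boot- or system-start
driver created within the last few weeks.
"""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed sample in DDS format (shapes copied from the log above).
SAMPLE_LINES = """\
R1 mfehidk;McAfee Inc. mfehidk;c:\\windows\\system32\\drivers\\mfehidk.sys [2010-1-5 214664]
S0 mgthop;mgthop;c:\\windows\\system32\\drivers\\mgthop.sys [2010-8-13 0]
S3 vsdatant;vsdatant;c:\\windows\\system32\\vsdatant.sys --> c:\\windows\\system32\\vsdatant.sys [?]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "   # R = running, S = stopped; start type 0..4
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?) \[(?P<info>[^\]]*)\]$"
)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


@dataclass
class DriverEntry:
    state: str
    start: int
    name: str
    display: str
    path: str
    created: Optional[date]      # None when DDS printed "[?]"
    size: Optional[int]          # None when DDS printed "[?]"
    reasons: List[str] = field(default_factory=list)


def parse_dds_services(text: str) -> List[DriverEntry]:
    """Parse every well-formed DDS service/driver line; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created = size = None
        info = m.group("info").strip()
        if info != "?":
            # DDS prints "[yyyy-m-d size]" without zero padding.
            date_part, size_part = info.split()
            y, mo, d = (int(x) for x in date_part.split("-"))
            created, size = date(y, mo, d), int(size_part)
        # "a --> b" means DDS resolved the registry image path to a disk path.
        path = m.group("path").split(" --> ")[-1]
        entries.append(DriverEntry(m.group("state"), int(m.group("start")),
                                   m.group("name"), m.group("display"),
                                   path, created, size))
    return entries


def triage(entries: List[DriverEntry], log_date: date,
           recent_days: int = 30) -> List[DriverEntry]:
    """Attach reasons to each entry; return only the entries that got one."""
    flagged = []
    for e in entries:
        if e.size == 0:
            e.reasons.append("zero-byte driver image")
        if e.size is None:
            e.reasons.append("image file not found on disk")
        if (e.created is not None
                and log_date - e.created <= timedelta(days=recent_days)
                and e.start in (0, 1)):
            e.reasons.append(f"{START_TYPES[e.start]}-start driver created "
                             f"within {recent_days} days of the log")
        if e.reasons:
            flagged.append(e)
    return flagged


def triage_text(text: str, log_date_iso: str,
                recent_days: int = 30) -> List[DriverEntry]:
    """Convenience wrapper: parse and triage in one call (date as ISO string)."""
    return triage(parse_dds_services(text), date.fromisoformat(log_date_iso),
                  recent_days)


if __name__ == "__main__":
    # Assumed log date; the real date comes from the DDS header line.
    for hit in triage_text(SAMPLE_LINES, "2010-08-16"):
        print(f"{hit.name:10} {hit.path}: {'; '.join(hit.reasons)}")
```

A flagged entry is a reason to look closer, not proof of infection: the missing-file case also matches orphaned leftovers of uninstalled software, which is what a helper checks next.
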
peku006
2010-08-17, 09:47
Hi cool2024


Double-click OTM.exe to run it.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area. Do not include the word Code.

:Files
c:\windows\JGI14fa.dll
c:\documents and settings\networkservice\local settings\application data\ojrlxyfih
c:\windows\system32\drivers\mgthop.sys

:services
mgthop
Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

Thanks peku006

cool2024
2010-08-17, 21:58
Here is the OTM log you asked for. Did you need a DDS log as well? Thanks Peku.

========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\JGI14fa.dll
c:\windows\JGI14fa.dll moved successfully.
c:\documents and settings\networkservice\local settings\application data\ojrlxyfih folder moved successfully.
c:\windows\system32\drivers\mgthop.sys moved successfully.
========== SERVICES/DRIVERS ==========
Service mgthop stopped successfully!
Service mgthop deleted successfully!

OTM by OldTimer - Version 3.1.15.0 log created on 08172010_125502

peku006
2010-08-18, 10:10
Hi cool2024

Did you need a DDS log as well?
not now....

1 - Download and Run Malwarebytes' Anti-Malware

Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop. If needed...Tutorial w/screenshots (http://thespykiller.co.uk/index.php/topic,5946.0.html)
Alternate download sites available here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or here (http://www.besttechie.net/tools/mbam-setup.exe).
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
Problems downloading the updates? Manually download them from here (http://malwarebytes.gt500.org/mbam-rules.exe) and double-click on "mbam-rules.exe" to install.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - Status Check
Please reply with

the Malwarebytes' Anti-Malware Log
description of any problems you are having with your PC

Thanks peku006

cool2024
2010-08-19, 07:04
Here's the MBAM log you asked for. Thanks again Peku.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4447

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

8/18/2010 9:59:38 PM
mbam-log-2010-08-18 (21-59-38).txt

Scan type: Full scan (C:\|)
Objects scanned: 370092
Time elapsed: 1 hour(s), 59 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\abdtffrd (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\Update\seupd.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Application Data\B4EDEAF43A12AE939F3D7AD57EDBA29E\secureapp70700.exeold (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\My Documents\WinXP Cracks\XPsp1crk.exe (Spyware.Passwords) -> Not selected for removal.
C:\Documents and Settings\Chris\My Documents\Broder\Gazillionaire\FFF-ReflexV2.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\My Documents\Broder\Gazillionaire\FFF-ReflexV2.exe.bak (Trojan.Backdoor) -> Not selected for removal.
C:\Program Files\CryptLoad_1.0.4\ocr\netload.in\asmCaptcha\test.exe (Malware.Packer) -> Not selected for removal.
C:\Program Files\CryptLoad_1.0.4\ocr\rapidshare.com\asmCaptcha\test.exe (Malware.Packer) -> Not selected for removal.
C:\Program Files\CryptLoad_1.0.4\router\FRITZ!Box\nc.exe (PUP.KeyLogger) -> Not selected for removal.
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1041\A0264406.exe (Trojan.Backdoor) -> Not selected for removal.
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1041\A0265516.sys (Trojan.Agent.Gen) -> Not selected for removal.
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0265581.dll (Trojan.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0266595.exe (Rogue.SecuritySuite) -> Not selected for removal.
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0266596.exe (Trojan.FakeAlert) -> Not selected for removal.
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0266614.sys (Trojan.Agent.Gen) -> Not selected for removal.
C:\_OTM\MovedFiles\08162010_083302\C_windows\system32\qxdqei.dll (LSP.Hijacker) -> Quarantined and deleted successfully.
C:\_OTM\MovedFiles\08162010_083302\C_windows\system32\uexsl.dll (LSP.Hijacker) -> Quarantined and deleted successfully.
C:\_OTM\MovedFiles\08172010_125502\c_documents and settings\networkservice\local settings\application data\ojrlxyfih\bqjluoqshdw.exe-old (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\_OTM\MovedFiles\08172010_125502\c_windows\JGI14fa.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
C:\ComboFix\Combo-Fix.sys (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

peku006
2010-08-19, 09:40
Hi cool2024

Why didn't you remove these?

C:\Documents and Settings\Chris\My Documents\WinXP Cracks\XPsp1crk.exe (Spyware.Passwords) -> Not selected for removal.
C:\Documents and Settings\Chris\My Documents\Broder\Gazillionaire\FFF-ReflexV2.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\My Documents\Broder\Gazillionaire\FFF-ReflexV2.exe.bak (Trojan.Backdoor) -> Not selected for removal.
C:\Program Files\CryptLoad_1.0.4\ocr\netload.in\asmCaptcha\test.exe (Malware.Packer) -> Not selected for removal.
C:\Program Files\CryptLoad_1.0.4\ocr\rapidshare.com\asmCaptcha\test.exe (Malware.Packer) -> Not selected for removal.
C:\Program Files\CryptLoad_1.0.4\router\FRITZ!Box\nc.exe (PUP.KeyLogger) -> Not selected for removal.

Please download CKScanner (http://downloads.malwareremoval.com/CKScanner.exe) ... Save it to your desktop.
Make sure that CKScanner.exe is on your desktop before running the application!
Double-click on the CKScanner.exe icon... then click the Search For Files button.
When the scan is finished (the cursor hourglass disappears) click the Save List To File button.
A text file will be created on your desktop named "ckfiles.txt"
Click OK at the file saved message box. Double-click on the ckfiles.txt icon on your desktop.
Please copy/paste the contents of ckfiles.txt in your next reply.

Thanks peku006

cool2024
2010-08-19, 22:00
I didn't delete them because I use Cryptload and keygens and have been using them for a couple of years with no problems. I can go ahead and uninstall/delete them and use something else.

cool2024
2010-08-20, 07:14
I went ahead and deleted the CryptLoad and crack files and did the CKScanner scan. Here's the CKScanner log you asked for. Thanks again Peku.

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\allison\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncracklightmap.cfx
c:\documents and settings\allison\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncracklightmapshadow.cfx
c:\documents and settings\allison\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncrackpointlight.cfx
c:\documents and settings\allison\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncrackshadow.cfx
c:\documents and settings\allison\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackpointlight.cfx
c:\documents and settings\allison\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackshadow.cfx
c:\documents and settings\allison\my documents\my music\itunes\itunes music\marjorie fair\self help serenade\08 cracks in the wall.m4a
c:\documents and settings\chris\my documents\programs\raxco perfectdisk 7.0 build 42+keygen\pd70ds.exe
c:\documents and settings\chris\my documents\programs\raxco perfectdisk 7.0 build 42+keygen\raxco perfectdisk 7.0 build 42.txt
c:\documents and settings\chris\my documents\shared\nero 7 premium reloaded 7.10.1.0_eng (+keygen)\keygen.exe
c:\documents and settings\chris\my documents\shared\nero 7 premium reloaded 7.10.1.0_eng (+keygen)\nero-7.10.1.0_eng_trial_wch.exe
c:\documents and settings\chris\my documents\shared\nero 7 premium reloaded 7.10.1.0_eng (+keygen)\torrent downloaded from demonoid.com.txt
c:\documents and settings\chris\my documents\shared\reflexive gazillionaire iii full\precracked-enjoy.txt
c:\documents and settings\chris\my documents\shared\sweaw crack\eawupdate1_2.exe
c:\documents and settings\chris\my documents\shared\sweaw crack\fc4c-3d8-05f-d411-uk20.txt
c:\documents and settings\chris\my documents\shared\sweaw crack\rld-swew.rar
c:\documents and settings\chris\my documents\shared\sweaw crack\tntswen1.rar
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrack.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackalphatest.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackalphatestlightmap.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackalphatestlightmapshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackalphatestpointlight.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackalphatestshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcracklightmap.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcracklightmapshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackndetailncrack.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackndetailncrackalphatest.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackndetailncrackalphatestlightmap.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackndetailncrackalphatestlightmapshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackndetailncrackalphatestpointlight.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackndetailncrackalphatestshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackndetailncracklightmap.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackndetailncracklightmapshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackndetailncrackpointlight.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackndetailncrackshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackpointlight.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetailcrackshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrack.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackalphatest.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackalphatestlightmap.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackalphatestlightmapshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackalphatestpointlight.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackalphatestshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcracklightmap.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcracklightmapshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncrack.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncrackalphatest.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncrackalphatestlightmap.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncrackalphatestlightmapshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncrackalphatestpointlight.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncrackalphatestshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncracklightmap.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncracklightmapshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncrackpointlight.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackndetailncrackshadow.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackpointlight.cfx
c:\documents and settings\doris\my documents\battlefield 2 demo\mods\bf2\cache\{d7b71ee2-0212-11cf-696d-135ca1c2cb35}_2446_2\rashaderstmbasedetaildirtcrackshadow.cfx
c:\program files\valve\steam\steamapps\cool2024\counter-strike source\cstrike\maps\cs_crackhouse.bsp
c:\program files\valve\steam\steamapps\cool2024\counter-strike source\cstrike\maps\cs_crackhouse.nav
c:\program files\valve\steam\steamapps\cool2024\counter-strike source\cstrike\maps\soundcache\cs_crackhouse.cache
scanner sequence 3.ZZ.11
----- EOF -----

peku006
2010-08-20, 08:28
Hi cool2024

Why do you need keygens? Do you have illegal software?

Note:
We do not support the use of illegal Pirated/Warez/Cracked software.

If seeking help in our Malware removal forum please know that users who have programs obtained by such methods will be asked to remove them, since our help could otherwise be seen as aiding copyright violations. Aside from the legalities be aware malware authors prey on users looking to circumvent a software's protection mechanisms. There is a high risk of infection involved in downloading and running crack codes.

cool2024
2010-08-20, 21:35
I understand and have deleted the files below and uninstalled the listed programs from my computer.

c:\documents and settings\chris\my documents\programs\raxco perfectdisk 7.0 build 42+keygen\pd70ds.exe
c:\documents and settings\chris\my documents\programs\raxco perfectdisk 7.0 build 42+keygen\raxco perfectdisk 7.0 build 42.txt
c:\documents and settings\chris\my documents\shared\nero 7 premium reloaded 7.10.1.0_eng (+keygen)\keygen.exe
c:\documents and settings\chris\my documents\shared\nero 7 premium reloaded 7.10.1.0_eng (+keygen)\nero-7.10.1.0_eng_trial_wch.exe
c:\documents and settings\chris\my documents\shared\nero 7 premium reloaded 7.10.1.0_eng (+keygen)\torrent downloaded from demonoid.com.txt
c:\documents and settings\chris\my documents\shared\reflexive gazillionaire iii full\precracked-enjoy.txt
c:\documents and settings\chris\my documents\shared\sweaw crack\eawupdate1_2.exe
c:\documents and settings\chris\my documents\shared\sweaw crack\fc4c-3d8-05f-d411-uk20.txt
c:\documents and settings\chris\my documents\shared\sweaw crack\rld-swew.rar
c:\documents and settings\chris\my documents\shared\sweaw crack\tntswen1.rar

peku006
2010-08-21, 08:35
Hi cool2024


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Please go to Kaspersky Online Virus Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) © Kaspersky Lab to perform an online antivirus scan.

Read the "Advantages - Requirements and Limitations" then press... the ACCEPT...button.
The latest program and definition files will be downloaded. It takes time, please be patient, let it finish.
Once the files have been downloaded, click on the SETTINGS...button.
In the scan settings make sure the following are selected:
Detect malicious programs of the following categories:
Viruses, Worms, Trojan Horses, Rootkits
Spyware, Adware, Dialers and other potentially dangerous programs
Scan compound files (doesn't apply to the File scan area):
Archives
Mail databases
By default the above items should already be checked.
Click the SAVE...button, if you made any changes.
Now under the Scan section on the left: Select My Computer
The program will start scanning your system. This takes a while, be patient... let it run.
Once the scan is complete it will display if your system has been infected.
Save the scan results as a Text file ... save it to your desktop.
Copy and paste the saved scan results file in your next reply.

Thanks peku006

cool2024
2010-08-24, 05:10
I've gone ahead and run TFC and downloaded and updated Kaspersky Online Scanner but Kaspersky comes back with an error message saying:

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.

You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Key is expired]

I've tried to restart the computer and restart firefox and still get the same message. I can try downloading, installing and running the 30-day trial version if you want.

Thanks again Peku.

peku006
2010-08-24, 09:11
Hi cool2024

Let's try this...

ESET NOD32 Online Scan
Vista - W7 users: You will need to right-click on the IE or FF icons on the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
Note: If using Mozilla Firefox you will need to download "esetsmartinstaller_enu.exe" when prompted... then double click on it to install.
Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
Please go to ESET Online Scanner (http://www.eset.com/onlinescan/) - © ESET All Rights Reserved... to run an online scan.
** Make sure you are using an account that has Administrative privileges **
Press the "ESET Online Scanner" button.
Check the box next to "YES, I accept the Terms of Use."
Click "Start"... a window will open... it may appear nothing is happening... please be patient.
Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
Once installed, the scanner will be initialized.
Click "Start". Make sure that the options: Remove found threats is UNCHECKED
Leave the "default" settings under Advanced as they are, if not set, please check:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Click "Start"... ESET scanner will begin to download the virus signatures database.
When the signatures have been downloaded, the scan will start automatically.
Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
Use Notepad to open the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt
Copy and paste the contents of log.txt in your next reply.
Remember to enable your Anti-virus protection... before continuing!

Thanks peku006

cool2024
2010-08-25, 07:52
Hi Peku,

Here's the ESET scan log you asked for. Thanks so much.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2fd285057f4e484d911f7c2c3fe48dfb
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-08-25 05:48:25
# local_time=2010-08-24 10:48:25 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 88399151 88399151 0 0
# compatibility_mode=5121 16776533 100 96 890437 35538258 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=183507
# found=7
# cleaned=0
# scan_time=6575
C:\Documents and Settings\Chris\My Documents\Programs\Install_AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Program Files\AIM95\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir Win32/Wimpixo.AA trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1041\A0265479.dll Win32/Wimpixo.AA trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0265581.dll a variant of Win32/Cimag.DC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0266595.exe Win32/Adware.SpywareProtect2009 application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0266596.exe Win32/Adware.AntimalwareDoctor application 00000000000000000000000000000000 I
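
The ESET log above has a simple structure: `# key=value` header lines followed by one detection per line (path, threat name, type, hash field, flag). The following parser is an added example for this thread, not ESET's own tooling; it reads that format and sorts each detection by where the file lives, which is the triage a helper does by eye: a hit inside a System Restore snapshot or an existing quarantine folder is already inert, while a hit on a live path is what still matters. The sample log is an excerpt copied from the log posted above; treating `C:\qoobox\Quarantine` as ComboFix's quarantine folder is an assumption of this example.

```python
"""Parse an ESET Online Scanner log and triage detections by file location.
Added example for this thread; not ESET's own tooling."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt: header fields and detection lines copied from the
# log posted earlier in this thread (repeated compatibility_mode lines omitted).
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=false
# scanned=183507
# found=7
# cleaned=0
C:\Documents and Settings\Chris\My Documents\Programs\Install_AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Program Files\AIM95\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir Win32/Wimpixo.AA trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1041\A0265479.dll Win32/Wimpixo.AA trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0265581.dll a variant of Win32/Cimag.DC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0266595.exe Win32/Adware.SpywareProtect2009 application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0266596.exe Win32/Adware.AntimalwareDoctor application 00000000000000000000000000000000 I
"""

# Paths and threat names both contain spaces, so the line is split by shape:
# the threat name is the first token containing a '/' (Windows paths use
# backslashes), optionally prefixed with "a variant of"; then type, hash, flag.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:a variant of )?\S+/\S+) "
    r"(?P<kind>\S+) "
    r"(?P<hash>[0-9a-fA-F]{32}) "
    r"(?P<flag>\S+)$"
)


@dataclass
class Detection:
    path: str
    threat: str
    kind: str        # "trojan", "application" (adware/PUA), ...
    location: str    # "live", "restore point" or "quarantine"


def classify_location(path):
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point"   # old System Restore snapshot, not an active file
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # assumed: ComboFix quarantine, already neutralised
    return "live"                # on disk where it could still be executed


def parse_eset_log(text):
    """Return (header dict, list of Detection, list of unparsed lines)."""
    header, detections, unparsed = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header.setdefault(key, value)   # repeated keys keep their first value
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["threat"], m["kind"],
                                        classify_location(m["path"])))
        else:
            unparsed.append(line)           # installer chatter such as "all ok"
    return header, detections, unparsed


def triage(text):
    """Summarise a log: do the counts agree, and is anything live and dangerous?"""
    header, detections, _ = parse_eset_log(text)
    return {
        "found_claimed": int(header.get("found", 0)),
        "found_parsed": len(detections),
        "cleaned": int(header.get("cleaned", 0)),
        "remove_checked": header.get("remove_checked") == "true",
        "by_location": Counter(d.location for d in detections),
        "by_kind": Counter(d.kind for d in detections),
        "live_trojans": [d.path for d in detections
                         if d.location == "live" and d.kind == "trojan"],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"found={summary['found_claimed']} parsed={summary['found_parsed']} "
          f"cleaned={summary['cleaned']} remove_checked={summary['remove_checked']}")
    print("by location:", dict(summary["by_location"]))
    print("by kind:    ", dict(summary["by_kind"]))
    print("live trojans:", summary["live_trojans"] or "none")
```

On the posted log this reports seven detections, four of them in restore points, one in quarantine, and only two live adware components, with no live trojan; that matches the scan having been run with "Remove found threats" unchecked (`cleaned=0`), and the later advice to flush System Restore points disposes of the four snapshot hits.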

peku006
2010-08-25, 10:06
Hi cool2024

Security Check
Please download Security Check (http://screen317.spywareinfoforum.org/SecurityCheck.exe) ... by screen317. Save it to your desktop.
Alternate download site: Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click the SecurityCheck.exe icon to begin.
Press the Space Bar when you see the "press any key to continue..." message.
A Notepad results file will open automatically called checkup.txt
Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
Please copy/paste the entire contents of the checkup.txt file into your next reply.

How's the computer running now? Any problems?

Thanks peku006

cool2024
2010-08-26, 07:43
Here are the results of the Security Check. My computer is running ok and Google results are returning valid results. Thanks so much for everything Peku.

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 2
Out of date service pack!! (http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3)
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
McAfee SecurityCenter
McAfee Virtual Technician
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner (remove only)
DH Driver Cleaner Professional Edition
Java Web Start
Java(TM) 6 Update 17
Java(TM) 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_04
Java 2 Runtime Environment, SE v1.4.1_02
Out of date Java installed!
Adobe Flash Player 10.1.53.64
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 7.1.0
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.6) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
````````````````````````````````
DNS Vulnerability Check:
Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

``````````End of Log````````````

peku006
2010-08-26, 09:15
Hi cool2024

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 21.
Download the latest version of Java Runtime Environment (JRE) 6 Here (http://java.sun.com/javase/downloads/index.jsp)
Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)"
Click the orange Download JRE button to the right
Select the Windows platform from the dropdown menu
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
Click on the link to download Windows Offline Installation & save the file to your desktop
Close any programs you may have running - especially your web browser
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs (or Programs and Features-Uninstall Programs in Vista) & remove all older versions of Java
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
Click the Remove or Change/Remove button. (Select item then select Uninstall in Vista)
Repeat as many times as necessary to remove each Java version
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked:
Applications and Applets
Trace and Log Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version 9.3.3.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader(3.5MB) from here (http://www.filehippo.com/download_foxit/download/423817ca4028434efe3f6174b07468b0/FoxitReader30_enu_Setup.exe). It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.



Thanks peku006

cool2024
2010-08-31, 04:04
Ok I installed the new Java update, the Adobe Reader update, and uninstalled all previous versions of Java. Thanks so much Peku.

peku006
2010-08-31, 09:31
Hi cool2024

Your log now appears to be clean. Congratulations! :yahoo:

To remove all of the tools we used and the files and folders they created do the following:

Delete DDS, CKScanner and SecurityCheck from your desktop.

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it by yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep... Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Here are some things that I think are worth having a look at if you don't already know about them:

Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy safe surfing! :bigthumb:

peku006

peku006
2010-09-05, 10:03
As this issue appears to be resolved, this topic is now closed

We are pleased to have been some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)