Need help getting rid of pesky virus. Couldn't download Spybot.
Hi there,
I have a very annoying virus on my laptop. I used to use Spybot but could no longer open the shortcut. I uninstalled it and tried to download it again but was unable to. My machine is a lot slower and I can no longer stream videos since the virus came into my life. Sigh! Any help you could give me would be very much appreciated. Here is the DDS Log as instructed:
DDS (Ver_10-11-01.01) - NTFSx86
Run by Paul Larke at 6:23:09.78 on 02/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1918.759 [GMT 0:00]
AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Trend Micro PC-cillin Internet Security 2007 *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\DatacardService\DCService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\All Users\Application Data\Cricket Broadband EC1705\userdata\ouc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Cricket Broadband EC1705\Cricket Broadband EC1705.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Larke\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uSearch Bar = hxxp://www.tangosearch.com/?useie5=1&q=
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
BHO: Tango: {cb7c4fa1-6a49-48e6-a749-5e90b98f9ad9} - c:\windows\system32\5978.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
TB: Tango: {cb7c4fa0-6a49-48e6-a749-5e90b98f9ad9} - c:\windows\system32\5978.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SRS Audio Sandbox] "c:\program files\srs labs\audio sandbox\SRSSSC.exe" /hideme
uRun: [Google Update] "c:\documents and settings\paul larke\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SfKg6wIPuSp] c:\documents and settings\paul larke\application data\microsoft\windows\jnipmo.exe
uRun: [HW_OPENEYE_OUC_Cricket Broadband EC1705] "c:\program files\cricket broadband ec1705\updatedog\ouc.exe"
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [omaneswrcx.tmp] "c:\docume~1\paulla~1\locals~1\temp\omaneswrcx.tmp"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\docume~1\windows\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: NameServer = 93.188.162.87,93.188.161.227
TCP: {69603E1B-9631-4785-A397-489EFA903470} = 172.28.221.53 172.28.221.54
TCP: {BB188DE4-E80B-4002-AB83-A7FA500CAE2A} = 93.188.162.87,93.188.161.227
TCP: {FCC4B3F7-5C59-4B8C-8D60-79EFD50C0BAB} = 93.188.162.87,93.188.161.227
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2009-4-1 83208]
R2 DCService.exe;DCService.exe;c:\documents and settings\all users\application data\datacardservice\DCService.exe [2009-12-22 225280]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-8-9 46112]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-8-16 36112]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-6-29 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-8-6 110984]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-9-27 117504]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2010-9-27 70656]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-8-24 281600]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-5 136176]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\tmntsrv.exe --> c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [?]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\tmpfw.exe --> c:\progra~1\trendm~1\intern~1\TmPfw.exe [?]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe --> c:\progra~1\trendm~1\intern~1\tmproxy.exe [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-6-25 183880]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2010-9-27 101504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-8-17 9216]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
=============== Created Last 30 ================
2010-11-01 00:55:38 -------- d-sh--w- c:\documents and settings\paul larke\PrivacIE
2010-10-29 01:29:37 -------- d-----w- c:\docume~1\paulla~1\locals~1\applic~1\The Weather Channel
2010-10-25 04:58:44 -------- d-----w- c:\program files\MSECache
2010-10-22 20:46:28 -------- d-sh--w- c:\documents and settings\paul larke\IETldCache
2010-10-22 19:53:54 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-10-22 19:53:24 -------- d-----w- c:\windows\ie8updates
2010-10-22 19:51:03 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-10-22 19:51:03 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-10-22 19:51:03 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-10-22 19:45:05 -------- dc-h--w- c:\windows\ie8
2010-10-14 04:09:15 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 04:09:15 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 04:08:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
==================== Find3M ====================
2010-09-27 17:03:53 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2010-09-27 17:03:52 13712 ----a-w- c:\windows\system32\sporder.dll
2010-09-27 17:03:46 724608 ----a-w- c:\windows\system32\bmutil.dll
2010-09-27 17:03:46 312448 ----a-w- c:\windows\system32\bminstall.dll
2010-09-27 17:03:36 132224 ----a-w- c:\windows\system32\bmdumpd.bin
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8032GSX rev.AS112M -> \Device\Ide\IdePort0
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6A1EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88c9e872; SUB DWORD [EBP-0x4], 0x88c9e12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A720AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000093[0x8A725030]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A735D98]
[0x8A5C66C8] -> IRP_MJ_CREATE -> 0x8A6A1EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected hooks:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8032GSX_______________________AS112M__#5&1b11c02c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\atapi DriverStartIo -> 0x8A6A1AEA
user & kernel MBR OK
sectors 156301486 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
Filesystem trace:
Registry trace:
called modules: ntoskrnl.exe hal.dll bdfsfltr.sys bdselfpr.sys
============= FINISH: 6:25:21.73 ===============
Thank you so much. I appreciate your time!
Joy
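The log above already carries the indicators an analyst reads before anything else: a browser helper object and toolbar ("Tango") loading an all-digit DLL from system32, logon entries that launch from Temp and from the roaming profile, nameservers on public addresses, a Hosts entry sending a security site to loopback, and a GMER section reporting an atapi DriverStartIo hook and a user/kernel disk-view mismatch. As an added example that is not part of the original thread or of the DDS/GMER tools, the Python script below parses a constructed excerpt of that log and flags those lines. The heuristics, the section names it keys on and the excerpt itself are the editor's own assumptions; in particular, whether the 93.188.x.x resolvers belong to the user's ISP or were set by malware is something the script asks you to verify rather than assumes.

```python
"""Triage a DDS log for the indicators a removal analyst reads first. Added example for
this thread, not part of DDS or GMER; the heuristics are the editor's own assumptions."""
from __future__ import annotations

import ipaddress
import re
from collections import namedtuple

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Tango: {cb7c4fa1-6a49-48e6-a749-5e90b98f9ad9} - c:\windows\system32\5978.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\paul larke\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SfKg6wIPuSp] c:\documents and settings\paul larke\application data\microsoft\windows\jnipmo.exe
uRun: [omaneswrcx.tmp] "c:\docume~1\paulla~1\locals~1\temp\omaneswrcx.tmp"
TCP: NameServer = 93.188.162.87,93.188.161.227
TCP: {69603E1B-9631-4785-A397-489EFA903470} = 172.28.221.53 172.28.221.54
Hosts: 127.0.0.1 www.spywareinfo.com
=================== ROOTKIT ====================
\Driver\atapi DriverStartIo -> 0x8A6A1AEA
sectors 156301486 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.*?)\s*=+$")
MODULE_RE = re.compile(r"^(?:BHO|TB): (?:.*?: )?\{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^[umd]Run: \[[^\]]*\] (?P<cmd>.*)$")
DNS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (?P<servers>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
# DDS prints unquoted paths that contain spaces, so take the first path ending in a known extension.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|scr|dll|cpl|tmp|bat|cmd|pif|vbs))"?(?:\s|$)', re.I)
EXECUTABLE_EXTS = {"exe", "com", "scr", "dll", "cpl"}
ROOTKIT_MARKERS = ("DriverStartIo ->", "user != kernel", "Warning:")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
Finding = namedtuple("Finding", "section line reason")

def _check_module(path: str) -> str | None:
    if path == "No File":
        return "CLSID registered but its file is gone (orphan entry to clean up)"
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem.isdigit():  # e.g. 5978.dll: vendors name their DLLs, droppers often do not
        return f"browser extension loads {path}; all-digit module names are typical of dropped DLLs"
    return None

def _check_run(cmd: str) -> str | None:
    hit = EXE_RE.match(cmd)
    target = (hit.group("path") if hit else cmd).strip('"').lower()
    name = target.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if "\\temp\\" in target:
        return "autostart from a Temp directory"
    if ext and ext not in EXECUTABLE_EXTS:
        return f"autostart of a .{ext} file, which is not an executable extension"
    # Roaming Application Data (not Local Settings, not All Users) is a common drop location.
    if "\\application data\\" in target and "local settings" not in target and "\\all users\\" not in target:
        return "autostart from the roaming profile instead of Program Files or Windows"
    return None

def _is_global(token: str) -> bool:
    try:
        return ipaddress.ip_address(token).is_global
    except ValueError:
        return False

def _check_dns(servers: str) -> str | None:
    public = [t for t in re.split(r"[,\s]+", servers.strip()) if _is_global(t)]
    return ("resolvers on public addresses " + ", ".join(public)
            + "; confirm they are the ISP's and were not set by malware") if public else None

def _check_hosts(ip: str, host: str) -> str | None:
    blackholed = ip in LOOPBACK and host.lower() not in ("localhost", "localhost.localdomain")
    return f"{host} is mapped to {ip}; a security site pointed at loopback blocks downloads and updates" if blackholed else None

def triage(text: str) -> list[Finding]:
    """Return one Finding per suspicious line, tagged with the DDS section it came from."""
    findings, section = [], "?"
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if header := SECTION_RE.match(line):
            section = header.group("name")
            continue
        reason = None
        if section == "ROOTKIT":
            if any(marker in line for marker in ROOTKIT_MARKERS):
                reason = "GMER reports a disk-stack hook or a user/kernel view mismatch"
        elif (m := MODULE_RE.match(line)):
            reason = _check_module(m.group("path"))
        elif (m := RUN_RE.match(line)):
            reason = _check_run(m.group("cmd"))
        elif (m := DNS_RE.match(line)):
            reason = _check_dns(m.group("servers"))
        elif (m := HOSTS_RE.match(line)):
            reason = _check_hosts(m.group("ip"), m.group("host"))
        if reason:
            findings.append(Finding(section, line, reason))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}\n    -> {f.reason}")
```

Run it as a script to see the findings for the excerpt, or call triage() on the full text of DDS.txt. Every hit is a reason to look closer, not proof of infection: Google Update lives under Local Settings\Application Data and is deliberately not flagged, and a public resolver is only a problem if the user did not configure it.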
Hello and welcome to Safer Networking.
My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic, I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.
Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:
Step # 1 Download and run DDS
Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.com)
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Step # 2: Download and Run Gmer
Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.
***Please close any open programs ***
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !
Please post the results from the GMER scan in your reply.
In your next post/reply, I need to see the following:
1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log
Use multiple posts if you can't fit everything into one post
Hi km2357,
I really appreciate your help. Here are the two DDS logs as you requested. However, when I downloaded gmer.zip and got to the part where it began scanning, my computer restarted on its own before it was finished producing a log. I tried a second time and the same thing happened. I had closed all open programs and did not touch my PC during the scan. Please advise.
DDS log: (identical to the log posted above)
Since GMER is giving you trouble, I'll have you try another rootkit scanner in its place.
C: is FIXED (NTFS) - 73 GiB total, 6.719 GiB free.
You have very low free space. I suggest you go into Add/Remove Programs and uninstall any programs you no longer use/need. Also if you have any music, movie or other files you can copy them to a External Hard Drive or USB/Flash Drive to free up some space as well.
Remove one of your Anti Virus programs.
You are operating your computer with multiple Anti Virus programs running in memory at once:
BitDefender Internet Security 2010
Trend Micro PC-cillin Internet Security 2007
Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
Please remove one of them.
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
µTorrent
LimeWire 4.14.7
Vuze
Vuze Remote Toolbar
I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.
Also available here (http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394).
My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Step # 1 Download and run SysProt
Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).
http://sites.google.com/site/sysprotantirootkit/
Unzip it into a folder on your desktop.
Double click Sysprot.exe to start the program.
Click on the Log tab.
In the Write to log box select the following items only:
Process
Kernel Modes
SSDT
Kernel Hooks
Hidden Files
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
Step # 2 Download and Run CKScanner.exe
Download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe
Important - Save it to your desktop.
Double-click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
In your next post/reply, I need to see the following:
1. CKScanner Log
2. SysProt Log
Hello km2357,
I have done as you asked and uninstalled uTorrent, Limewire, Vuze and Bitdefender. I tried to uninstall Trend Micro PC-cillin Internet Security 2007 but it wouldn't let me- it said the uninstall process was interrupted. I also got rid of some other programs I don't really use.
Here are the CKScanner Log and SysProt Log:
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No
Name: System
PID: 4
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\smss.exe
PID: 848
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\csrss.exe
PID: 896
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\winlogon.exe
PID: 924
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\services.exe
PID: 968
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\lsass.exe
PID: 980
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1172
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 1188
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 1256
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 1296
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 1508
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1760
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 424
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PID: 484
Hidden: No
Window Visible: No
Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 500
Hidden: No
Window Visible: No
Name: C:\Documents and Settings\All Users\Application Data\DataCardService\DCService.exe
PID: 532
Hidden: No
Window Visible: No
Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 640
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 684
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 816
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\alg.exe
PID: 1652
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1840
Hidden: No
Window Visible: No
Name: C:\WINDOWS\explorer.exe
PID: 788
Hidden: No
Window Visible: No
Name: C:\WINDOWS\RTHDCPL.exe
PID: 1612
Hidden: No
Window Visible: No
Name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PID: 1680
Hidden: No
Window Visible: No
Name: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 1684
Hidden: No
Window Visible: No
Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 1852
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\ctfmon.exe
PID: 1864
Hidden: No
Window Visible: No
Name: C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
PID: 1876
Hidden: No
Window Visible: No
Name: C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
PID: 2192
Hidden: No
Window Visible: No
Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 2564
Hidden: No
Window Visible: No
Name: C:\Documents and Settings\All Users\Application Data\Cricket Broadband EC1705\userdata\ouc.exe
PID: 2776
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\dwwin.exe
PID: 2808
Hidden: No
Window Visible: Yes
Name: C:\WINDOWS\system32\wuauclt.exe
PID: 2960
Hidden: No
Window Visible: No
Name: C:\Program Files\Cricket Broadband EC1705\Cricket Broadband EC1705.exe
PID: 3564
Hidden: No
Window Visible: No
Name: C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PID: 3708
Hidden: No
Window Visible: No
Name: C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PID: 660
Hidden: No
Window Visible: No
Name: C:\Documents and Settings\All Users\Application Data\Cricket Broadband EC1705\userdata\LiveUpd.exe
PID: 3192
Hidden: No
Window Visible: No
Name: C:\Documents and Settings\Paul Larke\Desktop\SysProt\SysProt.exe
PID: 2420
Hidden: No
Window Visible: Yes
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Paul Larke\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: A3BA6000
Module End: A3BB1000
Hidden: No
Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806FF000
Hidden: No
Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806FF000
Module End: 8071FD00
Hidden: No
Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7987000
Module End: F7989000
Hidden: No
Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7897000
Module End: F789A000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F75A8000
Module End: F75D6000
Hidden: No
Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7989000
Module End: F798B000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7597000
Module End: F75A8000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F75F7000
Module End: F7601000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: F789B000
Module End: F789E000
Hidden: No
Module Name: \WINDOWS\System32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: F789F000
Module End: F78A3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7A4F000
Module End: F7A50000
Hidden: No
Module Name: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7707000
Module End: F770E000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pcmcia.sys
Service Name: Pcmcia
Module Base: F74D9000
Module End: F74F7000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F7607000
Module End: F7612000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F74BA000
Module End: F74D9000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F798B000
Module End: F798D000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F7494000
Module End: F74BA000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ACPIEC.sys
Service Name: ACPIEC
Module Base: F78A3000
Module End: F78A6000
Hidden: No
Module Name: \WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
Service Name: ---
Module Base: F7A50000
Module End: F7A51000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F770F000
Module End: F7714000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F7617000
Module End: F7624000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F747C000
Module End: F7494000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F7627000
Module End: F7630000
Hidden: No
Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F7637000
Module End: F7644000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F745C000
Module End: F747C000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F744A000
Module End: F745C000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F7433000
Module End: F744A000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F7B52000
Module End: F7BDF000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F7406000
Module End: F7433000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F787D000
Module End: F7897000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\BMLoad.sys
Service Name: BMLoad
Module Base: F798D000
Module End: F798F000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F7547000
Module End: F7550000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: B9171000
Module End: B92D8000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: B915D000
Module End: B9171000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: F77DF000
Module End: F77E4000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: B9139000
Module End: B915D000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F77E7000
Module End: F77EF000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7537000
Module End: F7542000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F7527000
Module End: F7537000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F7517000
Module End: F7526000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\ks.sys
Service Name: ---
Module Base: B9116000
Module End: B9139000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F77EF000
Module End: F77F5000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: B90EE000
Module End: B9116000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F7507000
Module End: F7514000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F77F7000
Module End: F77FD000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: B90BE000
Module End: B90EE000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F79CD000
Module End: F79CF000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F77FF000
Module End: F7805000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\RTL8139.SYS
Service Name: rtl8139
Module Base: F7807000
Module End: F780D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ar5211.sys
Service Name: AR5211
Module Base: B9038000
Module End: B90BE000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: F7927000
Module End: F792B000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\lmimirr.sys
Service Name: lmimirr
Module Base: F7AB0000
Module End: F7AB1000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\srs_sscfilter.sys
Service Name: SRS_SSCFilter
Module Base: F74F7000
Module End: F7500000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys
Service Name: ---
Module Base: F780F000
Module End: F7817000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\csiidecoder_kern_i386.sys
Service Name: ---
Module Base: F7647000
Module End: F7651000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\surroundhp_kern_i386.sys
Service Name: ---
Module Base: BA2CC000
Module End: BA2D7000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\tshd4_kern_i386.sys
Service Name: ---
Module Base: B9AD0000
Module End: B9ADB000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7AB1000
Module End: F7AB2000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: B9AC0000
Module End: B9ACD000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: BA620000
Module End: BA623000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: B9021000
Module End: B9038000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: B9AB0000
Module End: B9ABB000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: B9AA0000
Module End: B9AAC000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F7817000
Module End: F781C000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys
Service Name: PSched
Module Base: B9010000
Module End: B9021000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: B9A90000
Module End: B9A99000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F781F000
Module End: F7824000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F774F000
Module End: F7754000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: B8FE0000
Module End: B9010000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: B9A80000
Module End: B9A8A000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F79CF000
Module End: F79D1000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
Service Name: Update
Module Base: B8F82000
Module End: B8FE0000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: BA604000
Module End: BA608000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\TM_CFW.sys
Service Name: tmcfw
Module Base: B8DC3000
Module End: B8F82000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ew_jubusenum.sys
Service Name: huawei_enumerator
Module Base: B8DB1000
Module End: B8DC3000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS
Service Name: ---
Module Base: B9A70000
Module End: B9A7E000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\wdf01000.sys
Service Name: Wdf01000
Module Base: B8D40000
Module End: B8DB1000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F76B7000
Module End: F76C1000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F76E7000
Module End: F76F6000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: AC90E000
Module End: ACD50000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: AC8EA000
Module End: AC90E000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: AF9BC000
Module End: AF9CB000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\AGRSM.sys
Service Name: AgereSoftModem
Module Base: A8648000
Module End: A8763000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: AA9E7000
Module End: AA9EF000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: AFAC3000
Module End: AFAC5000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: A94D9000
Module End: A94DA000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: AFAC1000
Module End: AFAC3000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: A987B000
Module End: A9881000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: AFABF000
Module End: AFAC1000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: AFABD000
Module End: AFABF000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: A9873000
Module End: A9878000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: A986B000
Module End: A9873000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: AB795000
Module End: AB798000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: A8615000
Module End: A8628000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: A85BC000
Module End: A8615000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\tcpipBM.SYS
Service Name: tcpipBM
Module Base: A9863000
Module End: A9868000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: A8594000
Module End: A85BC000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: A856E000
Module End: A8594000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: A854C000
Module End: A856E000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: A9301000
Module End: A930A000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: A92F1000
Module End: A92FA000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\StarOpen.SYS
Service Name: StarOpen
Module Base: A985B000
Module End: A9861000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\tmtdi.sys
Service Name: tmtdi
Module Base: A853B000
Module End: A854C000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: A8510000
Module End: A853B000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: A84A0000
Module End: A8510000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: A92D1000
Module End: A92DC000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: A417F000
Module End: A418F000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: A40A9000
Module End: A40AC000
Hidden: No
Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: AD594000
Module End: AD599000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: B9D97000
Module End: B9D98000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Tmpreflt.sys
Service Name: Tmpreflt
Module Base: BA2BC000
Module End: BA2C9000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\VsapiNT.sys
Service Name: Vsapint
Module Base: A1255000
Module End: A1367000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\TmXPFlt.sys
Service Name: tmxpflt
Module Base: A1213000
Module End: A1255000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: B8474000
Module End: B8478000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: A11BE000
Module End: A11EB000
Hidden: No
Module Name: \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
Service Name: LMIRfsDriver
Module Base: BA25C000
Module End: BA266000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys
Service Name: Srv
Module Base: A10C6000
Module End: A111E000
Hidden: No
Module Name: \??\C:\WINDOWS\system32\drivers\tmcomm.sys
Service Name: tmcomm
Module Base: A1086000
Module End: A109E000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\tm_mbd_c.sys
Service Name: tmmbd
Module Base: A1041000
Module End: A105E000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: A0EEC000
Module End: A0F01000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: A413F000
Module End: A414E000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: A0905000
Module End: A0946000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: A9468000
Module End: A9470000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
Service Name: hwdatacard
Module Base: A0780000
Module End: A079A000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ewusbnet.sys
Service Name: ewusbnet
Module Base: A0763000
Module End: A0780000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: A9458000
Module End: A945F000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\asyncmac.sys
Service Name: AsyncMac
Module Base: A33F1000
Module End: A33F5000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: A0648000
Module End: A0673000
Hidden: No
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Program Files\BitDefender\BitDefender 2010\NAG\Close2Exp
Status: Access denied
Object: C:\Program Files\BitDefender\BitDefender 2010\NAG\Expired
Status: Access denied
Object: C:\Program Files\BitDefender\BitDefender 2010\NAG\Invalid
Status: Access denied
Object: C:\Program Files\BitDefender\BitDefender 2010\NAG\media\images\bg_blue.png.gzip
Status: Access denied
Object: C:\Program Files\BitDefender\BitDefender 2010\NAG\media\images\keyfail.png.gzip
Status: Access denied
Object: C:\Program Files\BitDefender\BitDefender 2010\NAG\media\images
Status: Access denied
Object: C:\Program Files\BitDefender\BitDefender 2010\NAG\media
Status: Access denied
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: C:\System Volume Information\tracking.log
Status: Access denied
Object: C:\System Volume Information\_restore{4B8C2810-F28D-4237-A45D-5B1831426ECE}
Status: Access denied
Thank you!!!!
Joy
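The two logs in this thread disagree on the surface: GMER flagged an atapi DriverStartIo hook, a user/kernel sector mismatch and "possible TDL3 rootkit", while SysProt lists no hidden modules and "No Kernel Hooks found". The script below, added here as a worked example (it is not part of the thread and not code from GMER, SysProt or any other tool mentioned), shows how a responder would reconcile them: it takes every hook target GMER printed and resolves it against the kernel module list SysProt produced, and it locates the mismatched sectors relative to the end of the disk. A hook whose target is covered by no loaded driver image is code executing out of kernel pool memory, which is consistent with TDL3 patching the atapi driver object so its DriverStartIo and IRP handlers point into rootkit code rather than into atapi.sys, and TDL3 keeps its hidden file system in the last sectors of the drive. The log excerpts are copied from the logs posted above; the function names, the report format and the nominal 80 GB disk size (inferred from the TOSHIBA MK8032GSX model string in the GMER log, not stated anywhere on the page) are this example's own assumptions.

```python
"""Cross-check GMER hook targets against SysProt's kernel module list.

Added example for this thread; not code from GMER, SysProt or ComboFix.
Assumptions: nominal 80 GB disk (inferred from the model string in the log),
512-byte sectors, and the log line formats exactly as they appear in the thread.
"""
import re

# Excerpt copied from the GMER log posted in this thread (not constructed).
GMER_LOG = r"""
[0x8A5C66C8] -> IRP_MJ_CREATE -> 0x8A6A1EC5
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A6A1AEA
user & kernel MBR OK
sectors 156301486 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
"""

# Excerpt copied from the SysProt 'Kernel Modules' block posted in this thread.
SYSPROT_LOG = r"""
Kernel Modules:
Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806FF000
Hidden: No
Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806FF000
Module End: 8071FD00
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F747C000
Module End: F7494000
Hidden: No
Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F7637000
Module End: F7644000
Hidden: No
"""

NOMINAL_DISK_BYTES = 80 * 10**9   # assumption: 80 GB drive, see docstring
SECTOR_BYTES = 512

# 'something -> 0xADDR' at end of line: GMER's hook/dispatch target lines.
HOOK_RE = re.compile(r"^(?P<where>.+?) -> 0x(?P<target>[0-9A-Fa-f]{8})$", re.M)
SECTOR_RE = re.compile(r"^sectors (?P<start>\d+) \(\+(?P<count>\d+)\): user != kernel$", re.M)
MODULE_RE = re.compile(
    r"^Module Name: (?P<name>.+)\nService Name: .*\n"
    r"Module Base: (?P<base>[0-9A-Fa-f]+)\nModule End: (?P<end>[0-9A-Fa-f]+)\n"
    r"Hidden: (?P<hidden>Yes|No)$", re.M)


def parse_sysprot_modules(text):
    """Return [(name, base, end, hidden)] parsed from SysProt's module list."""
    return [(m["name"], int(m["base"], 16), int(m["end"], 16), m["hidden"] == "Yes")
            for m in MODULE_RE.finditer(text)]


def resolve(addr, modules):
    """Name of the loaded module whose image covers addr, or None."""
    for name, base, end, _hidden in modules:
        if base <= addr < end:
            return name
    return None


def near_disk_end(sector, disk_bytes=NOMINAL_DISK_BYTES, slack=0.01):
    """True if sector lies within the last `slack` fraction of the disk."""
    total_sectors = disk_bytes // SECTOR_BYTES
    return sector >= total_sectors * (1 - slack)


def triage(gmer_text, sysprot_text):
    """Resolve GMER hook targets against SysProt modules; locate sector mismatch."""
    modules = parse_sysprot_modules(sysprot_text)
    hooks = [(m["where"], int(m["target"], 16)) for m in HOOK_RE.finditer(gmer_text)]
    findings = {
        "hooks": [(where, target, resolve(target, modules)) for where, target in hooks],
        "tdl3_warning": "possible TDL3 rootkit" in gmer_text,
        "sector_mismatch": None,
        "near_disk_end": False,
    }
    m = SECTOR_RE.search(gmer_text)
    if m:
        start, count = int(m["start"]), int(m["count"])
        findings["sector_mismatch"] = (start, count)
        findings["near_disk_end"] = near_disk_end(start)
    findings["unresolved_hooks"] = sum(1 for _, _, mod in findings["hooks"] if mod is None)
    return findings


if __name__ == "__main__":
    f = triage(GMER_LOG, SYSPROT_LOG)
    for where, target, mod in f["hooks"]:
        print(f"{where} -> {target:08X}: {mod or 'NO LOADED MODULE (pool-resident code)'}")
    if f["sector_mismatch"]:
        start, count = f["sector_mismatch"]
        print(f"user/kernel disagree on {count} sectors from {start}; "
              f"near disk end: {f['near_disk_end']}")
```

Run against the excerpts, both GMER targets (0x8A6A1AEA and 0x8A6A1EC5) fall outside every image SysProt enumerated, including atapi.sys itself (F747C000 to F7494000), while ordinary dispatch addresses from the same GMER trace such as nt!IofCallDriver[0x804E13B9] resolve cleanly to ntoskrnl.exe. That is the point of the cross-check: a module list with nothing hidden does not clear the machine when the hook code was never loaded as a module, and the sector mismatch at the very end of the disk is where the rootkit's own storage is expected.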
I tried to uninstall Trend Micro PC-cillin Internet Security 2007...
Uninstalling BitDefender was fine, but don't uninstall Trend Micro, otherwise you'd have no AntiVirus programs on your computer. You had 2 AntiViruses (BitDefender and Trend Micro) and I wanted you to uninstall one which you did and that was BitDefender. :)
Step # 1: Download and Run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* IMPORTANT !!! Save ComboFix.exe to your Desktop
When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.
Hi km2357!
I tried to disable Trend Micro but I can't even get into it to do that, nothing happens when I click on it. Can't even uninstall it, like I said. So I'm not sure if that's a problem, but when I saved ComboFix to my desktop, clicked on it, clicked on "Run" nothing happens. I tried a couple times. Argh. Please advise! Thanks!!!
Joy
I tried to disable Trend Micro but I can't even get into it to do that, nothing happens when I click on it. Can't even uninstall it, like I said.
Ok, let's fully remove Trend Micro then and we'll replace it with another AntiVirus.
To remove Trend Micro, follow the instructions as the link below:
http://esupport.trendmicro.com/4/How-do-I-remove-Trend-Micro-Internet-Security-Pro-and-Trend-Micro-Inte.aspx#xp
Once you've removed Trend Micro, it'll need to be replaced by another AntiVirus. Here are a few free ones to choose from:
1)Antivir PersonalEdition Classic (http://www.free-av.com/)
2)avast! Home Edition (http://www.avast.com/free-antivirus-download)
Download and install only one!
when I saved ComboFix to my desktop, clicked on it, clicked on "Run" nothing happens. I tried a couple times.
When you say you "clicked" on ComboFix.exe, did you single or double-click on it? If you did single, you need to double-click your mouse on it. Make sure you disable your new AntiVirus before you run ComboFix.
Hey!
I was finally able to run ComboFix! I think I was having a problem earlier because it wouldn't directly save to my desktop so I changed my toolbar settings so that it would ask me where I wanted it saved. Also, I renamed the application to Combo-Fix before I ran it.
I also did what you asked and was able to uninstall Trend Micro. I replaced it with Avira.
I also just noticed that the pop-ups I used to get when turning on my computer are gone!! That's a good sign!!
Anyway, here is the log:
ComboFix 10-11-14.01 - Paul Larke 15/11/2010 2:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1918.1437 [GMT 0:00]
Running from: c:\documents and settings\Paul Larke\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Documents\Server\admin.txt
c:\documents and settings\All Users\Documents\Server\server.dat
c:\documents and settings\Paul Larke\Application Data\GabPath
c:\documents and settings\Paul Larke\Application Data\GabPath\config.cfg
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-10-15 to 2010-11-15 )))))))))))))))))))))))))))))))
.
2010-11-02 06:19 . 2010-11-02 06:20 -------- d-----w- c:\program files\ERUNT
2010-11-01 00:55 . 2010-11-01 00:55 -------- d-sh--w- c:\documents and settings\Paul Larke\PrivacIE
2010-10-29 01:29 . 2010-10-29 01:29 -------- d-----w- c:\documents and settings\Paul Larke\Local Settings\Application Data\The Weather Channel
2010-10-25 04:58 . 2010-10-25 04:58 -------- d-----w- c:\program files\MSECache
2010-10-22 20:47 . 2010-10-22 20:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-22 20:46 . 2010-10-22 20:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-10-22 20:46 . 2010-10-22 20:46 -------- d-sh--w- c:\documents and settings\Paul Larke\IETldCache
2010-10-22 19:53 . 2010-08-26 11:08 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-10-22 19:51 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-10-22 19:51 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-10-22 19:51 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-10-22 19:45 . 2010-10-22 19:50 -------- dc-h--w- c:\windows\ie8
2010-10-17 23:25 . 2010-10-17 23:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-27 17:03 . 2010-09-27 17:05 70656 ----a-w- c:\windows\system32\drivers\ew_jubusenum.sys
2010-09-27 17:03 . 2010-09-27 17:05 69632 ----a-w- c:\windows\system32\drivers\ew_jucdcacm.sys
2010-09-27 17:03 . 2010-09-27 17:05 51584 ----a-w- c:\windows\system32\drivers\ew_jucdcecm.sys
2010-09-27 17:03 . 2010-09-27 17:05 26880 ----a-w- c:\windows\system32\drivers\ew_juextctrl.sys
2010-09-27 17:03 . 2010-09-27 17:05 117504 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-09-27 17:03 . 2010-09-27 17:05 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys
2010-09-27 17:03 . 2010-09-27 17:05 105728 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-09-27 17:03 . 2010-09-27 17:05 101504 ----a-w- c:\windows\system32\drivers\ew_hwusbdev.sys
2010-09-27 17:03 . 2010-09-25 22:55 24192 ----a-w- c:\windows\system32\drivers\tcpipBM.sys
2010-09-27 17:03 . 2010-09-09 06:20 28672 ----a-w- c:\windows\system32\drivers\usbccid.sys
2010-09-27 17:03 . 2010-09-27 17:05 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-09-27 17:03 . 2010-09-25 22:55 13184 ----a-w- c:\windows\system32\drivers\BMLoad.sys
2010-09-27 17:03 . 2010-09-09 06:20 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2010-09-27 17:03 . 2010-09-09 06:20 1461992 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01009.dll
2010-09-27 17:03 . 2010-09-25 22:55 13712 ----a-w- c:\windows\system32\sporder.dll
2010-09-27 17:03 . 2010-09-25 22:55 724608 ----a-w- c:\windows\system32\bmutil.dll
2010-09-27 17:03 . 2010-09-25 22:55 312448 ----a-w- c:\windows\system32\bminstall.dll
2010-09-27 17:03 . 2010-09-25 22:55 132224 ----a-w- c:\windows\system32\bmdumpd.bin
2010-09-18 11:23 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-23 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2002-08-29 03:41 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2002-08-29 03:41 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2002-08-29 03:41 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-01 11:51 . 2001-08-23 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2002-08-29 02:14 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-23 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-23 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-17 11:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2002-08-29 03:40 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SRS Audio Sandbox"="c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2007-05-17 481280]
"Google Update"="c:\documents and settings\Paul Larke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]
"HW_OPENEYE_OUC_Cricket Broadband EC1705"="c:\program files\Cricket Broadband EC1705\UpdateDog\ouc.exe" [2010-09-27 196608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 761946]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-07 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\All Users\Documents\Windows\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 14:22 63040 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2006-02-06 17:52 462935 ----a-w- c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-07 17:22 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BT Home Hub\\Help\\SmartBridge\\BTHelpNotifier.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [13/11/2010 20:43 135336]
R2 DCService.exe;DCService.exe;c:\documents and settings\All Users\Application Data\DataCardService\DCService.exe [22/12/2009 09:17 225280]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [27/09/2010 17:05 117504]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [27/09/2010 17:05 70656]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/10/2010 18:38 136176]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [27/09/2010 17:05 101504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [17/08/2010 18:07 9216]
S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\Paul Larke\Desktop\SysProt\SysProtDrv.sys --> c:\documents and settings\Paul Larke\Desktop\SysProt\SysProtDrv.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - BMLoad
.
Contents of the 'Scheduled Tasks' folder
2010-11-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-16 19:48]
2010-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-05 18:38]
2010-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-05 18:38]
2010-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-362288127-725345543-1003Core.job
- c:\documents and settings\Paul Larke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-15 06:53]
2010-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-362288127-725345543-1003UA.job
- c:\documents and settings\Paul Larke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-15 06:53]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
BHO-{CB7C4FA1-6A49-48E6-A749-5E90B98F9AD9} - c:\windows\system32\5978.dll
Toolbar-{CB7C4FA0-6A49-48E6-A749-5E90B98F9AD9} - c:\windows\system32\5978.dll
WebBrowser-{CB7C4FA0-6A49-48E6-A749-5E90B98F9AD9} - c:\windows\system32\5978.dll
HKCU-Run-SfKg6wIPuSp - c:\documents and settings\Paul Larke\Application Data\Microsoft\Windows\jnipmo.exe
HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
MSConfigStartUp-OE - c:\program files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
MSConfigStartUp-pccguide - c:\program files\Trend Micro\Internet Security 2007\pccguide.exe
AddRemove-GabPath - c:\documents and settings\Paul Larke\Application Data\GabPath\GPUninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-15 02:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallIS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_is=\"0\" />"
"Device"="xrnJucq8yLy6z8fMzszNusjHvM8="
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-11-15 02:29:11
ComboFix-quarantined-files.txt 2010-11-15 02:29
Pre-Run: 8,275,865,600 bytes free
Post-Run: 8,507,396,096 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 94815BE75C00CD69130A0EADD59462DC
Thanks!!!
Joy
I also just noticed that the pop-ups I used to get when turning on my computer are gone!! That's a good sign!!
That's definitely a good sign. :)
Step # 1: Run CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KILLALL::
DDS::
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Note: This CFScript is for use on joy25's computer only! Do not use it on your computer.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.
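A fresh DDS log is what the helper reads next. As an added example, not code from this thread or from the DDS/ComboFix authors, the script below parses the Run entries and the "- No File" BHO/toolbar lines of a DDS "Pseudo HJT Report" and flags autostarts that run from a user-writable profile directory or carry a machine-generated-looking name. The sample lines, hive labels and heuristics are my own assumptions, modelled on this thread's logs.

```python
"""Triage autostart entries in a DDS 'Pseudo HJT Report' (added example)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on lines from this thread's DDS and ComboFix
# logs. The SfKg6wIPuSp entry is the ComboFix orphan rewritten in DDS format.
SAMPLE_DDS = """\
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\\program files\\java\\jre6\\bin\\ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
uRun: [SRS Audio Sandbox] "c:\\program files\\srs labs\\audio sandbox\\SRSSSC.exe" /hideme
uRun: [Google Update] "c:\\documents and settings\\paul larke\\local settings\\application data\\google\\update\\GoogleUpdate.exe" /c
uRun: [SfKg6wIPuSp] c:\\documents and settings\\paul larke\\application data\\microsoft\\windows\\jnipmo.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avgnt] "c:\\program files\\avira\\antivir desktop\\avgnt.exe" /min
"""

# DDS prefixes: uRun = HKCU, mRun = HKLM, dRun = HKU\.DEFAULT Run keys.
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOFILE_RE = re.compile(r"^(?P<kind>BHO|TB): .*?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - No File$")
# Directories an unprivileged user can write to (assumed markers).
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    args: str
    reasons: list
    severity: str  # "ok", "review" or "high"


def split_command(cmd: str):
    """Split a Run value into (image path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:].strip())
    # Unquoted: cut at the first " /" or " -" switch so paths with spaces survive.
    path = re.match(r"^(.*?)(?:\s+[-/].*)?$", cmd).group(1)
    return path, cmd[len(path):].strip()


def looks_random(s: str) -> bool:
    """Crude heuristic: few vowels combined with digits or many case flips."""
    letters = [c for c in s if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return vowel_ratio <= 0.25 and (any(c.isdigit() for c in s) or flips >= 4)


def assess_run(hive: str, name: str, path: str, args: str) -> Finding:
    """Attach review reasons and a severity to one Run entry."""
    reasons = []
    p = path.lower()
    if "\\" not in p:
        reasons.append("bare file name, resolved through the search path")
    elif any(mk in p for mk in PROFILE_MARKERS) and "\\program files\\" not in p:
        reasons.append("image lives in a user-writable profile directory")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(name) or looks_random(stem):
        reasons.append("machine-generated looking name")
    severity = "ok" if not reasons else ("high" if len(reasons) > 1 else "review")
    return Finding(HIVE[hive], name, path, args, reasons, severity)


def triage(report: str) -> dict:
    """Return {'run': [Finding, ...], 'no_file': [(kind, clsid), ...]}."""
    runs, no_file = [], []
    for line in report.splitlines():
        m = RUN_RE.match(line)
        if m:
            path, args = split_command(m["cmd"])
            runs.append(assess_run(m["hive"], m["name"], path, args))
            continue
        m = NOFILE_RE.match(line)
        if m:
            # Registered browser extension whose DLL is gone: stale key to clean.
            no_file.append((m["kind"], m["clsid"]))
    return {"run": runs, "no_file": no_file}


if __name__ == "__main__":
    result = triage(SAMPLE_DDS)
    for kind, clsid in result["no_file"]:
        print(f"{kind} {clsid}: registered but file missing")
    for f in result["run"]:
        print(f"[{f.severity:6}] {f.hive} [{f.name}] {f.path} {f.args}  {'; '.join(f.reasons)}")
```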
Done! Here are the logs you requested:
ComboFix 10-11-14.01 - Paul Larke 15/11/2010 5:22.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1918.1416 [GMT 0:00]
Running from: c:\documents and settings\Paul Larke\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Paul Larke\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((( Files Created from 2010-10-15 to 2010-11-15 )))))))))))))))))))))))))))))))
.
2010-11-13 20:53 . 2010-11-13 20:53 -------- d-----w- c:\documents and settings\Paul Larke\Application Data\Avira
2010-11-13 20:43 . 2010-08-02 16:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-13 20:43 . 2010-08-02 16:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-13 20:43 . 2010-06-17 15:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-13 20:43 . 2010-06-17 15:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-13 20:43 . 2010-11-13 20:43 -------- d-----w- c:\program files\Avira
2010-11-13 20:43 . 2010-11-13 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-11-02 06:19 . 2010-11-02 06:20 -------- d-----w- c:\program files\ERUNT
2010-11-01 00:55 . 2010-11-01 00:55 -------- d-sh--w- c:\documents and settings\Paul Larke\PrivacIE
2010-10-29 01:29 . 2010-10-29 01:29 -------- d-----w- c:\documents and settings\Paul Larke\Local Settings\Application Data\The Weather Channel
2010-10-25 04:58 . 2010-10-25 04:58 -------- d-----w- c:\program files\MSECache
2010-10-22 20:47 . 2010-10-22 20:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-22 20:46 . 2010-10-22 20:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-10-22 20:46 . 2010-10-22 20:46 -------- d-sh--w- c:\documents and settings\Paul Larke\IETldCache
2010-10-22 19:53 . 2010-08-26 11:08 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-10-22 19:51 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-10-22 19:51 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-10-22 19:51 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-10-22 19:45 . 2010-10-22 19:50 -------- dc-h--w- c:\windows\ie8
2010-10-17 23:25 . 2010-10-17 23:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-27 17:03 . 2010-09-27 17:05 70656 ----a-w- c:\windows\system32\drivers\ew_jubusenum.sys
2010-09-27 17:03 . 2010-09-27 17:05 69632 ----a-w- c:\windows\system32\drivers\ew_jucdcacm.sys
2010-09-27 17:03 . 2010-09-27 17:05 51584 ----a-w- c:\windows\system32\drivers\ew_jucdcecm.sys
2010-09-27 17:03 . 2010-09-27 17:05 26880 ----a-w- c:\windows\system32\drivers\ew_juextctrl.sys
2010-09-27 17:03 . 2010-09-27 17:05 117504 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-09-27 17:03 . 2010-09-27 17:05 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys
2010-09-27 17:03 . 2010-09-27 17:05 105728 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-09-27 17:03 . 2010-09-27 17:05 101504 ----a-w- c:\windows\system32\drivers\ew_hwusbdev.sys
2010-09-27 17:03 . 2010-09-25 22:55 24192 ----a-w- c:\windows\system32\drivers\tcpipBM.sys
2010-09-27 17:03 . 2010-09-09 06:20 28672 ----a-w- c:\windows\system32\drivers\usbccid.sys
2010-09-27 17:03 . 2010-09-27 17:05 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-09-27 17:03 . 2010-09-25 22:55 13184 ----a-w- c:\windows\system32\drivers\BMLoad.sys
2010-09-27 17:03 . 2010-09-09 06:20 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2010-09-27 17:03 . 2010-09-09 06:20 1461992 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01009.dll
2010-09-27 17:03 . 2010-09-25 22:55 13712 ----a-w- c:\windows\system32\sporder.dll
2010-09-27 17:03 . 2010-09-25 22:55 724608 ----a-w- c:\windows\system32\bmutil.dll
2010-09-27 17:03 . 2010-09-25 22:55 312448 ----a-w- c:\windows\system32\bminstall.dll
2010-09-27 17:03 . 2010-09-25 22:55 132224 ----a-w- c:\windows\system32\bmdumpd.bin
2010-09-18 11:23 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-23 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2002-08-29 03:41 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2002-08-29 03:41 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2002-08-29 03:41 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-01 11:51 . 2001-08-23 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2002-08-29 02:14 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-23 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-23 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-17 11:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2002-08-29 03:40 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SRS Audio Sandbox"="c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2007-05-17 481280]
"Google Update"="c:\documents and settings\Paul Larke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]
"HW_OPENEYE_OUC_Cricket Broadband EC1705"="c:\program files\Cricket Broadband EC1705\UpdateDog\ouc.exe" [2010-09-27 196608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 761946]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-07 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\All Users\Documents\Windows\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 14:22 63040 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2006-02-06 17:52 462935 ----a-w- c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-07 17:22 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BT Home Hub\\Help\\SmartBridge\\BTHelpNotifier.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [13/11/2010 20:43 135336]
R2 DCService.exe;DCService.exe;c:\documents and settings\All Users\Application Data\DataCardService\DCService.exe [22/12/2009 09:17 225280]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [27/09/2010 17:05 117504]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [27/09/2010 17:05 70656]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/10/2010 18:38 136176]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [27/09/2010 17:05 101504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [17/08/2010 18:07 9216]
S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\Paul Larke\Desktop\SysProt\SysProtDrv.sys --> c:\documents and settings\Paul Larke\Desktop\SysProt\SysProtDrv.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - BMLoad
.
Contents of the 'Scheduled Tasks' folder
2010-11-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-16 19:48]
2010-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-05 18:38]
2010-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-05 18:38]
2010-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-362288127-725345543-1003Core.job
- c:\documents and settings\Paul Larke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-15 06:53]
2010-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-362288127-725345543-1003UA.job
- c:\documents and settings\Paul Larke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-15 06:53]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-15 05:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallIS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_is=\"0\" />"
"Device"="xrnJucq8yLy6z8fMzszNusjHvM8="
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'explorer.exe'(1648)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\RTHDCPL.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\documents and settings\Paul Larke\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\documents and settings\All Users\Application Data\Cricket Broadband EC1705\userdata\ouc.exe
c:\program files\Cricket Broadband EC1705\Cricket Broadband EC1705.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-11-15 05:33:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-15 05:33
ComboFix2.txt 2010-11-15 02:29
Pre-Run: 8,510,746,624 bytes free
Post-Run: 8,485,081,088 bytes free
- - End Of File - - E1E9E1578F33205DE7387EE337E32984
DDS (Ver_10-11-10.01) - NTFSx86
Run by Paul Larke at 5:41:48.45 on 15/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1918.1300 [GMT 0:00]
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\DatacardService\DCService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\All Users\Application Data\Cricket Broadband EC1705\userdata\ouc.exe
C:\Program Files\Cricket Broadband EC1705\Cricket Broadband EC1705.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Larke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Larke\Desktop\dds.pif
============== Pseudo HJT Report ===============
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [SRS Audio Sandbox] "c:\program files\srs labs\audio sandbox\SRSSSC.exe" /hideme
uRun: [Google Update] "c:\documents and settings\paul larke\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [HW_OPENEYE_OUC_Cricket Broadband EC1705] "c:\program files\cricket broadband ec1705\updatedog\ouc.exe"
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\docume~1\windows\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {69603E1B-9631-4785-A397-489EFA903470} = 172.28.221.53 172.28.221.54
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-11-13 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-13 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-13 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-13 60936]
R2 DCService.exe;DCService.exe;c:\documents and settings\all users\application data\datacardservice\DCService.exe [2009-12-22 225280]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-8-9 46112]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-9-27 117504]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2010-9-27 70656]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-5 136176]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2010-9-27 101504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-8-17 9216]
S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\paul larke\desktop\sysprot\sysprotdrv.sys --> c:\documents and settings\paul larke\desktop\sysprot\SysProtDrv.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
=============== Created Last 30 ================
2010-11-15 05:40:58 -------- d--h--w- c:\windows\PIF
2010-11-15 02:13:10 -------- d-sha-r- C:\cmdcons
2010-11-15 02:05:50 98816 ----a-w- c:\windows\sed.exe
2010-11-15 02:05:50 89088 ----a-w- c:\windows\MBR.exe
2010-11-15 02:05:50 256512 ----a-w- c:\windows\PEV.exe
2010-11-15 02:05:50 161792 ----a-w- c:\windows\SWREG.exe
2010-11-13 20:53:00 -------- d-----w- c:\docume~1\paulla~1\applic~1\Avira
2010-11-13 20:43:44 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-13 20:43:43 -------- d-----w- c:\program files\Avira
2010-11-13 20:43:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-11-01 00:55:38 -------- d-sh--w- c:\documents and settings\paul larke\PrivacIE
2010-10-29 01:29:37 -------- d-----w- c:\docume~1\paulla~1\locals~1\applic~1\The Weather Channel
2010-10-25 04:58:44 -------- d-----w- c:\program files\MSECache
2010-10-22 20:46:28 -------- d-sh--w- c:\documents and settings\paul larke\IETldCache
2010-10-22 19:53:54 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-10-22 19:53:24 -------- d-----w- c:\windows\ie8updates
2010-10-22 19:51:03 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-10-22 19:51:03 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-10-22 19:51:03 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-10-22 19:45:05 -------- dc-h--w- c:\windows\ie8
==================== Find3M ====================
2010-09-27 17:03:53 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2010-09-27 17:03:52 13712 ----a-w- c:\windows\system32\sporder.dll
2010-09-27 17:03:46 724608 ----a-w- c:\windows\system32\bmutil.dll
2010-09-27 17:03:46 312448 ----a-w- c:\windows\system32\bminstall.dll
2010-09-27 17:03:36 132224 ----a-w- c:\windows\system32\bmdumpd.bin
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
============= FINISH: 5:42:07.12 ===============
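The SERVICES / DRIVERS section of a DDS log is where a helper looks first: entries whose binary DDS could not find on disk (`[?]` or `[x]`) and drivers that load from a user profile folder rather than from Program Files or System32. The parser below is an added example written for this thread; it is not part of DDS or of the original posts. It understands the three line shapes in the log above and flags those two conditions. The sample lines are copied from the DDS log in this thread.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log.

Added example for this thread; not part of DDS or of the original posts.
Parses lines of the form

    R2 name;Display Name;c:\\path\\file.sys [2010-11-13 60936]
    S2 name;Display Name;\\??\\c:\\path\\file.sys --> c:\\path\\file.sys [?]
    S4 name;Display Name; [x]

and flags binaries DDS could not find on disk ([?] or [x]) and binaries
that load from a user profile directory.
"""
import re
from dataclasses import dataclass

# state (R = running, S = stopped) + start-type digit, three ';' fields,
# then a bracketed tail: "[date size]" when the file exists, "[?]" or "[x]"
# when DDS could not find it.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]*);(?P<display>[^;]*);(?P<path>.*?)\s*"
    r"\[(?P<tail>[^\]]*)\]\s*$"
)

# Lower-cased prefixes under which an installed driver or service rarely
# belongs; a hit is a lead for the helper, not a verdict.
USER_PROFILE_DIRS = ("c:\\documents and settings\\", "c:\\docume~1\\")


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    path: str
    file_present: bool
    flags: tuple


def _resolved_path(raw: str) -> str:
    """DDS prints NT-style paths as '\\??\\x --> y'; keep the resolved side."""
    if "-->" in raw:
        raw = raw.split("-->", 1)[1]
    return raw.strip().lower()


def parse_service_line(line: str):
    """Parse one DDS service/driver line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    present = m.group("tail").strip() not in ("?", "x")
    path = _resolved_path(m.group("path"))
    flags = []
    if not present:
        flags.append("binary-missing")
    if path.startswith(USER_PROFILE_DIRS):
        flags.append("user-profile-path")
    return ServiceEntry(
        running=m.group("state") == "R",
        start_type=int(m.group("start")),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        path=path,
        file_present=present,
        flags=tuple(flags),
    )


def triage(section: str):
    """Return (all entries, flagged entries) for a DDS services section."""
    entries = [e for e in map(parse_service_line, section.splitlines()) if e]
    return entries, [e for e in entries if e.flags]


# Four lines copied from the DDS log in this thread.
SAMPLE = r"""
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-11-13 11608]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\paul larke\desktop\sysprot\sysprotdrv.sys --> c:\documents and settings\paul larke\desktop\sysprot\SysProtDrv.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
"""

if __name__ == "__main__":
    _, flagged = triage(SAMPLE)
    for e in flagged:
        print(f"{e.name:16} {'running' if e.running else 'stopped'} "
              f"{', '.join(e.flags)}  {e.path or '(no path)'}")
```

A flag is a reason to look, not a diagnosis: SysProtDrv.sys is flagged on both counts here, but it belongs to the SysProt diagnostic tool the helper had the user run from the desktop (it is in the clean-up list later in the thread), and the two LogMeIn entries are leftovers of a remote-access product whose files are gone.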
Step # 1: Update Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u22 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:
Java(TM) 6 Update 15
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
From your desktop double-click on the download to install the newest version.
Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Step # 3: Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Post the MalwareBytes' Log in your next post/reply.
Okay, I have done all of the above. Here is the Malwarebytes' log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5123
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
16/11/2010 02:01:01
mbam-log-2010-11-16 (02-01-01).txt
Scan type: Quick scan
Objects scanned: 157994
Time elapsed: 8 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\GabPath (Adware.Adparatus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\IEBarProperties (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ResultDns (Adware.ResultDns) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\Application Data\ResultDns (Adware.ResultDns) -> Quarantined and deleted successfully.
C:\Program Files\ResultDns (Adware.ResultDns) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\All Users\Application Data\ResultDns\resultdns110.exe (Adware.ResultDns) -> Quarantined and deleted successfully.
Thanks!
Joy
Step # 1: Run Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
In your next post/reply, I need to see the following:
1. Kaspersky Log
2. A fresh DDS Log
3. How is your computer doing, any problems?
Hi,
I couldn't run the scan because when I clicked on the link, a pop up box said: "Computer does not meet the requirements for Kaspersky Online Scanner 7.0 launch. To check the hardware and software system requirements, press the Help button." Please advise.
To answer your last question, my computer is running like a dream!! I am so happy. It's fast, there are no pop ups, it's wonderful.
One thing that came up though: last night there was a popup from Avira saying that a virus was found. Here is the log:
Avira AntiVir Personal
Report file date: 16 November 2010 08:01
Scanning for 3043866 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : SALAP000110
Version information:
BUILD.DAT : 10.0.0.592 31823 Bytes 09/08/2010 11:00:00
AVSCAN.EXE : 10.0.3.1 434344 Bytes 02/08/2010 16:09:56
AVSCAN.DLL : 10.0.3.0 46440 Bytes 01/04/2010 13:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 02/08/2010 16:10:00
LUKERES.DLL : 10.0.0.1 12648 Bytes 11/02/2010 00:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 10:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 19/11/2009 20:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 20/01/2010 18:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 26/01/2010 17:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 05/03/2010 12:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 15/04/2010 16:10:03
VBASE006.VDF : 7.10.7.218 2294784 Bytes 02/06/2010 16:10:04
VBASE007.VDF : 7.10.9.165 4840960 Bytes 23/07/2010 16:10:06
VBASE008.VDF : 7.10.11.133 3454464 Bytes 13/09/2010 20:46:13
VBASE009.VDF : 7.10.13.80 2265600 Bytes 02/11/2010 20:46:36
VBASE010.VDF : 7.10.13.81 2048 Bytes 02/11/2010 20:46:36
VBASE011.VDF : 7.10.13.82 2048 Bytes 02/11/2010 20:46:37
VBASE012.VDF : 7.10.13.83 2048 Bytes 02/11/2010 20:46:37
VBASE013.VDF : 7.10.13.116 147968 Bytes 04/11/2010 20:46:39
VBASE014.VDF : 7.10.13.147 146944 Bytes 07/11/2010 20:46:41
VBASE015.VDF : 7.10.13.180 123904 Bytes 09/11/2010 20:46:42
VBASE016.VDF : 7.10.13.211 122368 Bytes 11/11/2010 20:46:43
VBASE017.VDF : 7.10.13.212 2048 Bytes 11/11/2010 20:46:44
VBASE018.VDF : 7.10.13.213 2048 Bytes 11/11/2010 20:46:44
VBASE019.VDF : 7.10.13.214 2048 Bytes 11/11/2010 20:46:44
VBASE020.VDF : 7.10.13.215 2048 Bytes 11/11/2010 20:46:45
VBASE021.VDF : 7.10.13.216 2048 Bytes 11/11/2010 20:46:46
VBASE022.VDF : 7.10.13.217 2048 Bytes 11/11/2010 20:46:46
VBASE023.VDF : 7.10.13.218 2048 Bytes 11/11/2010 20:46:46
VBASE024.VDF : 7.10.13.219 2048 Bytes 11/11/2010 20:46:47
VBASE025.VDF : 7.10.13.220 2048 Bytes 11/11/2010 20:46:47
VBASE026.VDF : 7.10.13.221 2048 Bytes 11/11/2010 20:46:48
VBASE027.VDF : 7.10.13.222 2048 Bytes 11/11/2010 20:46:48
VBASE028.VDF : 7.10.13.223 2048 Bytes 11/11/2010 20:46:49
VBASE029.VDF : 7.10.13.224 2048 Bytes 11/11/2010 20:46:49
VBASE030.VDF : 7.10.13.225 2048 Bytes 11/11/2010 20:46:49
VBASE031.VDF : 7.10.13.237 73728 Bytes 13/11/2010 20:46:51
Engineversion : 8.2.4.98
AEVDF.DLL : 8.1.2.1 106868 Bytes 02/08/2010 16:09:54
AESCRIPT.DLL : 8.1.3.46 1364347 Bytes 13/11/2010 20:47:23
AESCN.DLL : 8.1.6.1 127347 Bytes 02/08/2010 16:09:53
AESBX.DLL : 8.1.3.1 254324 Bytes 02/08/2010 16:09:53
AERDL.DLL : 8.1.9.2 635252 Bytes 13/11/2010 20:47:19
AEPACK.DLL : 8.2.3.11 471416 Bytes 13/11/2010 20:47:15
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 02/08/2010 16:09:52
AEHEUR.DLL : 8.1.2.41 3043703 Bytes 13/11/2010 20:47:12
AEHELP.DLL : 8.1.14.0 246134 Bytes 13/11/2010 20:46:59
AEGEN.DLL : 8.1.3.24 401781 Bytes 13/11/2010 20:46:57
AEEMU.DLL : 8.1.2.0 393588 Bytes 02/08/2010 16:09:49
AECORE.DLL : 8.1.17.0 196982 Bytes 13/11/2010 20:46:55
AEBB.DLL : 8.1.1.0 53618 Bytes 02/08/2010 16:09:48
AVWINLL.DLL : 10.0.0.0 19304 Bytes 02/08/2010 16:09:56
AVPREF.DLL : 10.0.0.0 44904 Bytes 02/08/2010 16:09:55
AVREP.DLL : 10.0.0.8 62209 Bytes 17/06/2010 15:27:13
AVREG.DLL : 10.0.3.2 53096 Bytes 02/08/2010 16:09:55
AVSCPLR.DLL : 10.0.3.1 83816 Bytes 02/08/2010 16:09:56
AVARKT.DLL : 10.0.0.14 227176 Bytes 02/08/2010 16:09:54
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 02/08/2010 16:09:55
SQLITE3.DLL : 3.6.19.0 355688 Bytes 17/06/2010 15:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 02/08/2010 16:09:56
NETNT.DLL : 10.0.0.0 11624 Bytes 17/06/2010 15:27:21
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28/01/2010 14:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 02/08/2010 16:10:08
Configuration settings for the scan:
Jobname.............................: avguard_async_scan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_b438c264\guard_slideup.avp
Logging.............................: low
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: high
Start of the scan: 16 November 2010 08:01
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ouc.exe' - '1' Module(s) have been scanned
Scan process 'GoogleCrashHandler.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'SRSSSC.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Cricket Broadband EC1705.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'DCService.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Starting the file scan:
Begin scan in 'C:\System Volume Information\_restore{4B8C2810-F28D-4237-A45D-5B1831426ECE}\RP607\A0180633.sys'
C:\System Volume Information\_restore{4B8C2810-F28D-4237-A45D-5B1831426ECE}\RP607\A0180633.sys
[DETECTION] Is the TR/Rootkit.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4f5b9bd3.qua'.
End of the scan: 16 November 2010 08:02
Used time: 00:15 Minute(s)
The scan has been done completely.
0 Scanned directories
37 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
36 Files not concerned
0 Archives were scanned
0 Warnings
1 Notes
The scan results will be transferred to the Guard.
Great to hear that your computer is running like a dream.
What Avira found and cleaned was an infected System Restore point. In an upcoming post, I'll show you how to remove any remaining infected System Restore points and set a new, clean one.
Since Kaspersky didn't work, let's try another online scanner:
I'd like us to scan your machine with ESET OnlineScan. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the ESET Online Scanner button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on the download button to download the ESET Smart Installer. Save it to your desktop.
Double click on the ESET Smart Installer icon on your desktop.
Check the box to accept the Terms of Use.
Click the Start button.
Accept any security warnings from your browser.
Check Scan archives.
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push List of found threats.
Make sure that Remove found threats is unchecked.
Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish.
Okay, I did the scan! Here's the report:
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined
If there are no more problems, you're good to go. :)
You can delete the following off of your computer:
DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
SysProt.exe
The SysProt Log
CKScanner.exe
The CKScanner Log
To remove ComboFix, do the following:
Go to Start > Run - type in ComboFix /Uninstall & click OK
Empty your Recycle Bin.
Please take the time to read my All Clean Post.
Please follow these simple steps in order to keep your computer clean and secure:
This is a good time to clear your existing system restore points and establish a new clean restore point
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.
Make your Internet Explorer more secure
This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK
Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently
It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. You can find SpywareBlaster here:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload_free.html)
Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional.
Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm)
Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen.
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Use an alternative instant messenger program. Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.spybot.info/showthread.php?t=279)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Here's a good website to read about Malware prevention:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.
Good luck!
Please reply one last time so that I know you have read my post and this thread can be closed.
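The Internet Explorer zone settings and Folder Options steps in the post above are stored as DWORD values under two registry keys, so they can be verified after the fact rather than re-clicked through. The script below is an added example written for this thread, not part of the original post or of any tool named in it: it reads the text that `reg export` writes for those two keys and reports every value that is missing or differs from what the post recommends. The value names are Microsoft's documented ones (the Internet zone uses numeric URL action codes with 0 = Enable, 1 = Prompt, 3 = Disable); the .reg text embedded at the bottom is constructed for the example, and the fourth Folder Options item (displaying the contents of system folders) is not checked.

```python
"""Audit exported registry keys against the hardening steps in this post.

Added example; not part of the original thread or of any tool it names.
Reads the text produced by ``reg export`` for the two keys the post changes
through the GUI and lists every value that is absent or differs from the
recommended setting. The .reg text at the bottom is constructed.
"""
import re

ZONE3 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
ENABLE, PROMPT, DISABLE = 0, 1, 3  # Internet zone URL action values

# What the post asks for, keyed by registry path and value name.
EXPECTED = {
    ZONE3: {
        "1001": (PROMPT, "Download signed ActiveX controls"),
        "1004": (DISABLE, "Download unsigned ActiveX controls"),
        "1201": (DISABLE, "Initialize and script ActiveX controls not marked as safe"),
        "1800": (PROMPT, "Installation of desktop items"),
        "1804": (PROMPT, "Launching programs and files in an IFRAME"),
        "1607": (PROMPT, "Navigate sub-frames across different domains"),
    },
    ADVANCED: {
        "Hidden": (2, "Do not show hidden files and folders"),
        "ShowSuperHidden": (0, "Hide protected operating system files"),
        "HideFileExt": (0, "Show file extensions for known file types"),
    },
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text: str):
    """Return {key path: {value name: int}} for the DWORD values in .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys.setdefault(current, {})
            continue
        val_match = DWORD_RE.match(line)
        if val_match and current is not None:
            keys[current][val_match.group("name")] = int(val_match.group("hex"), 16)
    return keys


def audit(text: str):
    """List (key, value name, description, actual, expected) for every
    setting that is missing (actual is None) or set to a different value."""
    found = parse_reg_export(text)
    findings = []
    for key, wanted in EXPECTED.items():
        values = found.get(key, {})
        for name, (expected, desc) in wanted.items():
            actual = values.get(name)
            if actual != expected:
                findings.append((key, name, desc, actual, expected))
    return findings


# Constructed export: two Internet-zone actions still on Enable and hidden
# files still shown, everything else already as the post recommends.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1607"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, desc, actual, expected in audit(SAMPLE_REG):
        print(f"{key.rsplit(chr(92), 1)[1]}\\{name}: {desc}: "
              f"found {actual}, expected {expected}")
```

On the machine itself, `reg export "<key path>" out.reg` produces the input; reg.exe normally writes the file as UTF-16, so open it with `encoding="utf-16"` before passing the text to `audit`. A missing value is reported too, because an absent entry means the zone or Explorer default applies, which is not necessarily the recommended setting.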
Alright, I have done everything you recommended! Deleted everything, new restore point, internet security, etc.!!!
I can't thank you enough for all your help!!! All the instructions were easy and I learned a lot as well! Seriously, I am very happy and plan on keeping my laptop virus free for a long time! (knock on plastic)
Thanks so much and see attached picture of happy computer and owner! Haha. :)
You're welcome. I'm glad I was able to help you out. :)
Good luck and safe surfing!
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.