Need help removing virus
My laptop will not let me go to any Microsoft website. Also I cannot download ANY anti-virus software; it always says there was an error. It also will not let me do any Windows updates. I'm not sure what to do at all. I can still go on regular websites without any issues, and it doesn't really run slow or anything either.
I was able to run DDS without a problem:
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/10/2010 12:29:49 PM
System Uptime: 3/25/2011 8:25:58 PM (1 hours ago)
.
Motherboard: Gateway | |
Processor: Intel(R) Celeron(R) M processor 1.50GHz | Socket 478 | 1496/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 51 GiB total, 38.058 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 2.222 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP44: 1/7/2011 8:19:37 PM - Removed Adobe Reader 7.0
RP45: 1/7/2011 8:52:27 PM - Removed Microsoft Office Standard Edition 2003
RP46: 1/11/2011 1:50:55 PM - System Checkpoint
RP47: 1/14/2011 9:41:29 PM - Restore Operation
RP48: 1/15/2011 12:10:20 AM - Removed Ask Toolbar.
RP49: 1/15/2011 12:21:46 AM - Removed Microsoft Digital Image Starter Edition 2006 Editor
RP50: 1/15/2011 12:22:38 AM - Removed Microsoft Digital Image Starter Edition 2006 Library
RP51: 1/15/2011 12:24:26 AM - Removed Microsoft Works
RP52: 1/15/2011 12:26:48 AM - Removed MSXML 6.0 Parser (KB933579)
RP53: 1/15/2011 2:16:02 AM - Installed Safari
RP54: 1/19/2011 3:27:20 PM - System Checkpoint
RP55: 1/21/2011 5:48:48 PM - System Checkpoint
RP56: 1/22/2011 5:53:45 PM - System Checkpoint
RP57: 1/25/2011 3:29:41 PM - System Checkpoint
RP58: 1/31/2011 10:47:31 PM - System Checkpoint
RP59: 2/7/2011 12:34:14 PM - System Checkpoint
RP60: 2/8/2011 4:17:27 PM - System Checkpoint
RP61: 2/15/2011 9:30:51 PM - System Checkpoint
RP62: 2/23/2011 12:28:57 AM - System Checkpoint
RP63: 3/13/2011 6:22:23 PM - System Checkpoint
RP64: 3/17/2011 10:35:29 AM - Removed Apple Application Support
RP65: 3/17/2011 10:36:26 AM - Removed Safari
RP66: 3/24/2011 10:20:34 AM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Agere Systems AC'97 Modem
America Online (Choose which version to remove)
Apple Application Support
Apple Software Update
Auslogics Disk Defrag
BlackBerry Desktop Software 4.7
Browser Address Error Redirector
CCleaner
ERUNT 1.1j
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895953)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB906569)
J2SE Runtime Environment 5.0 Update 2
Java Auto Updater
McAfee Security Scan Plus
Microsoft .NET Framework 2.0
Microsoft Office Standard Edition 2003
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
Recovery Software Suite Gateway
Roxio Media Manager
Safari
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Softonic-Eng7 Toolbar
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB910437)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Viewpoint Media Player
WebFldrs XP
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
.
==== Event Viewer Messages From Past Week ========
.
3/25/2011 8:27:05 PM, error: Service Control Manager [7023] - The Windows Helper service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
3/25/2011 8:27:05 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
.
==== End Of File ===========================
Hi,
Please post dds.txt contents too.
Hi, thank you very much for responding; it's greatly appreciated.
Here is the dds.txt:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 10:54:01.84 on Sat 04/09/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.41 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\pjv5o5v5.tmp\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=3200 Series
uStart Page = hxxp://google.ca/
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=3200 Series
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=3200 Series
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=3200 Series
uURLSearchHooks: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof1.dll
BHO: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof1.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
.
============= SERVICES / DRIVERS ===============
.
R2 Windows Hosts Controller;Windows Hosts Controller;c:\windows\fonts\unwise_.exe [2010-4-10 171795]
S2 fnejprp;Windows Helper;c:\windows\system32\svchost.exe -k netsvcs [2006-10-28 14336]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-01-15 09:50:33 1409 ----a-w- c:\windows\QTFont.for
2010-04-10 18:00:14 171795 --sh--r- c:\windows\fonts\unwise_.exe
.
============= FINISH: 10:54:36.92 ===============
Hi again,
Download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.
Click the Scan button to start scan.
On completion of the scan click save log, save it to your desktop and post in your next reply.
Hey,
The page tried to load, but failed to open because "Safari find the server public.avast.com". This happens all too frequently; any site to help get rid of this bug will not load.
Hi,
If you have another system and a USB stick available, you can download the tool to it. First you have to protect the USB stick by running Panda USB and AutoRun Vaccine (http://research.pandasecurity.com/Panda-USB-and-AutoRun-Vaccine/) to make sure the infection doesn't spread to the other system.
Hi again! Sorry it has taken me some time to reply. I had to grab a USB stick and I just got it today. We ran the Panda software to be safe. The download from the USB stick to my computer had no issues. I then ran a scan and saved the log; here it is:
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-13 15:53:18
-----------------------------
15:53:18.828 OS Version: Windows 5.1.2600 Service Pack 2
15:53:18.828 Number of processors: 1 586 0xD08
15:53:18.828 ComputerName: YOUR-CB97154035 UserName: Owner
15:53:19.343 Initialize success
15:53:23.765 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:53:23.765 Disk 0 Vendor: FUJITSU_MHV2060AT_PL 000000A0 Size: 57231MB BusType: 3
15:53:25.781 Disk 0 MBR read successfully
15:53:25.781 Disk 0 MBR scan
15:53:27.828 Disk 0 scanning sectors +117194175
15:53:27.875 Disk 0 scanning C:\WINDOWS\system32\drivers
15:53:32.687 Service scanning
15:53:33.843 Disk 0 trace - called modules:
15:53:33.859 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
15:53:33.859 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x812ad030]
15:53:33.875 3 CLASSPNP.SYS[fac8305b] -> nt!IofCallDriver -> \Device\00000093[0x81225f18]
15:53:33.875 5 ACPI.sys[fab79620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8124e2f8]
15:53:33.875 Scan finished successfully
Oh, also, I am now having issues getting onto the internet. Safari says there was a problem loading the page, and it shuts down if I click 'Send error report', or even if I click 'Don't send'. If I put the notification box to the side I am still able to get on though. Thank you again for your help.
Hi
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix; see this link (http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds logs.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
It worked perfectly, here are the logs..
Combofix log:
ComboFix 11-04-13.06 - Owner 04/14/2011 11:25:33.1.1 - x86
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\Application Data\PriceGong
c:\documents and settings\Owner\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Owner\WINDOWS
c:\windows\Fonts\unwise_.exe
c:\windows\system32\ckczjk.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\srwsvc.sys
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_WINDOWS_HOSTS_CONTROLLER
-------\Service_Windows Hosts Controller
-------\Legacy_fnejprp
-------\Legacy_srwsvc
-------\Service_fnejprp
-------\Service_srwsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-03-14 to 2011-04-14 )))))))))))))))))))))))))))))))
.
.
2011-04-14 16:27 . 2011-04-14 16:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
2011-04-11 05:56 . 2011-04-11 05:56 61440 -c--a-w- C:\patcher.exe
2011-03-26 04:05 . 2011-03-26 04:05 -------- d-----w- c:\program files\ERUNT
2011-03-19 07:20 . 2011-03-19 07:20 -------- d-----w- c:\windows\Sun
2011-03-17 17:27 . 2011-03-17 17:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Softonic-Eng7
2011-03-17 17:27 . 2011-03-17 17:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-15 09:50 . 2011-01-15 09:50 1409 ----a-w- c:\windows\QTFont.for
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-01 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2010-07-01 02:59 2515552 ----a-w- c:\program files\Softonic-Eng7\tbSof1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-01 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-01 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 737370]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" [2005-11-01 163840]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 88203]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-04-10 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-09-19 21:06 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1270920978\EE\AOLHostManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-08-26 18:23 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1270920978\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9991:TCP"= 9991:TCP:PORT2
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:BS
"56193:TCP"= 56193:TCP:FD
"1919:TCP"= 1919:TCP:nuxzkov
"20775:TCP"= 20775:TCP:FD
"55117:TCP"= 55117:TCP:FD
"8059:TCP"= 8059:TCP:FD
"21151:TCP"= 21151:TCP:FD
"51274:TCP"= 51274:TCP:FD
"36995:TCP"= 36995:TCP:FD
"41132:TCP"= 41132:TCP:FD
"26101:TCP"= 26101:TCP:FD
"44886:TCP"= 44886:TCP:FD
"5406:TCP"= 5406:TCP:FD
"35937:TCP"= 35937:TCP:FD
"31474:TCP"= 31474:TCP:FD
"20562:TCP"= 20562:TCP:FD
"34033:TCP"= 34033:TCP:FD
"15982:TCP"= 15982:TCP:FD
"24523:TCP"= 24523:TCP:FD
"47999:TCP"= 47999:TCP:FD
"39240:TCP"= 39240:TCP:FD
"2721:TCP"= 2721:TCP:FD
"15117:TCP"= 15117:TCP:FD
"21714:TCP"= 21714:TCP:FD
"60373:TCP"= 60373:TCP:FD
"2514:TCP"= 2514:TCP:FD
"33959:TCP"= 33959:TCP:FD
"26707:TCP"= 26707:TCP:FD
"14061:TCP"= 14061:TCP:FD
"47508:TCP"= 47508:TCP:FD
"16986:TCP"= 16986:TCP:FD
"25690:TCP"= 25690:TCP:FD
"56400:TCP"= 56400:TCP:FD
"26177:TCP"= 26177:TCP:FD
"3934:TCP"= 3934:TCP:FD
"38291:TCP"= 38291:TCP:FD
"19659:TCP"= 19659:TCP:FD
"58623:TCP"= 58623:TCP:FD
"29175:TCP"= 29175:TCP:FD
"27495:TCP"= 27495:TCP:FD
"35544:TCP"= 35544:TCP:FD
"14346:TCP"= 14346:TCP:FD
"9052:TCP"= 9052:TCP:FD
"3378:TCP"= 3378:TCP:FD
"18376:TCP"= 18376:TCP:FD
"21903:TCP"= 21903:TCP:FD
"30549:TCP"= 30549:TCP:FD
"53632:TCP"= 53632:TCP:FD
"36116:TCP"= 36116:TCP:FD
"4811:TCP"= 4811:TCP:FD
"44546:TCP"= 44546:TCP:FD
"3661:TCP"= 3661:TCP:FD
"42063:TCP"= 42063:TCP:FD
"14194:TCP"= 14194:TCP:FD
"50488:TCP"= 50488:TCP:FD
"26557:TCP"= 26557:TCP:FD
"60602:TCP"= 60602:TCP:FD
"4567:TCP"= 4567:TCP:FD
"11253:TCP"= 11253:TCP:FD
"54664:TCP"= 54664:TCP:FD
"22846:TCP"= 22846:TCP:FD
"61261:TCP"= 61261:TCP:FD
"27385:TCP"= 27385:TCP:FD
"41817:TCP"= 41817:TCP:FD
"55141:TCP"= 55141:TCP:FD
.
S2 fnejprp;Windows Helper;c:\windows\system32\svchost.exe -k netsvcs [10/28/2006 11:10 PM 14336]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fnejprp
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2010-04-10 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-10-29 19:00]
.
2010-04-10 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-10-29 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=3200 Series
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-14 12:05
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fnejprp]
"ServiceDll"="c:\windows\system32\ckczjk.dll"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\VTTimer.exe
c:\windows\system32\VTtrayp.exe
c:\windows\AGRSMMSG.exe
.
**************************************************************************
.
Completion time: 2011-04-14 12:08:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-14 18:08
.
Pre-Run: 40,550,871,040 bytes free
Post-Run: 40,774,492,160 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /noguiboot
.
- - End Of File - - 2FDBCF7763BB9A8533EC1FC73F0F6FB5
DDS.txt
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 12:13:19.59 on Thu 04/14/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.26 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\dwwin.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\mgqxahrf.tmp\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.ca/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=3200 Series
uURLSearchHooks: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof1.dll
BHO: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof1.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
.
============= SERVICES / DRIVERS ===============
.
S2 fnejprp;Windows Helper;c:\windows\system32\svchost.exe -k netsvcs [2006-10-28 14336]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-04-14 17:09:20 -------- dcsha-r- C:\cmdcons
2011-04-14 16:56:54 98816 ----a-w- c:\windows\sed.exe
2011-04-14 16:56:54 89088 ----a-w- c:\windows\MBR.exe
2011-04-14 16:56:54 256512 ----a-w- c:\windows\PEV.exe
2011-04-14 16:56:54 161792 ----a-w- c:\windows\SWREG.exe
2011-04-14 16:27:51 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\PackageAware
2011-04-11 05:56:18 61440 -c--a-w- C:\patcher.exe
.
==================== Find3M ====================
.
2011-01-15 09:50:33 1409 ----a-w- c:\windows\QTFont.for
.
============= FINISH: 12:13:58.12 ===============
Attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/10/2010 12:29:49 PM
System Uptime: 4/14/2011 11:56:32 AM (1 hours ago)
.
Motherboard: Gateway | |
Processor: Intel(R) Celeron(R) M processor 1.50GHz | Socket 478 | 1496/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 51 GiB total, 37.984 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 2.222 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP47: 1/14/2011 9:41:29 PM - Restore Operation
RP48: 1/15/2011 12:10:20 AM - Removed Ask Toolbar.
RP49: 1/15/2011 12:21:46 AM - Removed Microsoft Digital Image Starter Edition 2006 Editor
RP50: 1/15/2011 12:22:38 AM - Removed Microsoft Digital Image Starter Edition 2006 Library
RP51: 1/15/2011 12:24:26 AM - Removed Microsoft Works
RP52: 1/15/2011 12:26:48 AM - Removed MSXML 6.0 Parser (KB933579)
RP53: 1/15/2011 2:16:02 AM - Installed Safari
RP54: 1/19/2011 3:27:20 PM - System Checkpoint
RP55: 1/21/2011 5:48:48 PM - System Checkpoint
RP56: 1/22/2011 5:53:45 PM - System Checkpoint
RP57: 1/25/2011 3:29:41 PM - System Checkpoint
RP58: 1/31/2011 10:47:31 PM - System Checkpoint
RP59: 2/7/2011 12:34:14 PM - System Checkpoint
RP60: 2/8/2011 4:17:27 PM - System Checkpoint
RP61: 2/15/2011 9:30:51 PM - System Checkpoint
RP62: 2/23/2011 12:28:57 AM - System Checkpoint
RP63: 3/13/2011 6:22:23 PM - System Checkpoint
RP64: 3/17/2011 10:35:29 AM - Removed Apple Application Support
RP65: 3/17/2011 10:36:26 AM - Removed Safari
RP66: 3/24/2011 10:20:34 AM - System Checkpoint
RP67: 4/5/2011 12:39:02 PM - System Checkpoint
RP68: 4/7/2011 11:31:15 AM - System Checkpoint
RP69: 4/9/2011 6:58:14 PM - System Checkpoint
RP70: 4/13/2011 4:37:24 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Agere Systems AC'97 Modem
America Online (Choose which version to remove)
Apple Application Support
Apple Software Update
Auslogics Disk Defrag
BlackBerry Desktop Software 4.7
Browser Address Error Redirector
CCleaner
ERUNT 1.1j
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895953)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB906569)
J2SE Runtime Environment 5.0 Update 2
Java Auto Updater
McAfee Security Scan Plus
Microsoft .NET Framework 2.0
Microsoft Office Standard Edition 2003
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
Recovery Software Suite Gateway
Roxio Media Manager
Safari
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Softonic-Eng7 Toolbar
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB910437)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Viewpoint Media Player
WebFldrs XP
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
.
==== Event Viewer Messages From Past Week ========
.
4/14/2011 9:53:57 AM, error: Service Control Manager [7023] - The Windows Helper service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
4/14/2011 9:53:57 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
4/14/2011 11:57:37 AM, error: Service Control Manager [7023] - The Windows Helper service terminated with the following error: The specified module could not be found.
4/14/2011 11:51:33 AM, error: PlugPlayManager [11] - The device Root\LEGACY_SRWSVC\0000 disappeared from the system without first being prepared for removal.
4/14/2011 11:16:45 AM, error: Service Control Manager [7031] - The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
4/14/2011 11:05:30 AM, error: Service Control Manager [7031] - The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
4/14/2011 10:35:33 AM, error: Service Control Manager [7031] - The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
.
==== End Of File ===========================
After not being able to get McAfee to work, ever, I followed your instructions to reactivate my antivirus, and it worked. It's asking me to update, but I'm not sure if I should or not, so I'll wait for your further instructions.
Hi,
Let's skip McAfee until system cleaning is fully finished.
Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\ckczjk.dll
Driver::
fnejprp
NetSvc::
fnejprp
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9991:TCP"=-
"9999:TCP"=-
"1013:TCP"=-
"56193:TCP"=-
"1919:TCP"=-
"20775:TCP"=-
"55117:TCP"=-
"8059:TCP"=-
"21151:TCP"=-
"51274:TCP"=-
"36995:TCP"=-
"41132:TCP"=-
"26101:TCP"=-
"44886:TCP"=-
"5406:TCP"=-
"35937:TCP"=-
"31474:TCP"=-
"20562:TCP"=-
"34033:TCP"=-
"15982:TCP"=-
"24523:TCP"=-
"47999:TCP"=-
"39240:TCP"=-
"2721:TCP"=-
"15117:TCP"=-
"21714:TCP"=-
"60373:TCP"=-
"2514:TCP"=-
"33959:TCP"=-
"26707:TCP"=-
"14061:TCP"=-
"47508:TCP"=-
"16986:TCP"=-
"25690:TCP"=-
"56400:TCP"=-
"26177:TCP"=-
"3934:TCP"=-
"38291:TCP"=-
"19659:TCP"=-
"58623:TCP"=-
"29175:TCP"=-
"27495:TCP"=-
"35544:TCP"=-
"14346:TCP"=-
"9052:TCP"=-
"3378:TCP"=-
"18376:TCP"=-
"21903:TCP"=-
"30549:TCP"=-
"53632:TCP"=-
"36116:TCP"=-
"4811:TCP"=-
"44546:TCP"=-
"3661:TCP"=-
"42063:TCP"=-
"14194:TCP"=-
"50488:TCP"=-
"26557:TCP"=-
"60602:TCP"=-
"4567:TCP"=-
"11253:TCP"=-
"54664:TCP"=-
"22846:TCP"=-
"61261:TCP"=-
"27385:TCP"=-
"41817:TCP"=-
"55141:TCP"=-
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 24 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is not checkmarked.
Click Scan
Wait for the scan to finish.
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
Hi, :)
Java is now installed with the latest version, and here are my logs for you to analyze. Thank you kindly for your time!
ESET report:
C:\WINDOWS\system32\asr_rbkvkf probably a variant of Win32/Agent.JDPZRFP trojan
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP70\A0109235.exe a variant of Win32/Hatob.E worm
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\unwise_.exe.vir a variant of Win32/Hatob.E worm
ComboFix resultant log:
ComboFix 11-04-13.06 - Owner 04/14/2011 13:24:35.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.11 [GMT -6:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\ckczjk.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_fnejprp
.
.
((((((((((((((((((((((((( Files Created from 2011-03-14 to 2011-04-14 )))))))))))))))))))))))))))))))
.
.
2011-04-14 16:27 . 2011-04-14 16:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
2011-04-11 05:56 . 2011-04-11 05:56 61440 -c--a-w- C:\patcher.exe
2011-03-26 04:05 . 2011-03-26 04:05 -------- d-----w- c:\program files\ERUNT
2011-03-19 07:20 . 2011-03-19 07:20 -------- d-----w- c:\windows\Sun
2011-03-17 17:27 . 2011-03-17 17:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Softonic-Eng7
2011-03-17 17:27 . 2011-03-17 17:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-15 09:50 . 2011-01-15 09:50 1409 ----a-w- c:\windows\QTFont.for
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-01 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2010-07-01 02:59 2515552 ----a-w- c:\program files\Softonic-Eng7\tbSof1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-01 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-01 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 737370]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" [2005-11-01 163840]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 88203]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-04-10 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-09-19 21:06 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1270920978\EE\AOLHostManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-08-26 18:23 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1270920978\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
.
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2010-04-10 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-10-29 19:00]
.
2010-04-10 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-10-29 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=3200 Series
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-14 13:34
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\system32\VTTimer.exe
c:\windows\system32\VTtrayp.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2011-04-14 13:36:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-14 19:35
ComboFix2.txt 2011-04-14 18:08
.
Pre-Run: 40,770,899,968 bytes free
Post-Run: 40,773,390,336 bytes free
.
- - End Of File - - 39342A32597DE83CF692897297DFB5EE
DDS.txt
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 18:05:37.07 on Thu 04/14/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.58 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\412B4DAB\dds[1].scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.ca/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=3200 Series
uURLSearchHooks: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof1.dll
BHO: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof1.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
.
============= SERVICES / DRIVERS ===============
.
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-04-14 20:04:57 -------- d-----w- c:\program files\ESET
2011-04-14 19:46:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-14 19:46:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 17:09:20 -------- dcsha-r- C:\cmdcons
2011-04-14 16:56:54 98816 ----a-w- c:\windows\sed.exe
2011-04-14 16:56:54 89088 ----a-w- c:\windows\MBR.exe
2011-04-14 16:56:54 256512 ----a-w- c:\windows\PEV.exe
2011-04-14 16:56:54 161792 ----a-w- c:\windows\SWREG.exe
2011-04-14 16:27:51 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\PackageAware
2011-04-11 05:56:18 61440 -c--a-w- C:\patcher.exe
.
==================== Find3M ====================
.
2011-01-15 09:50:33 1409 ----a-w- c:\windows\QTFont.for
.
============= FINISH: 18:06:39.65 ===============
Attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/10/2010 12:29:49 PM
System Uptime: 4/14/2011 1:52:44 PM (5 hours ago)
.
Motherboard: Gateway | |
Processor: Intel(R) Celeron(R) M processor 1.50GHz | Socket 478 | 1496/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 51 GiB total, 37.767 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 2.222 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP47: 1/14/2011 9:41:29 PM - Restore Operation
RP48: 1/15/2011 12:10:20 AM - Removed Ask Toolbar.
RP49: 1/15/2011 12:21:46 AM - Removed Microsoft Digital Image Starter Edition 2006 Editor
RP50: 1/15/2011 12:22:38 AM - Removed Microsoft Digital Image Starter Edition 2006 Library
RP51: 1/15/2011 12:24:26 AM - Removed Microsoft Works
RP52: 1/15/2011 12:26:48 AM - Removed MSXML 6.0 Parser (KB933579)
RP53: 1/15/2011 2:16:02 AM - Installed Safari
RP54: 1/19/2011 3:27:20 PM - System Checkpoint
RP55: 1/21/2011 5:48:48 PM - System Checkpoint
RP56: 1/22/2011 5:53:45 PM - System Checkpoint
RP57: 1/25/2011 3:29:41 PM - System Checkpoint
RP58: 1/31/2011 10:47:31 PM - System Checkpoint
RP59: 2/7/2011 12:34:14 PM - System Checkpoint
RP60: 2/8/2011 4:17:27 PM - System Checkpoint
RP61: 2/15/2011 9:30:51 PM - System Checkpoint
RP62: 2/23/2011 12:28:57 AM - System Checkpoint
RP63: 3/13/2011 6:22:23 PM - System Checkpoint
RP64: 3/17/2011 10:35:29 AM - Removed Apple Application Support
RP65: 3/17/2011 10:36:26 AM - Removed Safari
RP66: 3/24/2011 10:20:34 AM - System Checkpoint
RP67: 4/5/2011 12:39:02 PM - System Checkpoint
RP68: 4/7/2011 11:31:15 AM - System Checkpoint
RP69: 4/9/2011 6:58:14 PM - System Checkpoint
RP70: 4/13/2011 4:37:24 PM - System Checkpoint
RP71: 4/14/2011 1:45:54 PM - Installed Java(TM) 6 Update 24
RP72: 4/14/2011 1:50:24 PM - Removed J2SE Runtime Environment 5.0 Update 2
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Agere Systems AC'97 Modem
America Online (Choose which version to remove)
Apple Application Support
Apple Software Update
Auslogics Disk Defrag
BlackBerry Desktop Software 4.7
Browser Address Error Redirector
CCleaner
ERUNT 1.1j
ESET Online Scanner v3
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895953)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB906569)
Java Auto Updater
Java(TM) 6 Update 24
McAfee Security Scan Plus
Microsoft .NET Framework 2.0
Microsoft Office Standard Edition 2003
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
Recovery Software Suite Gateway
Roxio Media Manager
Safari
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Softonic-Eng7 Toolbar
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB910437)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Viewpoint Media Player
WebFldrs XP
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
.
==== Event Viewer Messages From Past Week ========
.
4/14/2011 9:53:57 AM, error: Service Control Manager [7023] - The Windows Helper service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
4/14/2011 3:55:27 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014A5957F00. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
4/14/2011 3:55:02 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
4/14/2011 11:57:37 AM, error: Service Control Manager [7023] - The Windows Helper service terminated with the following error: The specified module could not be found.
4/14/2011 11:51:33 AM, error: PlugPlayManager [11] - The device Root\LEGACY_SRWSVC\0000 disappeared from the system without first being prepared for removal.
4/14/2011 11:16:45 AM, error: Service Control Manager [7031] - The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
4/14/2011 11:05:30 AM, error: Service Control Manager [7031] - The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
4/14/2011 10:35:33 AM, error: Service Control Manager [7031] - The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
4/14/2011 1:53:17 PM, error: Dhcp [1002] - The IP address lease 192.168.10.105 for the Network Card with network address 0014A5957F00 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
4/14/2011 1:50:48 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
4/14/2011 1:33:37 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
.
==== End Of File ===========================
:thanks:
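The Registry:: section of the CFScript posted earlier deletes dozens of GloballyOpenPorts entries that the infection added to the Windows XP firewall policy, and the ComboFix log in the post above shows what else was tampered with: "EnableFirewall"=0, "DisableNotifications"=1 and both Security Center override values set to 1. As an added example (not code from this thread, from ComboFix or from sUBs), the Python below audits a REGEDIT4 export of those two keys for exactly those signs and emits the same `"port:TCP"=-` deletion lines in ComboFix's Registry:: syntax. The sample export, the port allowlist, the "Update" descriptions and all function names are constructed for this illustration; the key paths are the real XP SP2 locations.

```python
"""Audit a Windows XP firewall-policy registry export for tampering.

Added example, not from the thread or from ComboFix. It reads a REGEDIT4
export of the StandardProfile firewall key and the Security Center key and
reports: firewall switched off, notifications suppressed, Security Center
overrides set, and GloballyOpenPorts entries that are not on an allowlist.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Real XP SP2 key paths, spelled the way a .reg export writes them.
PROFILE_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile")
OPEN_PORTS_KEY = PROFILE_KEY + r"\GloballyOpenPorts\List"
SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
# The same ports key in the abbreviated form ComboFix scripts use.
CFSCRIPT_OPEN_PORTS_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                           r"\standardprofile\GloballyOpenPorts\List")

# Constructed sample export (not taken from the thread): firewall off, both
# overrides set, one file-sharing entry scoped to the local subnet, and three
# random high ports opened to any address with a bland "Update" description.
SAMPLE_REG = "\n".join([
    "REGEDIT4",
    "",
    "[" + SECURITY_CENTER_KEY + "]",
    '"AntiVirusOverride"=dword:00000001',
    '"FirewallOverride"=dword:00000001',
    "",
    "[" + PROFILE_KEY + "]",
    '"EnableFirewall"=dword:00000000',
    '"DisableNotifications"=dword:00000001',
    "",
    "[" + OPEN_PORTS_KEY + "]",
    '"139:TCP"="139:TCP:LocalSubNet:Enabled:File and Printer Sharing"',
    '"9991:TCP"="9991:TCP:*:Enabled:Update"',
    '"56193:TCP"="56193:TCP:*:Enabled:Update"',
    '"3378:TCP"="3378:TCP:*:Enabled:Update"',
])

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a REGEDIT4 export into {key_path_lowercase: {value_name: value}}.

    Only the value kinds this audit needs are decoded: dword:XXXXXXXX becomes
    an int, "quoted strings" lose their quotes, anything else stays raw text.
    """
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        raw = m.group("raw")
        if raw.startswith("dword:"):
            value: object = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            value = raw
        keys[current][m.group("name")] = value
    return keys


@dataclass
class Finding:
    firewall_enabled: bool
    notifications_disabled: bool
    security_center_overrides: List[str] = field(default_factory=list)
    unexpected_ports: List[str] = field(default_factory=list)  # e.g. "9991:TCP"


def audit_firewall_policy(reg_text: str,
                          allowed_ports: FrozenSet[str] = frozenset({"139:TCP", "445:TCP"})
                          ) -> Finding:
    """Flag the tampering pattern seen in the thread's ComboFix log.

    allowed_ports is the administrator's own list of ports knowingly opened;
    every other GloballyOpenPorts entry is reported. An absent EnableFirewall
    value is treated as the SP2 default (on).
    """
    keys = parse_reg(reg_text)
    profile = keys.get(PROFILE_KEY.lower(), {})
    ports = keys.get(OPEN_PORTS_KEY.lower(), {})
    center = keys.get(SECURITY_CENTER_KEY.lower(), {})
    overrides = [name for name in ("AntiVirusOverride", "FirewallOverride")
                 if center.get(name, 0) == 1]
    unexpected = [name for name in ports if name not in allowed_ports]
    return Finding(
        firewall_enabled=profile.get("EnableFirewall", 1) == 1,
        notifications_disabled=profile.get("DisableNotifications", 0) == 1,
        security_center_overrides=overrides,
        unexpected_ports=unexpected,
    )


def cfscript_registry_section(finding: Finding) -> str:
    """Render the deletion lines in the Registry:: syntax the CFScript uses."""
    lines = ["Registry::", "[" + CFSCRIPT_OPEN_PORTS_KEY + "]"]
    lines += ['"%s"=-' % port for port in finding.unexpected_ports]
    return "\n".join(lines)


if __name__ == "__main__":
    result = audit_firewall_policy(SAMPLE_REG)
    print(result)
    print(cfscript_registry_section(result))
```

The allowlist is deliberately the caller's responsibility: on a home XP box it is short and known, so anything else in GloballyOpenPorts\List, especially a run of high random ports with generic descriptions, is worth a question before it is deleted.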
Hi,
Delete C:\WINDOWS\system32\asr_rbkvkf file.
Do you know what C:\patcher.exe file is? Any symptoms left?
Hello, I deleted the file. I have no idea what C:\patcher.exe is, and I'm not able to check because my search option for all folders will not work (& I have no idea where to look for it!). Not exactly sure why.
My computer is running really well, the best I've seen yet: all Microsoft websites work, my Windows updates are alerting that I have updates to be done, and my firewall can be enabled again. And I can now have my machine on longer than 30 minutes without it becoming so slow it requires to be shut down.
No other symptoms, except Safari was acting a little weird, so I deleted it and downloaded Internet Explorer 8.
In your personal opinion is McAfee a good antiviral system to have? Or are there better?
Thanks for all of your help, I really respect what everyone here does.
:)
Hi,
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?t=62142
Suspect::[76]
C:\patcher.exe
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
In your personal opinion is McAfee a good antiviral system to have? Or are there better?
I'll give some suggestions regarding antivirus and other protection after we've finished your case :)
Hi, I ran ComboFix like you said, here is the resultant log:
ComboFix 11-04-15.01 - Owner 04/15/2011 19:57:23.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.12 [GMT -6:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
file zipped: C:\patcher.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-16 to 2011-04-16 )))))))))))))))))))))))))))))))
.
.
2011-04-16 01:43 . 2011-04-16 01:43 -------- d-----w- c:\windows\LastGood
2011-04-15 01:00 . 2011-04-15 01:00 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2011-04-15 00:58 . 2011-04-15 00:58 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2011-04-15 00:54 . 2011-04-15 00:54 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2011-04-15 00:54 . 2011-04-15 00:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-15 00:47 . 2011-04-15 00:50 -------- dc-h--w- c:\windows\ie8
2011-04-15 00:43 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-04-15 00:43 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-15 00:43 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-15 00:43 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-15 00:43 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-15 00:43 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-04-15 00:43 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-04-14 20:04 . 2011-04-14 20:04 -------- d-----w- c:\program files\ESET
2011-04-14 19:46 . 2011-04-14 19:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-14 19:46 . 2011-04-14 19:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 16:27 . 2011-04-14 16:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
2011-04-11 05:56 . 2011-04-11 05:56 61440 -c--a-w- C:\patcher.exe
2011-03-26 04:05 . 2011-03-26 04:05 -------- d-----w- c:\program files\ERUNT
2011-03-19 07:20 . 2011-03-19 07:20 -------- d-----w- c:\windows\Sun
2011-03-17 17:27 . 2011-03-17 17:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Softonic-Eng7
2011-03-17 17:27 . 2011-03-17 17:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-14_18.05.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-15 15:46 . 2011-04-15 15:46 16384 c:\windows\temp\Perflib_Perfdata_684.dat
+ 2010-04-10 17:59 . 2009-01-08 00:21 26144 c:\windows\system32\spupdsvc.exe
+ 2010-04-10 17:51 . 2009-01-08 00:20 16928 c:\windows\system32\spmsg.dll
+ 2006-10-29 05:09 . 2009-03-08 10:31 46592 c:\windows\system32\pngfilt.dll
+ 2009-01-08 00:20 . 2009-01-08 00:20 23552 c:\windows\system32\normaliz.dll
+ 2009-01-08 00:20 . 2009-01-08 00:20 24576 c:\windows\system32\nlsdl.dll
+ 2006-10-29 05:09 . 2009-03-08 10:31 48128 c:\windows\system32\mshtmler.dll
+ 2006-10-29 05:09 . 2009-03-08 10:31 66560 c:\windows\system32\mshtmled.dll
+ 2006-10-29 05:08 . 2009-03-08 10:31 45568 c:\windows\system32\mshta.exe
+ 2009-03-08 10:31 . 2009-03-08 10:31 13312 c:\windows\system32\msfeedssync.exe
+ 2009-03-08 10:31 . 2010-05-06 10:41 55296 c:\windows\system32\msfeedsbs.dll
+ 2006-10-29 05:08 . 2009-03-08 10:34 43008 c:\windows\system32\licmgr10.dll
+ 2006-10-29 05:07 . 2010-05-06 10:41 25600 c:\windows\system32\jsproxy.dll
+ 2006-10-29 05:07 . 2009-03-08 10:32 94720 c:\windows\system32\inseng.dll
+ 2006-10-29 05:07 . 2009-03-08 10:31 34816 c:\windows\system32\imgutil.dll
+ 2009-03-08 10:32 . 2009-03-08 10:32 36864 c:\windows\system32\ieudinit.exe
+ 2006-10-29 05:07 . 2009-03-08 10:32 71680 c:\windows\system32\iesetup.dll
+ 2006-10-29 05:07 . 2009-03-08 10:32 55808 c:\windows\system32\iernonce.dll
+ 2009-01-08 00:20 . 2009-01-08 00:20 26112 c:\windows\system32\idndl.dll
+ 2009-03-08 10:31 . 2009-03-08 10:31 59904 c:\windows\system32\icardie.dll
+ 2006-10-29 05:09 . 2009-03-08 10:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2006-10-29 05:09 . 2009-03-08 10:31 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2006-10-29 05:09 . 2009-03-08 10:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-10-29 05:08 . 2009-03-08 10:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2006-10-29 05:08 . 2009-03-08 10:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2006-10-29 05:07 . 2010-05-06 10:41 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-10-29 05:07 . 2009-03-08 10:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2006-10-29 05:07 . 2009-03-08 10:31 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2006-10-29 05:07 . 2009-03-08 10:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2006-10-29 05:07 . 2009-03-08 10:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2006-10-29 05:07 . 2009-03-08 10:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2006-10-29 05:06 . 2009-03-08 10:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2006-10-29 05:06 . 2009-03-08 10:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2006-10-29 05:06 . 2009-03-08 10:33 18944 c:\windows\system32\corpol.dll
+ 2006-10-29 05:06 . 2009-03-08 10:32 72704 c:\windows\system32\admparse.dll
+ 2011-04-15 00:51 . 2009-03-08 10:33 12288 c:\windows\ie8updates\KB982381-IE8\xpshims.dll
+ 2011-04-15 00:51 . 2009-03-08 10:31 55296 c:\windows\ie8updates\KB982381-IE8\msfeedsbs.dll
+ 2011-04-15 00:51 . 2009-03-08 10:33 25600 c:\windows\ie8updates\KB982381-IE8\jsproxy.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 37888 c:\windows\ie8\url.dll
+ 2011-04-15 00:49 . 2009-03-08 20:23 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2011-04-15 00:47 . 2005-10-21 03:39 39424 c:\windows\ie8\pngfilt.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 96256 c:\windows\ie8\occache.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 56832 c:\windows\ie8\mshtmler.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 29184 c:\windows\ie8\mshta.exe
+ 2011-04-15 00:47 . 2004-08-04 19:00 22016 c:\windows\ie8\licmgr10.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 15872 c:\windows\ie8\jsproxy.dll
+ 2011-04-15 00:47 . 2005-10-21 03:39 96256 c:\windows\ie8\inseng.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 35840 c:\windows\ie8\imgutil.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 93184 c:\windows\ie8\iexplore.exe
+ 2011-04-15 00:47 . 2004-08-04 19:00 62976 c:\windows\ie8\iesetup.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 48640 c:\windows\ie8\iernonce.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 81920 c:\windows\ie8\ieencode.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 34304 c:\windows\ie8\ie4uinit.exe
+ 2011-04-15 00:47 . 2004-08-04 19:00 38912 c:\windows\ie8\hmmapi.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 35328 c:\windows\ie8\corpol.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 99840 c:\windows\ie8\advpack.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 61440 c:\windows\ie8\admparse.dll
+ 2009-01-08 00:21 . 2009-01-08 00:21 121856 c:\windows\system32\xmllite.dll
+ 2006-10-29 05:10 . 2010-05-06 10:41 916480 c:\windows\system32\wininet.dll
+ 2009-03-08 10:34 . 2009-03-08 10:34 208384 c:\windows\system32\WinFXDocObj.exe
+ 2006-10-29 05:10 . 2009-03-08 10:34 236544 c:\windows\system32\webcheck.dll
+ 2006-10-29 05:10 . 2009-03-08 10:33 420352 c:\windows\system32\vbscript.dll
+ 2006-10-29 05:10 . 2009-03-08 10:34 105984 c:\windows\system32\url.dll
+ 2006-10-29 05:09 . 2009-01-08 00:20 474112 c:\windows\system32\shlwapi.dll
+ 2006-10-29 05:09 . 2010-05-06 10:41 206848 c:\windows\system32\occache.dll
+ 2006-10-29 05:09 . 2010-05-06 10:41 611840 c:\windows\system32\mstime.dll
+ 2006-10-29 05:09 . 2009-03-08 10:34 193536 c:\windows\system32\msrating.dll
+ 2006-10-29 05:09 . 2009-03-08 10:22 156160 c:\windows\system32\msls31.dll
+ 2009-03-08 10:32 . 2010-05-06 10:41 599040 c:\windows\system32\msfeeds.dll
+ 2009-01-08 00:20 . 2009-01-08 00:20 265720 c:\windows\system32\msdbg2.dll
+ 2006-10-29 05:07 . 2009-03-08 10:33 726528 c:\windows\system32\jscript.dll
+ 2011-04-14 19:46 . 2011-04-14 19:46 157472 c:\windows\system32\javaws.exe
+ 2011-04-14 19:46 . 2011-04-14 19:46 145184 c:\windows\system32\javaw.exe
+ 2011-04-14 19:46 . 2011-04-14 19:46 145184 c:\windows\system32\java.exe
+ 2009-03-08 10:22 . 2009-03-08 10:22 164352 c:\windows\system32\ieui.dll
+ 2006-10-29 05:07 . 2010-05-06 10:41 184320 c:\windows\system32\iepeers.dll
+ 2006-10-29 05:07 . 2010-05-06 10:41 387584 c:\windows\system32\iedkcs32.dll
+ 2009-03-08 10:11 . 2009-03-08 10:11 445952 c:\windows\system32\ieapfltr.dll
+ 2006-10-29 05:07 . 2009-03-08 10:32 163840 c:\windows\system32\ieakui.dll
+ 2006-10-29 05:07 . 2009-03-08 10:33 229376 c:\windows\system32\ieaksie.dll
+ 2006-10-29 05:07 . 2009-03-08 10:33 125952 c:\windows\system32\ieakeng.dll
+ 2006-10-29 05:07 . 2010-05-05 13:30 173056 c:\windows\system32\ie4uinit.exe
+ 2006-10-29 05:07 . 2009-03-08 10:31 216064 c:\windows\system32\dxtrans.dll
+ 2006-10-29 05:07 . 2009-03-08 10:31 348160 c:\windows\system32\dxtmsft.dll
+ 2006-10-29 05:10 . 2010-05-06 10:41 916480 c:\windows\system32\dllcache\wininet.dll
+ 2006-10-29 05:10 . 2009-03-08 10:34 236544 c:\windows\system32\dllcache\webcheck.dll
+ 2006-10-29 05:10 . 2009-03-08 10:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2006-10-29 05:10 . 2009-03-08 10:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2006-10-29 05:10 . 2009-03-08 10:34 105984 c:\windows\system32\dllcache\url.dll
+ 2009-01-08 00:20 . 2009-01-08 00:20 134144 c:\windows\system32\dllcache\sqmapi.dll
+ 2006-10-29 05:09 . 2009-01-08 00:20 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2006-10-29 05:09 . 2010-05-06 10:41 206848 c:\windows\system32\dllcache\occache.dll
+ 2006-10-29 05:09 . 2010-05-06 10:41 611840 c:\windows\system32\dllcache\mstime.dll
+ 2006-10-29 05:09 . 2009-03-08 10:34 193536 c:\windows\system32\dllcache\msrating.dll
+ 2006-10-29 05:09 . 2009-03-08 10:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2006-10-29 05:07 . 2009-03-08 10:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2006-10-29 05:07 . 2009-03-08 20:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2006-10-29 05:07 . 2010-05-06 10:41 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2006-10-29 05:07 . 2010-05-06 10:41 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-10-29 05:07 . 2009-03-08 10:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2006-10-29 05:07 . 2009-03-08 10:33 229376 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-10-29 05:07 . 2009-03-08 10:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-10-29 05:07 . 2010-05-05 13:30 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2006-10-29 05:07 . 2009-03-08 10:31 216064 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-10-29 05:07 . 2009-03-08 10:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-10-29 05:06 . 2009-03-08 10:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2006-10-29 05:06 . 2009-03-08 10:32 128512 c:\windows\system32\advpack.dll
+ 2011-04-14 19:47 . 2011-04-14 19:47 180224 c:\windows\Installer\c2102.msi
+ 2011-04-14 19:46 . 2011-04-14 19:46 675840 c:\windows\Installer\c20f2.msi
+ 2011-04-15 00:51 . 2009-03-08 10:34 914944 c:\windows\ie8updates\KB982381-IE8\wininet.dll
+ 2011-04-15 00:51 . 2010-02-22 14:23 382840 c:\windows\ie8updates\KB982381-IE8\spuninst\updspapi.dll
+ 2011-04-15 00:51 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB982381-IE8\spuninst\spuninst.exe
+ 2011-04-15 00:51 . 2009-03-08 10:34 109568 c:\windows\ie8updates\KB982381-IE8\occache.dll
+ 2011-04-15 00:51 . 2009-03-08 10:32 611840 c:\windows\ie8updates\KB982381-IE8\mstime.dll
+ 2011-04-15 00:51 . 2009-03-08 10:32 594432 c:\windows\ie8updates\KB982381-IE8\msfeeds.dll
+ 2011-04-15 00:51 . 2009-03-08 10:33 246784 c:\windows\ie8updates\KB982381-IE8\ieproxy.dll
+ 2011-04-15 00:51 . 2009-03-08 10:31 183808 c:\windows\ie8updates\KB982381-IE8\iepeers.dll
+ 2011-04-15 00:51 . 2009-03-08 10:35 742912 c:\windows\ie8updates\KB982381-IE8\iedvtool.dll
+ 2011-04-15 00:51 . 2009-03-08 20:09 391536 c:\windows\ie8updates\KB982381-IE8\iedkcs32.dll
+ 2011-04-15 00:51 . 2009-03-08 10:32 173056 c:\windows\ie8updates\KB982381-IE8\ie4uinit.exe
+ 2011-04-15 00:47 . 2005-10-21 03:39 658432 c:\windows\ie8\wininet.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 276480 c:\windows\ie8\webcheck.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 848384 c:\windows\ie8\vgx.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 417792 c:\windows\ie8\vbscript.dll
+ 2011-04-15 00:47 . 2005-11-05 03:16 609280 c:\windows\ie8\urlmon.dll
+ 2011-04-15 00:49 . 2009-01-08 00:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2011-04-15 00:49 . 2009-01-08 00:20 231456 c:\windows\ie8\spuninst\spuninst.exe
+ 2011-04-15 00:47 . 2005-10-21 03:39 473600 c:\windows\ie8\shlwapi.dll
+ 2011-04-15 00:47 . 2005-10-21 03:39 530944 c:\windows\ie8\mstime.dll
+ 2011-04-15 00:47 . 2005-10-21 03:39 146432 c:\windows\ie8\msrating.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 146432 c:\windows\ie8\msls31.dll
+ 2011-04-15 00:47 . 2005-10-21 03:39 448512 c:\windows\ie8\mshtmled.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 450560 c:\windows\ie8\jscript.dll
+ 2011-04-15 00:47 . 2005-10-21 03:39 251392 c:\windows\ie8\iepeers.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 323584 c:\windows\ie8\iedkcs32.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 221184 c:\windows\ie8\ieakui.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 216576 c:\windows\ie8\ieaksie.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 139264 c:\windows\ie8\ieakeng.dll
+ 2011-04-15 00:47 . 2005-10-21 03:39 205312 c:\windows\ie8\dxtrans.dll
+ 2011-04-15 00:47 . 2004-08-04 19:00 357888 c:\windows\ie8\dxtmsft.dll
+ 2011-04-15 15:46 . 2011-04-15 15:46 192512 c:\windows\ERDNT\AutoBackup\4-15-2011\Users\00000002\UsrClass.dat
+ 2011-04-15 15:46 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-15-2011\ERDNT.EXE
+ 2006-10-29 05:10 . 2010-05-06 10:41 1209344 c:\windows\system32\urlmon.dll
+ 2006-10-29 05:09 . 2009-01-08 00:20 1497088 c:\windows\system32\shdocvw.dll
+ 2006-10-29 05:08 . 2010-05-06 10:41 5950976 c:\windows\system32\mshtml.dll
+ 2009-03-08 10:32 . 2010-05-06 10:41 1985536 c:\windows\system32\iertutil.dll
+ 2009-02-07 03:07 . 2009-02-07 03:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2006-10-29 05:10 . 2010-05-06 10:41 1209344 c:\windows\system32\dllcache\urlmon.dll
+ 2006-10-29 05:09 . 2009-01-08 00:20 1497088 c:\windows\system32\dllcache\shdocvw.dll
+ 2006-10-29 05:08 . 2010-05-06 10:41 5950976 c:\windows\system32\dllcache\mshtml.dll
+ 2006-10-29 05:06 . 2009-01-08 00:20 1022976 c:\windows\system32\dllcache\browseui.dll
+ 2006-10-29 05:06 . 2009-01-08 00:20 1022976 c:\windows\system32\browseui.dll
+ 2011-04-15 00:51 . 2009-03-08 10:34 1206784 c:\windows\ie8updates\KB982381-IE8\urlmon.dll
+ 2011-04-15 00:51 . 2009-03-08 10:41 5937152 c:\windows\ie8updates\KB982381-IE8\mshtml.dll
+ 2011-04-15 00:51 . 2009-03-08 10:32 1985024 c:\windows\ie8updates\KB982381-IE8\iertutil.dll
+ 2011-04-15 00:47 . 2005-12-01 03:59 1492480 c:\windows\ie8\shdocvw.dll
+ 2011-04-15 00:47 . 2005-11-24 01:06 3015680 c:\windows\ie8\mshtml.dll
+ 2011-04-15 00:47 . 2005-11-24 01:06 1022464 c:\windows\ie8\browseui.dll
+ 2011-04-15 15:46 . 2011-04-15 15:46 1646592 c:\windows\ERDNT\AutoBackup\4-15-2011\Users\00000001\ntuser.dat
+ 2011-04-15 00:44 . 2011-03-03 01:56 37943240 c:\windows\system32\MRT.exe
+ 2009-03-08 10:39 . 2010-05-06 10:41 11076096 c:\windows\system32\ieframe.dll
+ 2011-04-15 00:51 . 2009-03-08 10:39 11063808 c:\windows\ie8updates\KB982381-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-01 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2010-07-01 02:59 2515552 ----a-w- c:\program files\Softonic-Eng7\tbSof1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-01 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-01 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 737370]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" [2005-11-01 163840]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 88203]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-04-10 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-09-19 21:06 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1270920978\EE\AOLHostManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-08-26 18:23 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 20:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1270920978\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
.
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2010-04-10 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-10-29 19:00]
.
2010-04-10 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-10-29 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-15 20:04
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2340)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-04-15 20:07:08
ComboFix-quarantined-files.txt 2011-04-16 02:07
ComboFix2.txt 2011-04-14 19:36
ComboFix3.txt 2011-04-14 18:08
.
Pre-Run: 39,783,120,896 bytes free
Post-Run: 39,807,684,608 bytes free
.
- - End Of File - - E4C049F622EC6360EEA1B534EFACAD7B
Upload was successful
Hi,
Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\patcher.exe
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log. How's the system running?
Hi, here's the combofix log:
ComboFix 11-04-16.03 - Owner 04/17/2011 10:26:43.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.8 [GMT -6:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
FILE ::
"c:\patcher.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\patcher.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-17 to 2011-04-17 )))))))))))))))))))))))))))))))
.
.
2011-04-17 15:48 . 2011-04-17 15:48 -------- d-----w- c:\windows\ServicePackFiles
2011-04-17 15:44 . 2011-04-17 15:44 -------- d-----w- c:\program files\MSXML 4.0
2011-04-16 01:49 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-04-16 01:49 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-04-16 01:49 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-04-15 01:00 . 2011-04-15 01:00 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2011-04-15 00:58 . 2011-04-15 00:58 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2011-04-15 00:54 . 2011-04-15 00:54 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2011-04-15 00:54 . 2011-04-15 00:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-15 00:47 . 2011-04-15 00:50 -------- dc-h--w- c:\windows\ie8
2011-04-15 00:43 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-04-15 00:43 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-15 00:43 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-15 00:43 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-15 00:43 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-15 00:43 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-04-15 00:43 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-04-14 20:04 . 2011-04-14 20:04 -------- d-----w- c:\program files\ESET
2011-04-14 19:46 . 2011-04-14 19:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-14 19:46 . 2011-04-14 19:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 16:27 . 2011-04-14 16:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
2011-03-26 04:05 . 2011-03-26 04:05 -------- d-----w- c:\program files\ERUNT
2011-03-19 07:20 . 2011-03-19 07:20 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot_2011-04-16_02.04.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-29 05:42 . 2009-06-29 05:42 91656 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
+ 2011-04-16 01:55 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
+ 2006-10-29 05:06 . 2010-01-13 14:10 85504 c:\windows\system32\dllcache\cabview.dll
+ 2006-10-29 05:06 . 2010-01-13 14:10 85504 c:\windows\system32\cabview.dll
+ 2011-04-17 15:45 . 2011-04-17 15:45 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2011-04-17 15:45 . 2011-04-17 15:45 32768 c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
+ 2010-04-10 17:57 . 2008-02-15 09:06 351744 c:\windows\system32\xpsp3res.dll
+ 2006-10-29 05:10 . 2009-04-10 07:01 413032 c:\windows\system32\wmspdmod.dll
+ 2006-10-29 05:10 . 2009-07-13 16:08 286720 c:\windows\system32\wmpdxm.dll
+ 2006-10-29 05:10 . 2007-10-27 23:40 227328 c:\windows\system32\wmasf.dll
+ 2006-10-29 05:10 . 2009-12-24 07:05 177664 c:\windows\system32\wintrust.dll
- 2006-10-29 05:10 . 2009-03-08 10:33 420352 c:\windows\system32\vbscript.dll
+ 2006-10-29 05:10 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll
- 2006-10-29 05:09 . 2004-08-04 19:00 144896 c:\windows\system32\schannel.dll
+ 2006-10-29 05:09 . 2008-12-05 07:12 144896 c:\windows\system32\schannel.dll
+ 2006-10-29 05:09 . 2008-10-15 16:57 332800 c:\windows\system32\netapi32.dll
+ 2006-10-29 05:09 . 2009-08-05 09:11 204800 c:\windows\system32\mswebdvd.dll
+ 2006-10-29 05:09 . 2009-06-05 07:42 655872 c:\windows\system32\mstscax.dll
- 2006-10-29 05:07 . 2009-03-08 10:33 726528 c:\windows\system32\jscript.dll
+ 2006-10-29 05:07 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2006-10-29 05:10 . 2009-12-31 16:14 352640 c:\windows\system32\drivers\srv.sys
+ 2006-10-29 05:09 . 2008-05-08 12:28 202752 c:\windows\system32\drivers\rmcast.sys
+ 2006-10-29 05:08 . 2010-02-24 12:31 454016 c:\windows\system32\drivers\mrxsmb.sys
+ 2006-10-29 05:06 . 2008-08-14 09:51 138368 c:\windows\system32\drivers\afd.sys
+ 2006-10-29 05:10 . 2008-04-21 10:02 215552 c:\windows\system32\dllcache\wordpad.exe
+ 2006-10-29 05:10 . 2009-04-10 07:01 413032 c:\windows\system32\dllcache\wmspdmod.dll
+ 2006-10-29 05:10 . 2009-07-13 16:08 286720 c:\windows\system32\dllcache\wmpdxm.dll
+ 2006-10-29 05:10 . 2007-10-27 23:40 227328 c:\windows\system32\dllcache\wmasf.dll
+ 2006-10-29 05:10 . 2009-12-24 07:05 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2006-10-29 05:10 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
- 2006-10-29 05:10 . 2009-03-08 10:33 420352 c:\windows\system32\dllcache\vbscript.dll
- 2006-10-29 05:10 . 2004-08-04 19:00 153088 c:\windows\system32\dllcache\triedit.dll
+ 2006-10-29 05:10 . 2009-06-21 22:04 153088 c:\windows\system32\dllcache\triedit.dll
+ 2006-10-29 05:10 . 2009-12-31 16:14 352640 c:\windows\system32\dllcache\srv.sys
+ 2006-10-29 05:09 . 2008-12-05 07:12 144896 c:\windows\system32\dllcache\schannel.dll
- 2006-10-29 05:09 . 2004-08-04 19:00 144896 c:\windows\system32\dllcache\schannel.dll
+ 2006-10-29 05:09 . 2008-05-08 12:28 202752 c:\windows\system32\dllcache\rmcast.sys
+ 2006-10-29 05:09 . 2008-10-15 16:57 332800 c:\windows\system32\dllcache\netapi32.dll
+ 2006-10-29 05:09 . 2009-08-05 09:11 204800 c:\windows\system32\dllcache\mswebdvd.dll
+ 2006-10-29 05:09 . 2009-06-05 07:42 655872 c:\windows\system32\dllcache\mstscax.dll
+ 2006-10-29 05:08 . 2008-05-01 14:30 331776 c:\windows\system32\dllcache\msadce.dll
- 2006-10-29 05:08 . 2004-08-04 19:00 331776 c:\windows\system32\dllcache\msadce.dll
+ 2006-10-29 05:07 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
- 2006-10-29 05:07 . 2009-03-08 10:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2006-10-29 05:07 . 2010-06-14 14:30 743936 c:\windows\system32\dllcache\helpsvc.exe
- 2006-10-29 05:07 . 2004-08-04 19:00 743936 c:\windows\system32\dllcache\helpsvc.exe
+ 2006-10-29 05:06 . 2008-08-14 09:51 138368 c:\windows\system32\dllcache\afd.sys
+ 2006-10-29 05:07 . 2010-06-14 14:30 743936 c:\windows\pchealth\helpctr\binaries\helpsvc.exe
- 2006-10-29 05:07 . 2004-08-04 19:00 743936 c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
+ 2011-04-17 15:45 . 2011-04-17 15:45 432640 c:\windows\Installer\60d30.msi
+ 2011-04-17 15:45 . 2011-04-17 15:45 429568 c:\windows\Installer\60d28.msi
+ 2011-04-17 15:49 . 2009-03-08 10:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
+ 2011-04-17 15:49 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
+ 2011-04-17 15:49 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
+ 2011-04-17 15:53 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2011-04-17 15:53 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2011-04-17 15:53 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2011-04-17 15:46 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2011-04-17 15:46 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2011-04-17 15:46 . 2009-03-08 10:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2011-04-17 15:38 . 2011-04-17 15:38 192512 c:\windows\ERDNT\AutoBackup\4-17-2011\Users\00000002\UsrClass.dat
+ 2011-04-17 15:38 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-17-2011\ERDNT.EXE
+ 2010-04-10 17:52 . 2010-02-24 12:31 454016 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2011-04-16 01:49 . 2008-06-13 13:10 272128 c:\windows\Driver Cache\i386\bthport.sys
+ 2009-07-21 06:03 . 2009-07-21 06:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2008-09-30 22:42 . 2008-09-30 22:42 1286152 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2006-10-29 05:10 . 2010-04-03 12:39 2377576 c:\windows\system32\WMVCore.dll
+ 2006-10-29 05:10 . 2009-07-13 16:08 5537792 c:\windows\system32\wmp.dll
+ 2009-07-21 06:05 . 2009-07-21 06:05 1348432 c:\windows\system32\msxml4.dll
+ 2006-10-29 05:09 . 2009-07-31 04:57 1172480 c:\windows\system32\msxml3.dll
+ 2006-10-29 05:10 . 2010-04-03 12:39 2377576 c:\windows\system32\dllcache\WMVCore.dll
+ 2006-10-29 05:10 . 2009-07-13 16:08 5537792 c:\windows\system32\dllcache\wmp.dll
+ 2006-10-29 05:09 . 2009-07-31 04:57 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2006-10-29 05:08 . 2009-10-23 14:27 3555328 c:\windows\system32\dllcache\moviemk.exe
- 2006-10-29 05:08 . 2004-08-04 19:00 3555328 c:\windows\system32\dllcache\moviemk.exe
+ 2011-04-17 15:38 . 2011-04-17 15:38 1671168 c:\windows\ERDNT\AutoBackup\4-17-2011\Users\00000001\ntuser.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-01 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2010-07-01 02:59 2515552 ----a-w- c:\program files\Softonic-Eng7\tbSof1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-01 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-01 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 737370]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" [2005-11-01 163840]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 88203]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-04-10 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-09-19 21:06 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1270920978\EE\AOLHostManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-08-26 18:23 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 20:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1270920978\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2010-04-10 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-10-29 19:00]
.
2010-04-10 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-10-29 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-17 10:35
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-04-17 10:37:24
ComboFix-quarantined-files.txt 2011-04-17 16:37
ComboFix2.txt 2011-04-16 02:07
ComboFix3.txt 2011-04-14 19:36
ComboFix4.txt 2011-04-14 18:08
.
Pre-Run: 39,402,508,288 bytes free
Post-Run: 39,411,560,448 bytes free
.
- - End Of File - - 17E2CF85F39DF73D2E15EFFB40E1C198
I was going to say my system was running really slow, especially for start ups. But after I ran Combofix the last time, things sped up a lot more. No other issues whatsoever :) :)
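Two entries in the ComboFix log above are worth pointing out from a defender's point of view: the Security Center key has `AntiVirusOverride` and `FirewallOverride` set to 1, and the firewall's standard profile has `DisableNotifications` set to 1. Those values silence the XP Security Center's "no antivirus / firewall off" alerts and the firewall's blocked-program prompts, which is exactly the state a cleanup should reverse. The script below is an added example (not ComboFix's code and not part of the original thread): it parses the registry section of a ComboFix-style log in the format shown above, flags the suppression values that are set, and lists the programs in the firewall's AuthorizedApplications list. The sample text is assembled here from lines of the posted log; the function names are the example's own.

```python
import re

# Constructed sample in the format ComboFix uses above; the key names and
# values are copied from the posted log, the excerpt itself is assembled here.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
.
"""

KEY_RE = re.compile(r'^\[(.+)\]$')            # [HKLM\...\key]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')    # "Name"=value

# (key suffix, value name, what a value of 1 silences) -- all from the log above
SUPPRESSION_CHECKS = [
    ("security center", "AntiVirusOverride",
     "Security Center no longer warns that antivirus is missing or disabled"),
    ("security center", "FirewallOverride",
     "Security Center no longer warns that the firewall is off"),
    ("firewallpolicy\\standardprofile", "DisableNotifications",
     "Windows Firewall no longer prompts when it blocks a program"),
]


def parse_value(raw):
    """Turn ComboFix's value spellings into Python values.

    Handles 'dword:00000001', ' 1 (0x1)' and an empty value (no data).
    Anything else is kept as the raw string.
    """
    raw = raw.strip()
    if raw == "":
        return None
    m = re.match(r'dword:([0-9a-fA-F]{8})$', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\s*\(0x[0-9a-fA-F]+\)$', raw)
    if m:
        return int(m.group(1))
    return raw


def parse_sections(text):
    """Map each lower-cased registry key to a dict of its value names/values."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = parse_value(m.group(2))
    return sections


def find_suppressed_warnings(sections):
    """Return (value name, explanation) for every suppression flag set to 1."""
    findings = []
    for key_suffix, name, why in SUPPRESSION_CHECKS:
        for key, values in sections.items():
            if key.endswith(key_suffix) and values.get(name) == 1:
                findings.append((name, why))
    return findings


def authorized_programs(sections):
    """Programs the firewall lets through (names are double-escaped in the log)."""
    for key, values in sections.items():
        if key.endswith("authorizedapplications\\list"):
            return [name.replace("\\\\", "\\") for name in values]
    return []


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_LOG)
    for name, why in find_suppressed_warnings(parsed):
        print(f"SET: {name} -> {why}")
    for prog in authorized_programs(parsed):
        print(f"firewall exception: {prog}")
```

After cleanup the expectation is that all three flags read 0 (or are absent) and that every firewall exception is something the owner recognises; an unfamiliar path in that list is worth a second look in the next log.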
Good. Now it's time for the final steps to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis
Now let's uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the run box and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates. Especially Internet Explorer 6 should be switched to Internet Explorer 8. Reasons to move away from IE6 can be read here (http://ie6countdown.com/).
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of Windows has a hosts file. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings.
Get Antivirus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html)
Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
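The hosts-file advice in the post above works because the resolver consults the hosts file before asking DNS, so a blocklist that maps unwanted domains to a non-routable address makes them unreachable without any extra software. The script below is an added example, not the MVPS file or anything from the thread: it parses a small constructed hosts file in the same layout (address, one or more hostnames, optional `#` comment), then shows how a lookup for a blocked name, a local name, and an unlisted name is handled. The sample hostnames are made up for the example and the function names are the example's own.

```python
# Constructed sample in the layout a blocklist hosts file uses; the names are
# invented for this example and this is not the real MVPS list.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1       localhost
0.0.0.0         ads.example.net        # trailing comments are stripped
0.0.0.0         tracker.example.org    cdn.tracker.example.org
10.0.0.5        intranet.example.com

"""

# Addresses a blocklist points unwanted names at; traffic to them goes nowhere.
BLACKHOLE_ADDRESSES = ("0.0.0.0", "127.0.0.1")


def parse_hosts(text):
    """Return {hostname (lower case): address} for every entry in the file.

    Several hostnames may share one line; the first mapping seen for a name is
    kept and later duplicates are ignored (the example's choice, to mirror a
    first-match lookup).
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # an address with no names
            continue
        address, names = parts[0], parts[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(name, table):
    """Classify a lookup: ('blocked', ip), ('hosts', ip) or ('dns', None).

    'dns' means the hosts file has no entry and the name would go to DNS;
    'blocked' means the entry points at a black-hole address (localhost itself
    is the one 127.0.0.1 mapping that is not a block).
    """
    key = name.lower().rstrip(".")
    address = table.get(key)
    if address is None:
        return ("dns", None)
    if address in BLACKHOLE_ADDRESSES and not key.startswith("localhost"):
        return ("blocked", address)
    return ("hosts", address)


def blocked_names(table):
    """Every hostname the file black-holes, sorted for display."""
    return sorted(n for n in table if resolve(n, table)[0] == "blocked")


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ADS.example.net", "localhost", "www.example.com"):
        print(host, "->", resolve(host, table))
    print("blocked:", blocked_names(table))
```

The check is case-insensitive and tolerates a trailing dot, which is how hostnames arrive in practice. The size of the table is also the reason for the DNS Client step in the post: on XP that service caches the whole hosts file, so a list with tens of thousands of entries is what makes the machine feel slow.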
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.