
Thread: virtumonde

  1. #61
    Member
    Join Date
    Feb 2010
    Posts
    85

    Default no

    I saved them while I was still in Safe Mode.
    When I turn on my computer in safe mode I can see them on the desktop.
    Not on normal boot though.
    I search for them in Search function; they show up as being in C administrator desktop, but when I go there they are not there, and they are not showing up on my actual desktop.

  2. #62
    Member
    Join Date
    Feb 2010
    Posts
    85

    Default also

    When I shut my computer down to check to see if they were on my desktop in safe mode, Windows automatically updated itself. Is that normal?

  3. #63
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Quote Originally Posted by Red_Earth View Post
    I saved them while I was still in Safe Mode.
    When I turn on my computer in safe mode I can see them on the desktop.
    Not on normal boot though.
    I search for them in Search function; they show up as being in C administrator desktop, but when I go there they are not there, and they are not showing up on my actual desktop.
    Can you open them and see what's there, if anything, then jot it down and post back here.

  4. #64
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Quote Originally Posted by Red_Earth View Post
    When I shut my computer down to check to see if they were on my desktop in safe mode, Windows automatically updated itself. Is that normal?
    In Safe Mode? No. Unless you ran Safe Mode with Networking, there would be no way to download the updates.

  5. #65
    Member
    Join Date
    Feb 2010
    Posts
    85

    Default first run / light scan

    Autoscan: completed 11 minutes ago (events: 18, objects: 506489, time: 03:15:07)
    3/3/2010 3:03:15 PM Task started
    3/3/2010 3:10:19 PM Detected: not-a-virus:AdWare.Win32.PurityScan.ak C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60C92449.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact
    3/3/2010 3:10:19 PM Untreated: not-a-virus:AdWare.Win32.PurityScan.ak C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60C92449.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact Postponed
    3/3/2010 3:46:38 PM Detected: Trojan.VBS.Small.bj C:\Qoobox\Quarantine\C\WINDOWS\IA\KE.vbs.vir
    3/3/2010 3:46:38 PM Untreated: Trojan.VBS.Small.bj C:\Qoobox\Quarantine\C\WINDOWS\IA\KE.vbs.vir Postponed
    3/3/2010 3:50:31 PM Detected: not-a-virus:AdWare.Win32.PurityScan.ak C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005156.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact
    3/3/2010 3:50:31 PM Untreated: not-a-virus:AdWare.Win32.PurityScan.ak C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005156.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact Postponed
    3/3/2010 3:51:16 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP8\A0003422.exe/WiseSFXDropper/WISE0015.BIN
    3/3/2010 3:51:16 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP8\A0003422.exe/WiseSFXDropper/WISE0015.BIN Postponed
    3/3/2010 4:37:17 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\CompaqPresario_Spring06.exe/WiseSFXDropper/WISE0015.BIN
    3/3/2010 4:37:17 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\CompaqPresario_Spring06.exe/WiseSFXDropper/WISE0015.BIN Postponed
    3/3/2010 4:37:17 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\HPPavillion_Spring06.exe/WiseSFXDropper/WISE0015.BIN
    3/3/2010 4:37:17 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\HPPavillion_Spring06.exe/WiseSFXDropper/WISE0015.BIN Postponed
    3/3/2010 6:16:58 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005158.exe/WiseSFXDropper/WISE0015.BIN
    3/3/2010 6:16:58 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005158.exe/WiseSFXDropper/WISE0015.BIN Postponed
    3/3/2010 6:16:58 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005157.exe/WiseSFXDropper/WISE0015.BIN
    3/3/2010 6:16:59 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005157.exe/WiseSFXDropper/WISE0015.BIN Postponed
    3/3/2010 6:18:22 PM Task completed

  6. #66
    Member
    Join Date
    Feb 2010
    Posts
    85

    Default 2nd run / deep scan

    Autoscan: completed 17 hours ago (events: 18, objects: 506489, time: 03:15:07)
    Autoscan: completed 13 hours ago (events: 2, objects: 504374, time: 03:25:06)
    3/3/2010 6:33:08 PM Task started
    3/3/2010 9:58:14 PM Task completed


    During the first scan I paid close attention and clicked delete and quarantine as needed.

    The second scan I left alone, and returned to a completed scan.

  7. #67
    Member
    Join Date
    Feb 2010
    Posts
    85

    Default HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:36:15 PM, on 3/4/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\windows\system\hpsysdrv.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Safari\Safari.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCCBHO.CPCCBHO - {22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} - C:\Program Files\Winferno\PC Confidential\PCCBHO.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
    O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
    O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 7319 bytes

  8. #68
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Okay looks pretty good. We should do some cleanup.

    Uninstall Combofix
    • Click START then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the /U; it needs to be there.

    The above procedure will:
    • Delete the following: ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.


    You can also delete DDS and GMER.

    Download Security Check by screen317 from here or here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    Let me know how it's running too please.

  9. #69
    Member
    Join Date
    Feb 2010
    Posts
    85

    Default ok

    Will do.

  10. #70
    Member
    Join Date
    Feb 2010
    Posts
    85

    Default wait

    When I try to launch ComboFix it asks me to disable Avast, and I don't know how.
