TechSpot

Have a lot of virus problems!

By tpw
Aug 20, 2010
  1. Hi, I have been having a lot of problems with viruses. Two weeks ago I got a trojan, and I think the file that was infected was rundll32; it would not let me get on the internet, so I had to take it to a shop to get it fixed. I got the computer back, and around a week later I got a virus; it was a program called Security Suite, but I saw my antivirus pop up asking me to allow or deny, and I clicked deny before the virus popped up in my system tray. It acted as if it was an antivirus program, and when I would try to go on the internet it would not allow me; just their page would pop up for the program, wanting me to buy it, not run the trial, but I never installed a trial. Before all of this I was using Avira and Comodo Firewall. I uninstalled Comodo Firewall after using it for a long time to see if it was lagging my computer, then 3 weeks later I got the 1st trojan. But back to my story: after getting the 2nd virus I went back to the shop and they fixed it, supposedly, but a few hours after I got my computer back I noticed the same thing happened; this time I had Spybot running and it asked, I clicked deny, but I still got it. So I did not have internet, and this time every icon on the desktop that I clicked said infected, so I went into safe mode, scanned with Spybot, found 3 things, removed them, and booted again. I noticed I could click on icons fine but had no internet, so I did a system restore and that fixed it. But I just want to make sure everything is fine with my computer, so I did a few scans. I used Malwarebytes and it found 6 things and I removed them, but I got the log. Sorry for typing so much; it is morning time and I am tired. Please help, and thanks.

    Also, after getting the computer back the 1st time I have the free Microsoft antivirus. I kind of don't like it. I know virus protection doesn't mean you can't get an infection, but I figure there might be something better out there. What do you all think is the best antivirus and firewall for me? I tried scanning with the Microsoft antivirus and it did not find anything this time, but I see what it found last time when I was infected. Can I get a log from the last scan? Anybody know how, so I can post that too? Thanks.
     
  2. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4450

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/19/2010 9:37:16 PM
    mbam-log-2010-08-19 (21-37-16).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 186657
    Time elapsed: 49 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\User\Local Settings\temp\0.2627595211782293.exe (Trojan.FakeAlert.Gen) -> No action taken.
    C:\Documents and Settings\User\Local Settings\temp\2.0519374765602525E7.exe (Trojan.FakeAlert.Gen) -> No action taken.
    C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\tijuwtshc\ihqyqvushdw.exe.vir (Rogue.SecuritySuite) -> No action taken.
    C:\System Volume Information\_restore{A524198C-6043-4347-8DCC-31FB4EBB5391}\RP4\A0002080.exe (Trojan.FakeAlert.Gen) -> No action taken.
    C:\System Volume Information\_restore{A524198C-6043-4347-8DCC-31FB4EBB5391}\RP4\A0002081.exe (Trojan.FakeAlert.Gen) -> No action taken.
    C:\WINDOWS\system32\oobe\AntiWPA_Crypt.dll (Hacktool) -> No action taken.
     
  3. tpw


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-20 02:21:55
    Windows 5.1.2600 Service Pack 3
    Running: n8nuzrsb.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\pgldapoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF529B620]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF753B360, 0x37388D, 0xE8000020]
    init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF7420510]
    .text C:\Program Files\CyberLink\PowerDVD9\000.fcl section is writeable [0xBA2F8000, 0x2892, 0xE8000020]
    .vmp2 C:\Program Files\CyberLink\PowerDVD9\000.fcl entry point in ".vmp2" section [0xBA31B050]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x2C 0xC3 0xFA 0x9D ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{b998f049-44ac-4e02-be1d-5a79ca902455}@Model 231
    Reg HKLM\SOFTWARE\Classes\CLSID\{b998f049-44ac-4e02-be1d-5a79ca902455}@Therad 17

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 09: copy of MBR

    ---- EOF - GMER 1.0.15 ----
     
  4. tpw


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/3/2010 5:03:26 PM
    System Uptime: 8/20/2010 2:22:43 AM (0 hours ago)

    Motherboard: | | P4M800CE-8237
    Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Socket 775 | 3060/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 11.568 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 8/18/2010 6:24:56 PM - System Checkpoint
    RP2: 8/19/2010 2:40:20 PM - Software Distribution Service 3.0
    RP3: 8/19/2010 7:38:54 PM - still mess up
    RP4: 8/19/2010 7:39:26 PM - Restore Operation
    RP5: 8/19/2010 7:46:06 PM - working again
    RP6: 8/19/2010 7:54:45 PM - Software Distribution Service 3.0
    RP7: 8/20/2010 12:04:50 AM - Installed Java(TM) 6 Update 21

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.3
    Adobe Shockwave Player 11.5
    AIM 6
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Bonjour
    CCleaner
    Compatibility Pack for the 2007 Office system
    CyberLink PowerDVD 9
    Download Updater (AOL LLC)
    FrostWire 4.20.7
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Internet Download Manager
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 21
    Java(TM) 6 Update 7
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Security Essentials
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.6.8)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero 8 Lite 8.3.2.1
    neroxml
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    OpenOffice.org 3.0
    Opera 10.60
    QuickTime
    Realtek AC'97 Audio
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Spybot - Search & Destroy
    SUPERAntiSpyware
    TeamViewer 5
    The KMPlayer (remove only)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Viewpoint Media Player
    WeatherBug
    WebFldrs XP
    Winamp
    Winamp Detector Plug-in
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    WinRAR archiver
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    8/19/2010 9:41:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp
    8/19/2010 9:41:18 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    8/19/2010 12:43:43 PM, error: Dhcp [1002] - The IP address lease 10.10.1.129 for the Network Card with network address 00E04D3C36B0 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    8/18/2010 6:24:51 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
    8/18/2010 6:09:53 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.87.1874.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6004.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    8/18/2010 6:02:10 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
    8/18/2010 6:02:09 PM, error: SRService [104] - The System Restore initialization process failed.
    8/16/2010 1:33:18 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00E04D3C36B0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    8/15/2010 5:05:25 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    8/15/2010 4:26:36 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
    8/15/2010 2:29:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
    8/15/2010 2:21:01 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.87.1874.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6004.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    8/15/2010 2:08:16 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.87.1874.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6004.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    8/15/2010 12:13:09 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.87.1874.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6004.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    8/15/2010 12:13:09 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    8/15/2010 12:03:12 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    8/15/2010 12:03:12 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    8/15/2010 12:03:12 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/15/2010 12:03:12 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/15/2010 12:03:12 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    8/15/2010 12:03:12 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/15/2010 12:03:12 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/15/2010 12:03:11 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    ==== End Of File ===========================
     
  5. tpw


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by User at 2:28:17.78 on Fri 08/20/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.62 [GMT -4:00]

    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\Program Files\Internet Download Manager\IEMonitor.exe
    C:\Documents and Settings\User\My Documents\Downloads\Programs\dds.EXE

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.ask.com?o=14196&l=dis
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:6522
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
    IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
    IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
    IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\w0iucppe.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=14196&l=dis
    FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FWV5&o=14193&locale=en_US&q=
    FF - component: c:\documents and settings\user\application data\idm\idmmzcc3\components\idmmzcc.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/04/03 17:07:28];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2010-8-6 24652]

    =============== Created Last 30 ================

    2010-08-20 04:06:26 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-20 00:44:43 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
    2010-08-20 00:44:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-20 00:44:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-08-20 00:44:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-20 00:44:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-20 00:38:11 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
    2010-08-20 00:38:11 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-08-20 00:37:45 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-08-19 23:40:21 0 d-----w- c:\windows\system32\wbem\Repository
    2010-08-19 14:05:08 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-19 14:05:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-08-18 22:13:04 0 d-sha-r- C:\cmdcons
    2010-08-18 22:02:10 98816 ----a-w- c:\windows\sed.exe
    2010-08-18 22:02:10 77312 ----a-w- c:\windows\MBR.exe
    2010-08-18 22:02:10 256512 ----a-w- c:\windows\PEV.exe
    2010-08-18 22:02:10 161792 ----a-w- c:\windows\SWREG.exe
    2010-08-16 17:31:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
    2010-08-16 17:31:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2010-08-15 18:31:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-08-13 21:44:16 0 d-----w- c:\windows\system32\Adobe
    2010-08-09 23:56:44 0 d-----w- c:\docume~1\user\applic~1\WeatherBug
    2010-08-09 23:56:06 0 d-----w- c:\program files\AWS
    2010-08-08 17:06:01 0 d-----w- c:\windows\pss
    2010-08-08 07:02:32 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
    2010-08-08 07:02:27 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
    2010-08-08 07:02:16 0 d-----w- c:\windows\Logs
    2010-08-08 07:02:07 0 d-----w- c:\program files\Winamp Detect
    2010-08-07 18:42:51 0 d-----w- c:\windows\system32\appmgmt
    2010-08-06 22:50:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Viewpoint
    2010-08-06 22:49:59 0 d-----w- c:\program files\Viewpoint
    2010-08-06 22:34:06 0 d-----w- c:\program files\AIM6
    2010-08-06 06:47:50 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
    2010-08-06 06:42:07 0 d-----w- c:\program files\common files\Software Update Utility
    2010-08-06 06:39:03 0 d-----w- c:\program files\common files\AOL
    2010-08-06 06:36:26 1512 ---ha-w- C:\IPH.PH
    2010-08-05 17:54:22 0 d-----w- c:\docume~1\user\applic~1\FrostWire
    2010-08-05 17:52:09 0 d-----w- c:\program files\Ask.com
    2010-08-05 17:51:49 0 d-----w- c:\program files\FrostWire
    2010-08-05 01:14:09 69 ----a-w- c:\windows\NeroDigital.ini
    2010-08-04 23:54:39 0 d-----w- c:\windows\SxsCaPendDel
    2010-08-04 23:53:17 0 d-----w- c:\program files\Yahoo!
    2010-08-04 23:34:32 0 d-----w- c:\program files\common files\Canon
    2010-08-04 23:28:13 0 d-----w- c:\docume~1\user\applic~1\IDM
    2010-08-04 23:28:13 0 d-----w- c:\docume~1\user\applic~1\DMCache
    2010-08-04 23:27:07 0 d-----w- c:\program files\Internet Download Manager
    2010-08-04 22:33:59 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2010-08-04 22:33:59 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-08-04 13:29:05 0 d-----w- C:\old data
    2010-08-03 21:49:59 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-08-03 21:48:08 186097 ----a-w- c:\windows\system32\nvapps.xml
    2010-08-03 21:48:05 446464 ----a-w- c:\windows\system32\nvudisp.exe
    2010-08-03 21:48:05 18070 ----a-w- c:\windows\system32\nvdisp.nvu
    2010-08-03 21:48:05 0 d-----w- c:\windows\nview
    2010-08-03 21:47:53 0 d-----w- c:\windows\system32\ReinstallBackups
    2010-08-03 21:46:50 0 d-----w- c:\program files\Realtek Sound Manager
    2010-08-03 21:46:49 0 d-----w- c:\program files\AvRack
    2010-08-03 21:35:08 0 d-----w- C:\Drivers
    2010-08-03 21:16:02 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
    2010-08-03 21:02:12 6557408 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
    2010-08-03 21:02:12 6557408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2010-08-03 21:02:12 6108928 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-08-03 21:02:00 44672 ----a-w- c:\windows\system32\drivers\UAGP35.SYS
    2010-08-03 21:01:49 30208 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2010-08-03 21:01:48 7168 ----a-w- c:\windows\system32\hccoin.dll
    2010-08-03 21:01:32 27165 ----a-w- c:\windows\system32\drivers\fetnd5.sys

    ==================== Find3M ====================

    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-04-02 20:51:47 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
    2010-04-03 21:43:35 540672 --sha-w- c:\windows\system32\config\systemprofile\iecompatcache\index.dat
    2010-04-03 19:43:52 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
    2010-04-17 20:04:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
    2010-03-29 23:06:29 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
    2010-03-29 23:06:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010032920100330\index.dat
    2010-04-03 21:43:35 16384 --sha-w- c:\windows\system32\config\systemprofile\privacie\index.dat

    ============= FINISH: 2:29:13.39 ===============
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot. I am reviewing your problems and checking the logs now.

    When you ran Malwarebytes, you did not check the line for it to remove the entries it found, so all of the malware shows "No action taken". Please update Mbam and run the scan again, paying particular attention to the line: Be sure that everything is checked, and click Remove Selected. Post the new log.

    After you rescan with Malwarebytes, Please run the following scans:

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ==========================================
    Follow that with
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please paste this on your post. If it is too large for one post, split it.

    I am setting up some script to remove bad entries using Combofix.

    Please don't run any other scans. Do not use the file sharing programs while we are cleaning.
     
  7. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    Bobbye, the stuff it found is in quarantine. Can I just remove it from there and go to the step with the virus scan from NOD32?
     
  8. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    Nothing was found, but from the scan before, the stuff it found was put in quarantine. I am going to remove them and move to the next 2 steps.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4453

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/20/2010 1:53:20 PM
    mbam-log-2010-08-20 (13-53-20).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 186765
    Time elapsed: 53 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    8/19/2010 9:37:16 PM
    mbam-log-2010-08-19 (21-37-16).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 186657
    Time elapsed: 49 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 6
    The entries in System Volume mean the malware is in the restore points, not active in the system. I will have you remove the old restore points when we have finished.

    The entry in the Qoobox indicates you previously ran Combofix and a file was quarantined- Qoobox is where those files are sent. It also indicates that Combofix wasn't uninstalled when you were finished, as the logs in it are also removed.

    The remaining 3 entries showed active malware in the system, showing at that time > No Action Taken. The 2 files that are 'temp' could have been removed when you ran TFC.
    C:\Documents and Settings\User\Local Settings\temp\0.2627595211782293.exe (Trojan.FakeAlert.Gen) -> No action taken.
    C:\Documents and Settings\User\Local Settings\temp\2.0519374765602525E7.exe (Trojan.FakeAlert.Gen) -> No action taken.
    C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\tijuwtshc\ihqyqvushdw.exe.vir (Rogue.SecuritySuite) -> No action taken.
    C:\System Volume Information\_restore{A524198C-6043-4347-8DCC-31FB4EBB5391}\RP4\A0002080.exe (Trojan.FakeAlert.Gen) -> No action taken.
    C:\System Volume Information\_restore{A524198C-6043-4347-8DCC-31FB4EBB5391}\RP4\A0002081.exe (Trojan.FakeAlert.Gen) -> No action taken.
    C:\WINDOWS\system32\oobe\AntiWPA_Crypt.dll (Hacktool) -> No action taken.
    ========================================
    8/20/2010 1:53:20 PM
    mbam-log-2010-08-20 (13-53-20).txt
    Scan type: Full scan (C:\|)
    Objects scanned: 186765
    Time elapsed: 53 minute(s), 40 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    These logs don't make much sense. Malware doesn't just disappear! If you had run Mbam again, it would show the entries as 'Quarantined' unless either the shop trips or help elsewhere removed them.

    When did you run Combofix?
    What was done between the 2 Mbam scans?
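The distinction Bobbye draws above (restore-point copies and ComboFix's Qoobox quarantine are inert, temp files and live paths are not, and "No action taken" means nothing was removed) can be applied mechanically to Malwarebytes detection lines. This is an added example, not code from the thread or from Malwarebytes; the six sample lines are the ones from the 8/19 log quoted above, and the location labels are my own.

```python
"""Triage Malwarebytes detection lines: where each item sits, and whether anything was done."""
import re
from collections import Counter
from typing import NamedTuple

# Sample input: the six "Files Infected" lines from the 8/19 Malwarebytes log above.
MBAM_LINES = r"""
C:\Documents and Settings\User\Local Settings\temp\0.2627595211782293.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\Documents and Settings\User\Local Settings\temp\2.0519374765602525E7.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\tijuwtshc\ihqyqvushdw.exe.vir (Rogue.SecuritySuite) -> No action taken.
C:\System Volume Information\_restore{A524198C-6043-4347-8DCC-31FB4EBB5391}\RP4\A0002080.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\System Volume Information\_restore{A524198C-6043-4347-8DCC-31FB4EBB5391}\RP4\A0002081.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\WINDOWS\system32\oobe\AntiWPA_Crypt.dll (Hacktool) -> No action taken.
"""

# One detection line: "<path> (<threat name>) -> <action>."
DETECTION = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>[^.]+)\.?$")


class Detection(NamedTuple):
    path: str
    threat: str
    action: str     # e.g. "No action taken", "Quarantined and deleted successfully"
    location: str   # restore-point | combofix-quarantine | temp | active


def classify(path: str) -> str:
    """Where a detected file lives decides what the hit means (labels are mine)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"          # inert copy inside a System Restore point
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"    # already neutralised by an earlier ComboFix run
    if "\\temp\\" in p:
        return "temp"                   # would have gone with a temp-file cleaner
    return "active"                     # on a live path: real removal still needed


def parse(log: str) -> list[Detection]:
    """Keep only detection lines; headers, counts and blank lines are skipped."""
    found = []
    for line in log.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], m["action"].strip(), classify(m["path"])))
    return found


def summarize(dets: list[Detection]) -> dict[str, int]:
    """Count detections per location."""
    return dict(Counter(d.location for d in dets))


def still_pending(dets: list[Detection]) -> list[Detection]:
    """Items that were really live and that Malwarebytes never removed."""
    return [d for d in dets
            if d.location in ("temp", "active") and d.action.lower() == "no action taken"]


if __name__ == "__main__":
    dets = parse(MBAM_LINES)
    print(summarize(dets))
    for d in still_pending(dets):
        print("pending:", d.threat, d.path)
```

On the sample this reports 2 restore-point, 1 quarantine, 2 temp and 1 active entry, and lists 3 items as still pending, which is the helper's reading of the log.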
     
  10. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    Here is the ComboFix log.
     


  11. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    Bobbye, I went into Malwarebytes and went into the quarantine folder and deleted them. I posted the ComboFix log above.
     
  12. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    Here is the NOD32 log.
     

    Attached Files:

    • log1.txt
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The Eset log shows you have pirated software:

    C:\Documents and Settings\User\My Documents\stuff\TuneUp.Utilities.2009.v8.0.3100.Incl.Keygen-RAiD.DM999\RAiD_KeyGen\RAID-TUU2009KG.exe probably a variant of Win32/Agent.CLQINBT trojan 00000000000000000000000000000000

    You pirated a security program??? And you got malware from it! I think that might be considered justice. In order to continue support, you will have to remove the pirated program.
     
  14. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    I don't use that program any more. How do I remove that file?
     
  15. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    I removed the stuff from Malwarebytes earlier today, and the file that NOD32 found. Is there anything else I need to do? Is there better virus protection and firewall than the Microsoft security suite and Spybot? Thanks.
     
  16. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    For a Windows XP computer with 512 GB of RAM, I am looking at Kaspersky Internet Security Suite. I think it says 2 GB of RAM on one site that rates different programs. I notice Comodo Security Suite is like 125, but I don't know how good it is. If there is another you recommend, let me know.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Removing a program:
    1. Control Panel> Add/Remove Programs
    2. Find TuneUp.Utilities.2009> Highlight> Uninstall.
    3. Open Windows Explorer (Windows Key+E)
    4. Click on My Computer> Double click on Local Drive (usually C)> Programs
    5. Scroll down to TuneUp Utilities and do a right click> Delete on the program folder.
    6. Close Windows Explorer
    7. Search your computer for TuneUp Utilities and delete any left over files you find.
    =====================================
    Please run this Custom CFScript

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    C:\Documents and Settings\User\My Documents\stuff\TuneUp.Utilities.2009.v8.0.3100.Incl.Keygen-RAiD.DM999\RAiD_KeyGen\RAID-TUU2009KG.exe 
    c:\documents and settings\User\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
    c:\program files\Viewpoint\Common\ViewpointService.exe
    c:\program files\Ask.com\UpdateTask.exe
    Folder::
    c:\documents and settings\User\Local Settings\Application Data\WeatherBug
    c:\documents and settings\User\Application Data\WeatherBug
    c:\documents and settings\User\Local Settings\Application Data\AskToolbar
    c:\documents and settings\All Users\Application Data\Viewpoint
    c:\program files\Ask.com
    c:\program files\Viewpoint
    C:\old data		
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"=- 
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    
    RegLock:
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{b998f049-44ac-4e02-be1d-5a79ca902455}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    Driver::
    Viewpoint Manager Service
    Extra::
    File::
    c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    Firefox::
    Firefox-: Profile- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\w0iucppe.default\
    Firefox-: prefs.js- Startup.Homepage
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into your next reply.
    ====================
     
  18. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    Where do I get ComboFix? The link is not working.
     
  19. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    Here is the ComboFix. I think I did it right.
     


  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No, you just gave me the same Combofix logs as the first one. You're not looking for a link- you already have Combofix installed, you have already run a scan.

    Please go back to my Reply #17 and follow the directions beginning with:
    Please run this Custom CFScript which you will run through the Combofix program already on your system.

    It will produce a new log which you should paste in your next reply. There is no new link- just follow the steps.
     
  21. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    Here is the ComboFix log.
     


  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you copy everything in the Code box?

    How is the system running now? We're not through yet, but there should be some improvement.

    Have you intentionally set the Homepage in Firefox to be ask.com?
     
  23. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    The computer seems to be running fine. There are some other problems I want answers to, but nothing to do with viruses. On Firefox, I'm not sure if I set ask.com as the homepage, but Firefox is running fine.
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you're not sure whether you set ask.com as the homepage, then you didn't. I had that in the script to change it back to default. But the change wasn't made which was why I asked if you copied all the code. Please be sure you copy everything in the code box:

    Please run this: Custom CFScript


    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    DDS::
    uStart Page = hxxp://www.ask.com?o=14196&l=dis
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:6522
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    Folder::
    Extra::
    File::
    c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    Firefox::
    Firefox-: Profile- c:\docume~1\user\applic~1\mozilla\firefox\profiles\w0iucppe.default\
    Firefox-: prefs.js - Startup.Homepage
    Firefox-: prefs.js - Search.DefaultURL
    Firefox-: prefs.js - keyword.URL
    
    RegLock:
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{b998f049-44ac-4e02-be1d-5a79ca902455}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Follow with downloading the HijackThis Installer HERE and saving it to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Both logs should be pasted in next reply please.

    P2P/File Sharing Warning:

    Continued use of LimeWire and Frostwire, which are both File Sharing programs, will probably lead to continued malware. I am recommending that you uninstall both LimeWire and Frostwire for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
     
  25. tpw

    tpw TS Enthusiast Topic Starter Posts: 107

    Here is the ComboFix log again. I think I am keeping ask.com because Spybot came up twice. The first time, I am not sure if I wanted to change the home page for IE or Firefox, and I think I might have clicked; then when I restarted it asked me again if I wanted to change the homepage on IE and I clicked allow. If you want me to do it again, I will, no problem.

    HijackThis log here:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:45:17 PM, on 8/23/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Opera\opera.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 5891 bytes
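Bobbye's review of the logs above comes down to a few checks on HijackThis entries: are the R0/R1 start and search pages still at Microsoft's defaults, do any O2/O4/O23 entries load from the user profile rather than an install directory, and is a BHO unnamed. The script below is an added example, not code from the thread or from HijackThis; its sample lines are copied from the log above, except the ask.com start page and the Local Settings autorun, which are constructed from the DDS and Malwarebytes paths reported earlier in this thread, and the host whitelist and path markers are my own assumptions.

```python
"""Review HijackThis-style log lines for the entries a helper looks at first."""
import re
from typing import NamedTuple
from urllib.parse import urlsplit

# Sample input: lines from the HijackThis log above, plus two constructed lines
# (the ask.com start page and the autorun under Local Settings) built from
# paths the DDS and Malwarebytes logs in this thread reported.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14196&l=dis
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ihqyqvushdw] C:\Documents and Settings\User\Local Settings\Application Data\tijuwtshc\ihqyqvushdw.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Hosts a stock Windows XP / IE8 install points its start and search pages at
# (assumed list); anything else is worth a question, as Bobbye asked about ask.com.
DEFAULT_PAGE_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

# Path fragments meaning "runs from the user profile, not from an install directory".
PROFILE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\my documents\\")

R_LINE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<url>\S+)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


class Finding(NamedTuple):
    kind: str    # R0, R1, O2, O4, O23
    name: str
    reason: str


def exe_path(cmd: str) -> str:
    """Pull the executable path out of an autorun command line, quoted or not."""
    if cmd.startswith('"'):
        return cmd.split('"', 2)[1]
    m = re.match(r"(.+?\.(?:exe|dll|scr|com))", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def in_user_profile(path: str) -> bool:
    return any(marker in path.lower() for marker in PROFILE_MARKERS)


def review(log: str) -> list[Finding]:
    """Return the entries a helper would ask about or script for removal."""
    findings: list[Finding] = []
    for line in log.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            host = (urlsplit(m["url"]).hostname or "").lower()
            if host not in DEFAULT_PAGE_HOSTS:
                findings.append(Finding(m.group(1), m["value"].strip(), f"non-default page: {host}"))
        elif m := O2_LINE.match(line):
            if m["name"] == "(no name)":
                findings.append(Finding("O2", m["clsid"], "unnamed BHO"))
            if in_user_profile(m["path"]):
                findings.append(Finding("O2", m["name"], "BHO loads from user profile"))
        elif m := O4_LINE.match(line):
            path = exe_path(m["cmd"])
            if in_user_profile(path):
                findings.append(Finding("O4", m["name"], f"autorun from user profile: {path}"))
        elif m := O23_LINE.match(line):
            if in_user_profile(m["path"]):
                findings.append(Finding("O23", m["name"], "service runs from user profile"))
    return findings


if __name__ == "__main__":
    for f in review(HJT_LOG):
        print(f"{f.kind:4} {f.name}: {f.reason}")
```

On the sample it flags the ask.com start page, the unnamed Ask BHO and the autorun under Local Settings, and passes the Spybot, iTunes and Bonjour entries.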
     
