Solved Have a lot of virus problems!


tpw

Hi, I have been having a lot of problems with viruses. 2 weeks ago I got a trojan, and I think the file that was infected was rundll.32; it wouldn't let me get on the internet, so I had to take it to a shop to get it fixed. I got the computer back, and around a week later I got a virus; it was a program called Security Suite, but I saw my antivirus pop up asking me to allow or deny, and I clicked deny before it popped up the virus in my system tray. It acted as if it was an antivirus program, and when I would try to go on the internet it would not allow me; just their page popped up for the program, wanting me to buy it, not run a trial, but I never installed a trial. Before all of this I was using Avira and Comodo Firewall; I uninstalled Comodo Firewall after using it for a long time to see if it was lagging my computer, then 3 weeks later I got the 1st trojan. But back to my story: after getting the 2nd virus I went back to the shop and they fixed it, supposedly, but I noticed a few hours after I got my computer back that the same thing happened; this time I had Spybot running and it asked, I clicked deny, but I still got it. So I did not have internet, and this time every desktop icon I clicked on said infected, so I went into safe mode, scanned with Spybot, found 3 things, removed them, and booted again. I noticed I could click on icons fine but had no internet, so I did a System Restore, which fixed it. But I just want to make sure everything is fine with my computer, so I did a few scans; I used Malwarebytes and found 6 things and I removed them, but I've got the log. Sorry for typing so much, it is morning time and I am tired. Please help, and thanks.

Also, after getting the computer back the 1st time I have the free Microsoft antivirus. I kinda don't like it. I know virus protection doesn't mean you can't get an infection, but I figure there might be something better out there. What do you all think is the best antivirus and firewall for me? I tried scanning with the Microsoft antivirus and it did not find anything this time, but I see what it found last time when I was infected. Can I get a log from that last scan? Anybody know how, so I can post that too? Thanks.
 
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4450

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/19/2010 9:37:16 PM
mbam-log-2010-08-19 (21-37-16).txt

Scan type: Full scan (C:\|)
Objects scanned: 186657
Time elapsed: 49 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Local Settings\temp\0.2627595211782293.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\Documents and Settings\User\Local Settings\temp\2.0519374765602525E7.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\tijuwtshc\ihqyqvushdw.exe.vir (Rogue.SecuritySuite) -> No action taken.
C:\System Volume Information\_restore{A524198C-6043-4347-8DCC-31FB4EBB5391}\RP4\A0002080.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\System Volume Information\_restore{A524198C-6043-4347-8DCC-31FB4EBB5391}\RP4\A0002081.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\WINDOWS\system32\oobe\AntiWPA_Crypt.dll (Hacktool) -> No action taken.
 
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-20 02:21:55
Windows 5.1.2600 Service Pack 3
Running: n8nuzrsb.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\pgldapoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF529B620]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF753B360, 0x37388D, 0xE8000020]
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF7420510]
.text C:\Program Files\CyberLink\PowerDVD9\000.fcl section is writeable [0xBA2F8000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD9\000.fcl entry point in ".vmp2" section [0xBA31B050]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x2C 0xC3 0xFA 0x9D ...
Reg HKLM\SOFTWARE\Classes\CLSID\{b998f049-44ac-4e02-be1d-5a79ca902455}@Model 231
Reg HKLM\SOFTWARE\Classes\CLSID\{b998f049-44ac-4e02-be1d-5a79ca902455}@Therad 17

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 09: copy of MBR

---- EOF - GMER 1.0.15 ----
 
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/3/2010 5:03:26 PM
System Uptime: 8/20/2010 2:22:43 AM (0 hours ago)

Motherboard: | | P4M800CE-8237
Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Socket 775 | 3060/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 11.568 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 8/18/2010 6:24:56 PM - System Checkpoint
RP2: 8/19/2010 2:40:20 PM - Software Distribution Service 3.0
RP3: 8/19/2010 7:38:54 PM - still mess up
RP4: 8/19/2010 7:39:26 PM - Restore Operation
RP5: 8/19/2010 7:46:06 PM - working again
RP6: 8/19/2010 7:54:45 PM - Software Distribution Service 3.0
RP7: 8/20/2010 12:04:50 AM - Installed Java(TM) 6 Update 21

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
Adobe Shockwave Player 11.5
AIM 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Bonjour
CCleaner
Compatibility Pack for the 2007 Office system
CyberLink PowerDVD 9
Download Updater (AOL LLC)
FrostWire 4.20.7
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Internet Download Manager
iTunes
Java Auto Updater
Java(TM) 6 Update 21
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8 Lite 8.3.2.1
neroxml
NVIDIA Drivers
OGA Notifier 2.0.0048.0
OpenOffice.org 3.0
Opera 10.60
QuickTime
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Spybot - Search & Destroy
SUPERAntiSpyware
TeamViewer 5
The KMPlayer (remove only)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WeatherBug
WebFldrs XP
Winamp
Winamp Detector Plug-in
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
WinRAR archiver
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

8/19/2010 9:41:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp
8/19/2010 9:41:18 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
8/19/2010 12:43:43 PM, error: Dhcp [1002] - The IP address lease 10.10.1.129 for the Network Card with network address 00E04D3C36B0 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
8/18/2010 6:24:51 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
8/18/2010 6:09:53 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.87.1874.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6004.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
8/18/2010 6:02:10 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
8/18/2010 6:02:09 PM, error: SRService [104] - The System Restore initialization process failed.
8/16/2010 1:33:18 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00E04D3C36B0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
8/15/2010 5:05:25 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/15/2010 4:26:36 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
8/15/2010 2:29:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
8/15/2010 2:21:01 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.87.1874.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6004.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
8/15/2010 2:08:16 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.87.1874.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6004.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
8/15/2010 12:13:09 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.87.1874.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6004.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
8/15/2010 12:13:09 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
8/15/2010 12:03:12 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/15/2010 12:03:12 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 12:03:12 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 12:03:12 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 12:03:12 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 12:03:12 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 12:03:12 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 12:03:11 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================
 
DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 2:28:17.78 on Fri 08/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.62 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Documents and Settings\User\My Documents\Downloads\Programs\dds.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\w0iucppe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=14196&l=dis
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FWV5&o=14193&locale=en_US&q=
FF - component: c:\documents and settings\user\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/04/03 17:07:28];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2010-8-6 24652]

=============== Created Last 30 ================

2010-08-20 04:06:26 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-20 00:44:43 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-08-20 00:44:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-20 00:44:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-20 00:44:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-20 00:44:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 00:38:11 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-08-20 00:38:11 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-20 00:37:45 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-19 23:40:21 0 d-----w- c:\windows\system32\wbem\Repository
2010-08-19 14:05:08 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-19 14:05:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-18 22:13:04 0 d-sha-r- C:\cmdcons
2010-08-18 22:02:10 98816 ----a-w- c:\windows\sed.exe
2010-08-18 22:02:10 77312 ----a-w- c:\windows\MBR.exe
2010-08-18 22:02:10 256512 ----a-w- c:\windows\PEV.exe
2010-08-18 22:02:10 161792 ----a-w- c:\windows\SWREG.exe
2010-08-16 17:31:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2010-08-16 17:31:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-08-15 18:31:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-13 21:44:16 0 d-----w- c:\windows\system32\Adobe
2010-08-09 23:56:44 0 d-----w- c:\docume~1\user\applic~1\WeatherBug
2010-08-09 23:56:06 0 d-----w- c:\program files\AWS
2010-08-08 17:06:01 0 d-----w- c:\windows\pss
2010-08-08 07:02:32 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-08-08 07:02:27 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-08-08 07:02:16 0 d-----w- c:\windows\Logs
2010-08-08 07:02:07 0 d-----w- c:\program files\Winamp Detect
2010-08-07 18:42:51 0 d-----w- c:\windows\system32\appmgmt
2010-08-06 22:50:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Viewpoint
2010-08-06 22:49:59 0 d-----w- c:\program files\Viewpoint
2010-08-06 22:34:06 0 d-----w- c:\program files\AIM6
2010-08-06 06:47:50 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2010-08-06 06:42:07 0 d-----w- c:\program files\common files\Software Update Utility
2010-08-06 06:39:03 0 d-----w- c:\program files\common files\AOL
2010-08-06 06:36:26 1512 ---ha-w- C:\IPH.PH
2010-08-05 17:54:22 0 d-----w- c:\docume~1\user\applic~1\FrostWire
2010-08-05 17:52:09 0 d-----w- c:\program files\Ask.com
2010-08-05 17:51:49 0 d-----w- c:\program files\FrostWire
2010-08-05 01:14:09 69 ----a-w- c:\windows\NeroDigital.ini
2010-08-04 23:54:39 0 d-----w- c:\windows\SxsCaPendDel
2010-08-04 23:53:17 0 d-----w- c:\program files\Yahoo!
2010-08-04 23:34:32 0 d-----w- c:\program files\common files\Canon
2010-08-04 23:28:13 0 d-----w- c:\docume~1\user\applic~1\IDM
2010-08-04 23:28:13 0 d-----w- c:\docume~1\user\applic~1\DMCache
2010-08-04 23:27:07 0 d-----w- c:\program files\Internet Download Manager
2010-08-04 22:33:59 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-08-04 22:33:59 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-04 13:29:05 0 d-----w- C:\old data
2010-08-03 21:49:59 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-03 21:48:08 186097 ----a-w- c:\windows\system32\nvapps.xml
2010-08-03 21:48:05 446464 ----a-w- c:\windows\system32\nvudisp.exe
2010-08-03 21:48:05 18070 ----a-w- c:\windows\system32\nvdisp.nvu
2010-08-03 21:48:05 0 d-----w- c:\windows\nview
2010-08-03 21:47:53 0 d-----w- c:\windows\system32\ReinstallBackups
2010-08-03 21:46:50 0 d-----w- c:\program files\Realtek Sound Manager
2010-08-03 21:46:49 0 d-----w- c:\program files\AvRack
2010-08-03 21:35:08 0 d-----w- C:\Drivers
2010-08-03 21:16:02 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-08-03 21:02:12 6557408 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
2010-08-03 21:02:12 6557408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-08-03 21:02:12 6108928 ----a-w- c:\windows\system32\nv4_disp.dll
2010-08-03 21:02:00 44672 ----a-w- c:\windows\system32\drivers\UAGP35.SYS
2010-08-03 21:01:49 30208 ----a-w- c:\windows\system32\drivers\usbehci.sys
2010-08-03 21:01:48 7168 ----a-w- c:\windows\system32\hccoin.dll
2010-08-03 21:01:32 27165 ----a-w- c:\windows\system32\drivers\fetnd5.sys

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-02 20:51:47 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2010-04-03 21:43:35 540672 --sha-w- c:\windows\system32\config\systemprofile\iecompatcache\index.dat
2010-04-03 19:43:52 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2010-04-17 20:04:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2010-03-29 23:06:29 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2010-03-29 23:06:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010032920100330\index.dat
2010-04-03 21:43:35 16384 --sha-w- c:\windows\system32\config\systemprofile\privacie\index.dat

============= FINISH: 2:29:13.39 ===============
 
Welcome to TechSpot. I am reviewing your problems and checking the logs now.

When you ran Malwarebytes, you did not check the line for it to remove the entries it found, so all of the malware shows No action taken. Please update Mbam and run the scan again, paying particular attention to the line: Be sure that everything is checked, and click Remove Selected. Post the new log.

After you rescan with Malwarebytes, Please run the following scans:

Please download ComboFix from Here and save to your Desktop.

  [1]. Do NOT rename Combofix unless instructed.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
  NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
  Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
==========================================
Follow that with
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please paste this on your post. If it is too large for one post, split it.

I am setting up some script to remove bad entries using Combofix.

Please don't run any other scans. Do not use the file sharing programs while we are cleaning.
 
Bobby, the stuff it found is in quarantine. Can I just remove it from there and go to the step with the virus scan from NOD32?
 
Nothing was found, but from the scan before, the stuff it found was put in quarantine. I am going to remove them and move on to the next 2 steps.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4453

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/20/2010 1:53:20 PM
mbam-log-2010-08-20 (13-53-20).txt

Scan type: Full scan (C:\|)
Objects scanned: 186765
Time elapsed: 53 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
8/19/2010 9:37:16 PM
mbam-log-2010-08-19 (21-37-16).txt

Scan type: Full scan (C:\|)
Objects scanned: 186657
Time elapsed: 49 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6
The entries in System Volume mean the malware is in the restore points, not active in the system. I will have you remove the old restore points when we have finished.

The entry in the Qoobox indicates you previously ran Combofix and a file was quarantined. Qoobox is where those files are sent. It also indicates that Combofix wasn't uninstalled when you were finished, as the logs in it are also removed.

The remaining 3 entries showed active malware in the system, showing at that time > No Action Taken. The 2 files that are 'temp' could have been removed when you ran TFC.
C:\Documents and Settings\User\Local Settings\temp\0.2627595211782293.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\Documents and Settings\User\Local Settings\temp\2.0519374765602525E7.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\tijuwtshc\ihqyqvushdw.exe.vir (Rogue.SecuritySuite) -> No action taken.
C:\System Volume Information\_restore{A524198C-6043-4347-8DCC-31FB4EBB5391}\RP4\A0002080.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\System Volume Information\_restore{A524198C-6043-4347-8DCC-31FB4EBB5391}\RP4\A0002081.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\WINDOWS\system32\oobe\AntiWPA_Crypt.dll (Hacktool) -> No action taken.
========================================
8/20/2010 1:53:20 PM
mbam-log-2010-08-20 (13-53-20).txt
Scan type: Full scan (C:\|)
Objects scanned: 186765
Time elapsed: 53 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

These logs don't make much sense. Malware doesn't just disappear! If you had run Mbam again, it would show the entries as 'Quarantined' unless either the shop trip or help elsewhere removed them.

When did you run Combofix?
What was done between the 2 Mbam scans?
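As an added example, not code from this thread or from Malwarebytes, here is a small Python triage script that applies the reading given in the replies above to Malwarebytes 1.x "Files Infected" lines: it separates entries left at "No action taken" (the box was not checked) from handled ones, and classifies each path as restore-point, ComboFix (Qoobox) quarantine, temp, or active, which is the distinction the reply draws. The sample log is constructed from the entries quoted in this thread, with the action on one temp file changed so a handled entry appears too.

```python
"""Triage Malwarebytes 1.x "Files Infected" log lines the way the replies above read them."""
import re
from collections import Counter

# Constructed sample, assembled from the entries quoted in this thread; the
# action on the second temp file is changed to show what a handled entry looks like.
SAMPLE_LOG = r"""Files Infected: 5
C:\Documents and Settings\User\Local Settings\temp\0.2627595211782293.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\Documents and Settings\User\Local Settings\temp\2.0519374765602525E7.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\tijuwtshc\ihqyqvushdw.exe.vir (Rogue.SecuritySuite) -> No action taken.
C:\System Volume Information\_restore{A524198C-6043-4347-8DCC-31FB4EBB5391}\RP4\A0002080.exe (Trojan.FakeAlert.Gen) -> No action taken.
C:\WINDOWS\system32\oobe\AntiWPA_Crypt.dll (Hacktool) -> No action taken.
"""

# One detection line: <path> (<threat name>) -> <action>.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?\s*$"
)

# Why each location matters, in the terms the reply uses.
LOCATION_NOTES = {
    "restore-point": "inside System Restore data: not active; cleared by purging old restore points",
    "combofix-quarantine": "already in ComboFix's Qoobox quarantine: not active; goes away when ComboFix is uninstalled",
    "temp": "temporary file: cleared by a temp cleaner such as TFC",
    "active": "active location: must be quarantined or removed by the scanner",
}


def classify_location(path):
    """Map a detected file path to one of the four categories above."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"
    if "\\temp\\" in p:
        return "temp"
    return "active"


def parse_mbam_log(text):
    """Return one dict per detection line; headers and count lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["location"] = classify_location(entry["path"])
        # "No action taken" means the checkbox was left unchecked, so the file is still there.
        entry["handled"] = not entry["action"].lower().startswith("no action taken")
        entries.append(entry)
    return entries


def unresolved_active(entries):
    """Detections that still need attention: active location and nothing done."""
    return [e for e in entries if e["location"] == "active" and not e["handled"]]


def summarize(entries):
    """Count detections per location category."""
    return Counter(e["location"] for e in entries)


def report(text):
    """Human-readable triage of a log excerpt."""
    entries = parse_mbam_log(text)
    lines = []
    for e in entries:
        state = "handled" if e["handled"] else "NO ACTION TAKEN"
        lines.append("%s [%s] %s -> %s" % (state, e["location"], e["threat"], e["path"]))
        lines.append("    " + LOCATION_NOTES[e["location"]])
    pending = unresolved_active(entries)
    lines.append("%d detection(s) still active and unhandled" % len(pending))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```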
 
Bobbie, I went into Malwarebytes and went into the quarantine folder and deleted them. I posted the Combofix log above.
 
The Eset log shows you have pirated software:

C:\Documents and Settings\User\My Documents\stuff\TuneUp.Utilities.2009.v8.0.3100.Incl.Keygen-RAiD.DM999\RAiD_KeyGen\RAID-TUU2009KG.exe probably a variant of Win32/Agent.CLQINBT trojan 00000000000000000000000000000000

You pirated a security program??? And you got malware from it! I think that might be considered justice. In order to continue support, you will have to remove the pirated program.
 
I removed the stuff from Malwarebytes earlier today and the file that NOD32 found. Is there anything else I need to do? Is there better virus protection and a firewall than the Microsoft security suite and Spybot? Thanks.
 
For a computer with Windows XP and 512 gb of ram, I am looking at Kaspersky Internet Security Suite. I think it says 2 gb of ram on one site that rates different programs. I notice Comodo security suite is like 125 but don't know how good it is. If there is another you recommend, let me know.
 
Removing a program:
  1. Control Panel> Add/Remove Programs
  2. Find TuneUp.Utilities.2009> Highlight> Uninstall.
  3. Open Windows Explorer (Windows Key+E)
  4. Click on My Computer> Double click on Local Drive (usually C)> Programs
  5. Scroll down to TuneUp Utilities and do a right click> Delete on the program folder.
  6. Close Windows Explorer
  7. Search your computer for TuneUp Utilities and delete any left over files you find.
=====================================
Please run this Custom CFScript

  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
C:\Documents and Settings\User\My Documents\stuff\TuneUp.Utilities.2009.v8.0.3100.Incl.Keygen-RAiD.DM999\RAiD_KeyGen\RAID-TUU2009KG.exe 
c:\documents and settings\User\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Ask.com\UpdateTask.exe
Folder::
c:\documents and settings\User\Local Settings\Application Data\WeatherBug
c:\documents and settings\User\Application Data\WeatherBug
c:\documents and settings\User\Local Settings\Application Data\AskToolbar
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Ask.com
c:\program files\Viewpoint
C:\old data		
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=- 
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

RegLock:
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{b998f049-44ac-4e02-be1d-5a79ca902455}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Driver::
Viewpoint Manager Service
Extra::
File::
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
Firefox::
Firefox-: Profile- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\w0iucppe.default\
Firefox-: prefs.js - Startup.Homepage
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into your next reply.
====================
 
No, you just gave me the same Combofix logs as the first one. You're not looking for a link- you already have Combofix installed, you have already run a scan.

Please go back to my Reply #17 and follow the directions beginning with:
Please run this Custom CFScript which you will run through the Combofix program already on your system.

It will produce a new log which you should paste in your next reply. There is no new link- just follow the steps.
 
Did you copy everything in the Code box?

How is the system running now. We're not through yet, but there should be some improvement.

Have you intentionally set the Homepage in Firefox to be ask.com?
 
Computer seems to be running fine. It's some other problem I want an answer to, but nothing to do with viruses. On Firefox, not sure if I set ask.com as homepage, but Firefox is running fine.
 
If you're not sure whether you set ask.com as the homepage, then you didn't. I had that in the script to change it back to default. But the change wasn't made, which was why I asked if you copied all the code. Please be sure you copy everything in the code box:

Please run this: Custom CFScript


  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
DDS::
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
Folder::
Extra::
File::
c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
Firefox::
Firefox-: Profile- c:\docume~1\user\applic~1\mozilla\firefox\profiles\w0iucppe.default\
Firefox-: prefs.js - Startup.Homepage
Firefox-: prefs.js - Search.DefaultURL
Firefox-: prefs.js - keyword.URL

RegLock:
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{b998f049-44ac-4e02-be1d-5a79ca902455}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Follow by downloading the HijackThis installer HERE and saving it to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Both logs should be pasted in next reply please.

P2P/File Sharing Warning:

Continued use of LimeWire and Frostwire, which are both File Sharing programs, will probably lead to continued malware. I am recommending that you uninstall both LimeWire and Frostwire for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
 
Here is the Combofix log again. I think I am keeping ask.com because Spybot came up twice. The 1st time I am not sure if I wanted to change the home page for IE or Firefox and I think I might have clicked; then when I restarted it asked me again if I wanted to change the homepage on IE and I clicked allow. If you want me to do it again I will, no problem.

HijackThis log here

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:45:17 PM, on 8/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /I:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /I:U shell32 (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 5891 bytes
 

Attachments: combofix 2.txt (25.5 KB)