TechSpot

Problem after running TFC step

Solved
By aegisrose
Jun 3, 2010
Topic Status:
Not open for further replies.
  1. Hello TechSpot friends!
    I have a misbehaving HP laptop here... My friend states that after what looked like a legit windows "update protection center" click, suddenly new icons appeared on her desktop, including pornotube, youporn, and other such delightful icons.

    I ran an Avira scan, and then ran the TFC step... now, anytime I try to open anything, the "Open With" window pops up asking me to choose a program to open the file. I thought it was just iexplore at first, but I tried the safe icons on the desktop (skype, avira control center and HP support center) and they all either ask for me to choose a program, or say "application not found".

    I tried going through "start > all programs" but get the same result.

    Any suggestions? :confused:

    THANKS!
    ~AegisRose
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Try doing a System Restore to before you ran TFC.

    Then, if you want us to check for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.

    There is not enough information to do anything else.

    Please don't use any other cleaning programs or scans while I'm helping you unless I direct you to. Do not use a Registry cleaner or make any Registry changes.
  3. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    Thanks for the response Bobbye... I can do it when I get home from work.

    Would you happen to have some instructions for system restore steps with Windows 7? I'm still learning my way around this OS.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'm on a new Dell mini learning my way around Windows 7:

    Control Panel> Action Center> Recovery> Open System Restore.

    You may have to set the backup feature. It doesn't look like the system creates restore points by default every 24 hours like Win XP, or I haven't found it yet.
  5. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    Hello Bobbye~
    I did the system restore... I was able to update Avira, run that scan, then subsequently, I ran TFC without any problems. I've also made sure the windows updates were up-to-date, and java as well (i also deleted some older javas).
    I downloaded GMER to the desktop, and when I attempted to run it, it immediately crashes. I made sure all apps were closed and I was not connected to any network. I just attempted in Safe Mode, and it does the same thing. I did delete, then re-download it, but same result.

    Can you assist? :)
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You can try not checking Devices when you run GMER. If it's still a problem, please go on with the rest of the steps and leave the logs.
  7. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    Thank you Bobbye... since GMER doesn't open even to the point where I can check/uncheck devices, I've proceeded with the rest of the steps.

    Malwarebytes log
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4168

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    6/3/2010 10:06:54 PM
    mbam-log-2010-06-03 (22-06-54).txt

    Scan type: Quick scan
    Objects scanned: 121056
    Time elapsed: 2 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rthdbpl (Trojan.Agent) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Users\Sandi\AppData\Roaming\SystemProc (Trojan.Agent) -> No action taken.

    Files Infected:
    C:\Users\Sandi\Desktop\pornotube.com.lnk (Rogue.Link) -> No action taken.


    DDS log:

    DDS (Ver_10-03-17.01) - NTFSX64
    Run by Sandi at 21:16:38.76 on Sat 06/05/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4092.2984 [GMT -4:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Hpservice.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe
    C:\Program Files\LSI SoftModem\agr64svc.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
    C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
    C:\Windows\system32\taskeng.exe
    c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
    c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    c:\Program Files (x86)\MSN\Toolbar\3.0.0560.0\msntask.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Sandi\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://samira-bellydance.com/
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
    mLocal Page = c:\windows\syswow64\blank.htm
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files (x86)\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: hpBHO Class: {abd3b5e1-b268-407b-a150-2641dab8d898} - c:\program files (x86)\common files\homepage protection\HomepageProtection.dll
    BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files (x86)\msn\toolbar\3.0.0560.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files (x86)\msn\toolbar\3.0.0560.0\msneshellx.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [LightScribe Control Panel] c:\program files (x86)\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [TomTomHOME.exe] "c:\program files (x86)\tomtom home 2\TomTomHOMERunner.exe"
    mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [HPCam_Menu] "c:\program files (x86)\hewlett-packard\media\webcam\muitransfer\muistartmenu.exe" "c:\program files (x86)\hewlett-packard\media\webcam" updatewithcreateonce "software\hewlett-packard\media\Webcam"
    mRun: [QlbCtrl.exe] c:\program files (x86)\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [WirelessAssistant] c:\program files (x86)\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [avgnt] "c:\program files (x86)\avira\antivir desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
    uPolicies-system: WallpaperStyle = 2
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    dPolicies-system: WallpaperStyle = 2
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files (x86)\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files (x86)\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\SKYPE4~1.DLL
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files (x86)\common files\lightscribe\LSRunOnce.exe"
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun-x64: [SmartMenu] c:\program files\hewlett-packard\hp mediasmart\SmartMenu.exe /background

    ============= SERVICES / DRIVERS ===============

    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-11-6 89600]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-7-2 203264]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\avira\antivir desktop\sched.exe [2009-12-8 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files (x86)\avira\antivir desktop\avguard.exe [2009-12-8 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-8 74880]
    R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2009-7-8 30520]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
    R3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-8-15 228408]
    R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2009-6-29 70656]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-11-6 215040]
    R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2009-11-6 36408]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\netw5v64.sys [2009-6-10 5434368]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL6.SYS [2009-7-13 292864]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-4 1255736]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x64.sys [2009-6-10 389120]

    =============== Created Last 30 ================

    2010-06-04 02:13:44 0 d-----w- c:\windows\pss
    2010-06-04 02:03:26 0 d-----w- c:\users\sandi\appdata\roaming\Malwarebytes
    2010-06-04 02:01:13 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-04 02:01:13 0 d-----w- c:\programdata\Malwarebytes
    2010-06-04 02:01:13 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2010-06-04 01:53:52 0 d-----w- c:\programdata\Sun
    2010-06-04 01:53:35 411368 ----a-w- c:\windows\syswow64\deployJava1.dll
    2010-06-04 01:53:35 153376 ----a-w- c:\windows\syswow64\javaws.exe
    2010-06-04 01:53:35 145184 ----a-w- c:\windows\syswow64\javaw.exe
    2010-06-04 01:53:35 145184 ----a-w- c:\windows\syswow64\java.exe
    2010-06-04 00:18:59 65536 --sha-w- c:\users\sandi\ntuser.dat{fb16c3b2-6f06-11df-aba6-00269e7b5f16}.TM.blf
    2010-06-04 00:18:59 524288 --sha-w- c:\users\sandi\ntuser.dat{fb16c3b2-6f06-11df-aba6-00269e7b5f16}.TMContainer00000000000000000002.regtrans-ms
    2010-06-04 00:18:59 524288 --sha-w- c:\users\sandi\ntuser.dat{fb16c3b2-6f06-11df-aba6-00269e7b5f16}.TMContainer00000000000000000001.regtrans-ms
    2010-06-01 21:13:15 0 d-----w- c:\users\sandi\appdata\roaming\Protection Center
    2010-05-25 20:52:26 2048 ----a-w- c:\windows\syswow64\tzres.dll
    2010-05-25 20:52:26 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-05-16 23:28:02 0 d-----w- c:\programdata\{DA06AA03-DF24-4ECE-939E-1B0939235C66}
    2010-05-11 20:44:40 976896 ----a-w- c:\windows\system32\inetcomm.dll
    2010-05-11 20:44:39 740864 ----a-w- c:\windows\syswow64\inetcomm.dll

    ==================== Find3M ====================

    2010-05-26 12:35:20 952 --sha-w- c:\programdata\KGyGaAvL.sys
    2010-05-12 15:21:16 270208 ------w- c:\windows\system32\MpSigStub.exe
    2010-03-08 21:59:59 612352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-08 21:33:56 427520 ----a-w- c:\windows\syswow64\vbscript.dll
    2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
    2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2010-01-22 02:01:30 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2010-01-22 02:01:40 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 21:17:26.18 ===============


    Attach (from DDS) is attached as zip file.

    Attached Files:
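The "Pseudo HJT Report" section of the DDS log above lists start pages, browser helper objects, toolbars and autorun entries in a fixed line format. The following Python script is an added example, not code from this thread, from DDS or from TechSpot, that parses that format and pulls out what a reviewer checks first: COM registrations that point at "No File", autorun entries whose image lives under a user profile, unnamed autorun entries, and the host behind each start page. The sample input is constructed from lines of the log above plus one autorun entry built from the `rthdbpl` value name and `SystemProc` folder reported in the Malwarebytes log; the executable name in that entry is a placeholder, not a value from the thread.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example, not code from the thread or from the DDS tool. It parses the
line formats visible in the DDS log above:
  uStart Page = hxxp://host/        (u = HKCU, m = HKLM, d = default user)
  BHO: Name: {CLSID} - path|No File  (also TB:, EB:, and the -X64 variants)
  mRun: [Name] command              (also uRun:, dRun:, and the -x64 variants)
and reports the entries a reviewer checks first.
"""
import re

SCOPE = {"u": "current user (HKCU)", "m": "machine (HKLM)", "d": "default user"}

START_PAGE_RE = re.compile(
    r"^(?P<scope>[umd])(?P<key>Start Page|Default_Page_URL|Local Page) = (?P<value>.+)$")
COM_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB)(?:-X64)?: (?:(?P<name>.*?): )?"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<scope>[umd])Run(?:-x64)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# DDS defangs URLs as hxxp://; keep them defanged and only lift out the host.
HOST_RE = re.compile(r"^hxxps?://([^/?#]+)", re.IGNORECASE)
# Locations a standard user can write to; an autorun here deserves a look.
USER_PROFILE_RE = re.compile(
    r"\\users\\[^\\]+\\|\\appdata\\|%appdata%|%userprofile%", re.IGNORECASE)


def parse_pseudo_hjt(text):
    """Split the report into start pages, COM objects (BHO/TB/EB) and autoruns."""
    start_pages, com_objects, autoruns = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = START_PAGE_RE.match(line)
        if m:
            host = HOST_RE.match(m.group("value"))
            start_pages.append({"scope": SCOPE[m.group("scope")], "key": m.group("key"),
                                "value": m.group("value"),
                                "host": host.group(1) if host else None})
            continue
        m = COM_RE.match(line)
        if m:
            com_objects.append({"kind": m.group("kind"), "name": m.group("name") or "",
                                "clsid": m.group("clsid").upper(), "path": m.group("path")})
            continue
        m = RUN_RE.match(line)
        if m:
            autoruns.append({"scope": SCOPE[m.group("scope")], "name": m.group("name"),
                             "command": m.group("cmd")})
    return start_pages, com_objects, autoruns


def triage_pseudo_hjt(text):
    """Return the entries worth a second look, grouped by why they were flagged."""
    start_pages, com_objects, autoruns = parse_pseudo_hjt(text)
    return {
        "start_pages": start_pages,
        # CLSID still registered but no DLL on disk: usually an uninstall leftover,
        # sometimes the trace of a removed add-on; confirm either way.
        "orphaned_com": [c for c in com_objects if c["path"].lower() == "no file"],
        "user_profile_autoruns": [a for a in autoruns if USER_PROFILE_RE.search(a["command"])],
        "unnamed_autoruns": [a for a in autoruns
                             if a["name"] in ("", "<NO NAME>") or not a["command"]],
    }


# Constructed sample: lines from the DDS log above plus one autorun entry built
# from the Run value name and folder the Malwarebytes log reported; the image
# name PLACEHOLDER.exe is a placeholder, not a value from the thread.
SAMPLE_REPORT = r"""
uStart Page = hxxp://samira-bellydance.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\syswow64\blank.htm
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [LightScribe Control Panel] c:\program files (x86)\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [<NO NAME>]
mRun: [avgnt] "c:\program files (x86)\avira\antivir desktop\avgnt.exe" /min
uRun: [rthdbpl] c:\users\sandi\appdata\roaming\SystemProc\PLACEHOLDER.exe
"""

if __name__ == "__main__":
    for key, entries in triage_pseudo_hjt(SAMPLE_REPORT).items():
        print(f"{key}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

The script deliberately does not refang the `hxxp://` URLs; the host alone is what a reviewer compares against the owner's answer (here the belly-dance site was set intentionally, the HP redirect is the OEM default). A "No File" entry is not evidence of infection on its own, which is why it is reported separately from the user-profile autoruns.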

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I noticed you had previous posts, so I looked back and now have this question:

    Is this the same machine?
    You referred to it as 'my old PC' several times, then wiped it, put on a legit Win CP, then updated to Win 7.

    If this is the same machine, I would guess the OS has never been installed correctly, there may be compatibility issues. There was a thread in April about a problem with the apps not opening. Are there multiple users on one machine? Or are these multiple machines?

    Looking at the Error Events in the DDS logs makes me think the Services aren't configured correctly, as many of the 'Dependencies' weren't available for the Service to start.

    Please check the status of the Services using the Black Viper site as a reference:
    http://www.blackviper.com/Windows_7/servicecfg.htm

    You can access the Services like this:
    Start> Run> type in services.msc> double click to open a Service> be sure to check the Dependency tab.

    This is best done in Safe Mode:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Please handle that first and then we can continue looking for malware.
  9. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    Hi Bobbye~ thanks for being so thorough!

    This is a completely separate machine. I'm sorta the "go to" gal among my friends for PC problems, and this one is no exception (friend's laptop). It can be time consuming, but I don't mind since I often get free rounds at the bar as thanks! LOL

    Anyhow~ I will check the Black Viper site and report back.

    Thanks!
    Aegis
  10. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    well... that was fun~ LOL

    I mirrored the "safe" column as far as services are concerned (except for the RDP stuff b/c I occasionally connect to this friend's laptop to help with odd crises).

    What should we do next?
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry- your reply slid down on my mail screen and I missed it!

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ==================================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please leave the logs in your next reply.

    I have to chuckle about this: you're the "go to" gal to get computers fixed. Then you come here for the fixing! According to my count, it's 6 machines and counting. Have you considered just referring the people to us in the first place?
  12. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    No worries~

    I tried running combo fix and I received an error: Incompatible OS... this laptop is running Win 7

    Thx,
    ~Aegis
  13. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    Oh.. I have! But most people are SO lazy... and you say something like "enable a windows service" and they flip out! I guess PC troubleshooting is scary stuff. ;)
    I truly don't mind since I learn so much each time. I do tell them where I do it, and they will sometimes look at the thread and their heads swim. Those logs look intimidating to some!
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Combofix will run on Windows 7, but it won't run on a 64-bit OS:
    • Download OTL from either of the links below and save it to your desktop.
      Link 1
      Link 2
    • Double click the OTL icon to run it.
    • The opened console will resemble this:
    • Set Output at the top to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      Make sure all other windows are closed and to let it run uninterrupted.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
    ===============================
    Follow with the Eset scan. I think that will work okay.
  15. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    OTL and Extras

    Hi Bobbye,
    Since each file was near 10k over the character limit, I zipped and attached them instead of making 4 posts.

    Hope that's ok...

    I'll work on Eset now.

    Attached Files:

  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Question:
    There are 2 Start pages as follows. Were either set intentionally by the owner?
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    Start Page = http://samira-bellydance.com/
  17. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    The samira-bellydance.com site was set by her (She's an instructor and that's her site).

    The other was not... looks suspicious. :p
  18. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    ESET scan yielded this...

    C:\Users\Sandi\AppData\Local\VirtualStore\Program Files (x86)\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul Win32/Dursg.A trojan
    C:\Users\Sandi\AppData\Roaming\Protection Center\cntprot.exe a variant of Win32/Kryptik.ESD trojan


    edit: That was the entire content of the text file.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There is a rogue spyware program on the system. It might have been handled in Malwarebytes, but you didn't check for removal. Did you go back, update and rescan with Malwarebytes, checking to be sure that everything is checked, and click "Remove Selected"?
    If not, please do so and leave the new log. Entries showed "No Action Taken".

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\Users\Sandi\AppData\Local\VirtualStore\Program Files (x86)\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul 
      C:\Users\Sandi\AppData\Roaming\Protection Center\cntprot.exe 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ========================================
    Please see this for specific information and screen shots of the Rogue Protection Center:
    http://www.bleepingcomputer.com/virus-removal/remove-protection-center
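The point raised above about the Malwarebytes log in reply #7 is that every entry ended in "No action taken": the scan listed the items but nothing was removed. The following Python script is an added example, not code from this thread or from Malwarebytes, that parses the MBAM 1.4x text log layout, cross-checks the summary counts against the listed items, and flags unresolved detections and anything sitting in a `CurrentVersion\Run` key (the persistence entry in this case). The sample log is constructed from the log posted in reply #7.

```python
"""Triage a Malwarebytes' Anti-Malware 1.4x text log.

Added example, not code from the thread or from Malwarebytes. It reads the
layout of the MBAM logs posted in this thread: a summary block of
"<Section> Infected: <count>" lines, followed by one "<Section> Infected:"
block per category that lists either "(No malicious items detected)" or
"<item> (<family>) -> <disposition>." lines.
"""
import re
from dataclasses import dataclass

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Autostart locations: a detection here is persistence, not just a dropped file.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str

    @property
    def unresolved(self):
        """True when the scan only listed the item and did not remove it."""
        return self.action.lower().startswith("no action taken")

    @property
    def persistence(self):
        return bool(RUN_KEY_RE.search(self.item))


def parse_mbam_log(text):
    """Return (summary counts by section, list of Detection) for one log."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m.group("item"), m.group("family"), m.group("action")))
    return counts, detections


def triage(text):
    """Summarise what still needs action in the log."""
    counts, detections = parse_mbam_log(text)
    per_section = {}
    for d in detections:
        per_section[d.section] = per_section.get(d.section, 0) + 1
    # A summary count that disagrees with the listed items means the log was
    # truncated or pasted incompletely; ask for the full file before acting on it.
    mismatched = sorted(name for name, n in counts.items() if per_section.get(name, 0) != n)
    return {
        "total": len(detections),
        "unresolved": [d for d in detections if d.unresolved],
        "persistence": [d for d in detections if d.persistence],
        "mismatched_sections": mismatched,
        "clean": not detections,
    }


# Constructed sample: the body of the log posted in reply #7 of this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4168

Scan type: Quick scan
Objects scanned: 121056
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rthdbpl (Trojan.Agent) -> No action taken.

Folders Infected:
C:\Users\Sandi\AppData\Roaming\SystemProc (Trojan.Agent) -> No action taken.

Files Infected:
C:\Users\Sandi\Desktop\pornotube.com.lnk (Rogue.Link) -> No action taken.
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} detections, {len(report['unresolved'])} unresolved, "
          f"{len(report['persistence'])} in autostart keys")
    for d in report["unresolved"]:
        print("  still present:", d.section, "->", d.item)
```

Run against the second log in this thread (reply #20), where every section reads "(No malicious items detected)", the same function returns `clean: True` and an empty `unresolved` list, which is the state the helper was asking the poster to confirm.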
  20. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    Malwarebytes response first:
    I was certain that I had checked and cleaned everything... hmmm.
    I updated Malwarebytes, and just ran another quick scan with no malware showing up. Should I run a full scan?

    RESULTS:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4186

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    6/10/2010 9:11:09 AM
    mbam-log-2010-06-10 (09-11-09).txt

    Scan type: Quick scan
    Objects scanned: 120970
    Time elapsed: 2 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  21. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    the OTM log

    OK, followed the OTM move instructions and here is the log...

    RESULTS:

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Users\Sandi\AppData\Local\VirtualStore\Program Files (x86)\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul moved successfully.
    C:\Users\Sandi\AppData\Roaming\Protection Center\cntprot.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    User: Sandi
    ->Temp folder emptied: 2955879 bytes
    ->Temporary Internet Files folder emptied: 118055398 bytes
    ->Java cache emptied: 10681033 bytes
    ->Flash cache emptied: 2297 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1997391 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 749 bytes
    RecycleBin emptied: 7711353 bytes

    Total Files Cleaned = 135.00 mb


    OTM by OldTimer - Version 3.1.12.2 log created on 06102010_093425

    Files moved on Reboot...
    C:\Users\Sandi\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\Sandi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SQWD56VX\ads[4].htm moved successfully.
    C:\Users\Sandi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S3Q1880X\ads[5].htm moved successfully.
    C:\Users\Sandi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S3Q1880X\topic147996[2].html moved successfully.
    C:\Users\Sandi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NBK5BE56\sh18[1].html moved successfully.
    C:\Users\Sandi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    C:\Users\Sandi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

    Registry entries deleted on Reboot...
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please advise me of specific problems that remain.
  23. aegisrose

    aegisrose TS Rookie Topic Starter Posts: 73

    The unwanted icons are gone from the desktop and internet browsing is zooming.

    But I did receive the following message from Avira just a little while ago. :(

    Virus or unwanted program 'TR/FakeCog.A.156 [trojan]'
    detected in file 'C:\_OTM\MovedFiles\06102010_093425\C_Users\Sandi\AppData\Roaming\Protection Center\cntprot.exe.
    Action performed: Delete file
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There was nothing for Avira to delete. I already moved the file to OTM\MovedFiles\. Please refer to the OTM results in Reply #21.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    NOW it's deleted!

    You might think this is inappropriate, but I'm going to say it anyway: I have a problem with you coming here for us to fix the computers that people bring to you to fix. It seems to me that you are misrepresenting yourself as you aren't doing the work. There appear to be 7 systems that you have had us do the work on that were given to you to do. You may bask in being the 'go to lady' but you're asking others to do the work.

    And when I questioned if these 7 were the same, you replied:
    Yes, it is time consuming! But all you're doing is following our directions. And then you get the thanks.