Solved Problem after running TFC step


aegisrose
Hello TechSpot friends!
I have a misbehaving HP laptop here... My friend states that after what looked like a legit windows "update protection center" click, suddenly new icons appeared on her desktop, including pornotube, youporn, and other such delightful icons.

I ran an Avira scan, and then ran the TFC step... now, anytime I try to open anything, the "Open With" window pops up asking me to choose a program to open the file. I thought it was just iexplore at first, but I tried the safe icons on the desktop (skype, avira control center and HP support center) and they all either ask for me to choose a program, or say "application not found".

I tried going through "start > all programs" but get the same result.

Any suggestions? :confused:

THANKS!
~AegisRose
 
Try doing a System Restore to before you ran TFC.

Then, if you want us to check for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

When you have finished, leave the logs for review in your next reply.

There is not enough information to do anything else.

Please don't use any other cleaning programs or scans while I'm helping you unless I direct you to. do not use a Registry cleaner or make any Registry changes.
 
Thanks for the response Bobbye... I can do it when I get home from work.

Would you happen to have some instructions for system restore steps with Windows 7? I'm still learning my way around this OS.
 
I'm on a new Dell mini learning my way around Windows 7:

Control Panel> Action Center> Recovery> Open System Restore.

You may have to set the backup feature. It doesn't look like the system creates restore points by default every 24 hours like Win XP, or I haven't found it yet.
 
Hello Bobbye~
I did the system restore... I was able to update Avira, run that scan, then subsequently, I ran TFC without any problems. I've also made sure the windows updates were up-to-date, and java as well (I also deleted some older javas).
I downloaded GMER to the desktop, and when I attempted to run it, it immediately crashes. I made sure all apps were closed and I was not connected to any network. I just attempted in Safe Mode, and it does the same thing. I deleted, then re-downloaded it, but same result.

Can you assist? :)
 
You can try not checking Devices when you run GMER. If it's still a problem, please go on with the rest of the steps and leave the logs.
 
Thank you Bobbye... since GMER doesn't open even to the point where I can check/uncheck devices, I've proceeded with the rest of the steps.

Malwarebytes log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4168

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/3/2010 10:06:54 PM
mbam-log-2010-06-03 (22-06-54).txt

Scan type: Quick scan
Objects scanned: 121056
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rthdbpl (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\Sandi\AppData\Roaming\SystemProc (Trojan.Agent) -> No action taken.

Files Infected:
C:\Users\Sandi\Desktop\pornotube.com.lnk (Rogue.Link) -> No action taken.


DDS log:

DDS (Ver_10-03-17.01) - NTFSX64
Run by Sandi at 21:16:38.76 on Sat 06/05/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4092.2984 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\system32\taskeng.exe
c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
c:\Program Files (x86)\MSN\Toolbar\3.0.0560.0\msntask.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Sandi\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://samira-bellydance.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\syswow64\blank.htm
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files (x86)\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: hpBHO Class: {abd3b5e1-b268-407b-a150-2641dab8d898} - c:\program files (x86)\common files\homepage protection\HomepageProtection.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files (x86)\msn\toolbar\3.0.0560.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files (x86)\msn\toolbar\3.0.0560.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [LightScribe Control Panel] c:\program files (x86)\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [TomTomHOME.exe] "c:\program files (x86)\tomtom home 2\TomTomHOMERunner.exe"
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [HPCam_Menu] "c:\program files (x86)\hewlett-packard\media\webcam\muitransfer\muistartmenu.exe" "c:\program files (x86)\hewlett-packard\media\webcam" updatewithcreateonce "software\hewlett-packard\media\Webcam"
mRun: [QlbCtrl.exe] c:\program files (x86)\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [WirelessAssistant] c:\program files (x86)\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [avgnt] "c:\program files (x86)\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
uPolicies-system: WallpaperStyle = 2
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: WallpaperStyle = 2
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files (x86)\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files (x86)\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files (x86)\common files\lightscribe\LSRunOnce.exe"
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [SmartMenu] c:\program files\hewlett-packard\hp mediasmart\SmartMenu.exe /background

============= SERVICES / DRIVERS ===============

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-11-6 89600]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-7-2 203264]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\avira\antivir desktop\sched.exe [2009-12-8 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files (x86)\avira\antivir desktop\avguard.exe [2009-12-8 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-8 74880]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2009-7-8 30520]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-8-15 228408]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2009-6-29 70656]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-11-6 215040]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2009-11-6 36408]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-4 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x64.sys [2009-6-10 389120]

=============== Created Last 30 ================

2010-06-04 02:13:44 0 d-----w- c:\windows\pss
2010-06-04 02:03:26 0 d-----w- c:\users\sandi\appdata\roaming\Malwarebytes
2010-06-04 02:01:13 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 02:01:13 0 d-----w- c:\programdata\Malwarebytes
2010-06-04 02:01:13 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-06-04 01:53:52 0 d-----w- c:\programdata\Sun
2010-06-04 01:53:35 411368 ----a-w- c:\windows\syswow64\deployJava1.dll
2010-06-04 01:53:35 153376 ----a-w- c:\windows\syswow64\javaws.exe
2010-06-04 01:53:35 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-06-04 01:53:35 145184 ----a-w- c:\windows\syswow64\java.exe
2010-06-04 00:18:59 65536 --sha-w- c:\users\sandi\ntuser.dat{fb16c3b2-6f06-11df-aba6-00269e7b5f16}.TM.blf
2010-06-04 00:18:59 524288 --sha-w- c:\users\sandi\ntuser.dat{fb16c3b2-6f06-11df-aba6-00269e7b5f16}.TMContainer00000000000000000002.regtrans-ms
2010-06-04 00:18:59 524288 --sha-w- c:\users\sandi\ntuser.dat{fb16c3b2-6f06-11df-aba6-00269e7b5f16}.TMContainer00000000000000000001.regtrans-ms
2010-06-01 21:13:15 0 d-----w- c:\users\sandi\appdata\roaming\Protection Center
2010-05-25 20:52:26 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-05-25 20:52:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-16 23:28:02 0 d-----w- c:\programdata\{DA06AA03-DF24-4ECE-939E-1B0939235C66}
2010-05-11 20:44:40 976896 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 20:44:39 740864 ----a-w- c:\windows\syswow64\inetcomm.dll

==================== Find3M ====================

2010-05-26 12:35:20 952 --sha-w- c:\programdata\KGyGaAvL.sys
2010-05-12 15:21:16 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-03-08 21:59:59 612352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 21:33:56 427520 ----a-w- c:\windows\syswow64\vbscript.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-22 02:01:30 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-22 02:01:40 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 21:17:26.18 ===============


Attach (from DDS) is attached as zip file.
 

I noticed you had previous posts, so I looked back and now have this question:

Is this the same machine?
1. Current: Problem after running TFC step>> about 6/3/2010
misbehaving HP laptop , Win 7
2. Win 7 frequent (not responding) messages on all applications> 4/13/2010
3. Upgraded to Win7 - various audio not working> 12/30/09
4. Audio not working on recently wiped PC>> 12/27/09
reinstalled Win XP
5.Want to wipe PC / unable to boot from disk>> 12/22/09
an old PC that is still worth saving; replacing pirated OS with legit copy of windows XP
6. Internet Browsers will not open - possible malware>> 11/21/09
my old XP machine

You referred to it as 'my old PC' several times, then wiped it, put on a legit Win XP, then updated to Win 7.

If this is the same machine, I would guess the OS has never been installed correctly, there may be compatibility issues. There was a thread in April about a problem with the apps not opening. Are there multiple users on one machine? Or are these multiple machines?

Looking at the Error Events in the DDS logs makes me think the Services aren't configured correctly, as many of the 'Dependencies' weren't available for the Service to start.

Please check the status of the Services using the Black Viper site as a reference:
http://www.blackviper.com/Windows_7/servicecfg.htm

You can access the Services like this:
Start> Run> type in services.msc> double click to open a Service> be sure to check the Dependency tab.

This is best done in Safe Mode:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Please handle that first and then we can continue looking for malware.
 
Hi Bobbye~ thanks for being so thorough!

This is a completely separate machine. I'm sorta the "go to" gal among my friends for PC problems, and this one is no exception (friend's laptop). It can be time consuming, but I don't mind since I often get free rounds at the bar as thanks! LOL

Anyhow~ I will check the Black Viper site and report back.

Thanks!
Aegis
 
well... that was fun~ LOL

I mirrored the "safe" column as far as services are concerned (except for the RDP stuff b/c I occasionally connect to this friend's laptop to help with odd crises).

What should we do next?
 
Sorry- your reply slid down on my mail screen and I missed it!

Please download ComboFix from Here and save to your Desktop.

  • 1. Do NOT rename Combofix unless instructed.
  • 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • 3. Close any open browsers.
  • 4. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  • 5. If Combofix asks you to install Recovery Console, please allow it.
  • 6. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • 7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
==================================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please leave the logs in your next reply.

I have to chuckle about this: you're the "go to" gal to get computers fixed. Then you come here for the 'fixing! According to my count, it's 6 machines and counting. Have you considered just referring the people to us in the first place?
 
No worries~

I tried running combo fix and I received and error: Incompatible OS... this laptop is running Win 7

Thx,
~Aegis
 
I have to chuckle about this: you're the "go to" gal to get computers fixed. Then you come here for the 'fixing! According to my count, it's 6 machines and counting. Have you considered just referring the people to us in the first place?

Oh.. I have! But most people are SO lazy... and you say something like "enable a windows service" and they flip out! I guess PC troubleshooting is scary stuff. ;)
I truly don't mind since I learn so much each time. I do tell them where I do it, and they will sometimes look at the thread and their heads swim. Those logs look intimidating to some!
 
Combofix will run on Windows 7, but it won't run on a 64bit OS:
  • Download OTL from either of the links below and save it to your desktop.
    Link 1
    Link 2
  • Double click the OTL icon to run it.
  • The opened console will resemble this (screenshot: OTLv3.1.5.0.gif):
  • Set Output at the top to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    Make sure all other windows are closed and to let it run uninterrupted.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
===============================
Follow with the Eset scan. I think that will work okay.
 
OTL and Extras

Hi Bobbye,
Since each file was near 10k over the character limit, I zipped and attached them instead of making 4 posts.

Hope that's ok...

I'll work on Eset now.
 

The samira-bellydance.com site was set by her (She's an instructor and that's her site).

The other was not... looks suspicious. :p
 
ESET scan yielded this...

C:\Users\Sandi\AppData\Local\VirtualStore\Program Files (x86)\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul Win32/Dursg.A trojan
C:\Users\Sandi\AppData\Roaming\Protection Center\cntprot.exe a variant of Win32/Kryptik.ESD trojan


edit: That was the entire content of the text file.
 
There is a rogue spyware program on the system. It might have been handled in Malwarebytes, but you didn't check for removal. Did you go back and update and rescan with Malwarebytes, checking to be sure that everything is checked, and click "Remove Selected"?
If not, please do so and leave the new log. Entries showed No Action Taken.

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Users\Sandi\AppData\Local\VirtualStore\Program Files (x86)\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul 
    C:\Users\Sandi\AppData\Roaming\Protection Center\cntprot.exe 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========================================
Please see this for specific information and screen shots of the Rogue Protection Center:
http://www.bleepingcomputer.com/virus-removal/remove-protection-center
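The point raised above, that the first Malwarebytes log shows every detection as "No action taken", is easy to check mechanically. The following is an added example, not Bobbye's or Malwarebytes' code: a small parser for the MBAM 1.x log format seen in this thread that lists the detections still waiting for removal. The sample log is constructed from the 6/3 log posted earlier, with one action changed to "Quarantined and deleted successfully." so both outcomes appear.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and flag detections
that were left in place ("No action taken")."""
import re
from typing import Dict, List, NamedTuple


class Detection(NamedTuple):
    section: str   # e.g. "Registry Values Infected"
    item: str      # registry value or file/folder path
    category: str  # e.g. "Trojan.Agent"
    action: str    # e.g. "No action taken"


# Constructed sample modelled on the 6/3/2010 log in this thread (not the
# full log; the .lnk action was changed to show the removed case).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4168

Registry Values Infected: 1
Folders Infected: 1
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\rthdbpl (Trojan.Agent) -> No action taken.

Folders Infected:
C:\\Users\\Sandi\\AppData\\Roaming\\SystemProc (Trojan.Agent) -> No action taken.

Files Infected:
C:\\Users\\Sandi\\Desktop\\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
"""

# A section header is "<Name> Infected:" with nothing after the colon; the
# summary lines near the top ("Files Infected: 1") therefore do not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*$")
# "<item> (<category>) -> <action>."  The non-greedy item lets paths such as
# "Program Files (x86)" keep their own parentheses.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?\s*$")


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line, tagged with the section it appeared under."""
    found: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if not section or not line or line.startswith("(No malicious"):
            continue
        hit = ITEM_RE.match(line)
        if hit:
            found.append(Detection(section, hit["item"], hit["category"], hit["action"]))
    return found


def untreated(detections: List[Detection]) -> List[Detection]:
    """Detections the user still has to remove: the 'No action taken' case."""
    return [d for d in detections if d.action.lower().startswith("no action taken")]


def summarize(text: str) -> Dict[str, int]:
    """Per-section detection counts; these should match the log's header counts."""
    counts: Dict[str, int] = {}
    for d in parse_mbam_log(text):
        counts[d.section] = counts.get(d.section, 0) + 1
    return counts


if __name__ == "__main__":
    for d in untreated(parse_mbam_log(SAMPLE_LOG)):
        print(f"[{d.section}] {d.item} ({d.category}) still present")
```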
 
Malwarebytes response first:
I was certain that I had checked and cleaned everything... hmmm.
I updated Malwarebytes, and just ran another quick scan with no malware showing up. Should I run a full scan?

RESULTS:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4186

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/10/2010 9:11:09 AM
mbam-log-2010-06-10 (09-11-09).txt

Scan type: Quick scan
Objects scanned: 120970
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
the OTM log

OK, followed the OTM move instructions and here is the log...

RESULTS:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Users\Sandi\AppData\Local\VirtualStore\Program Files (x86)\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul moved successfully.
C:\Users\Sandi\AppData\Roaming\Protection Center\cntprot.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Sandi
->Temp folder emptied: 2955879 bytes
->Temporary Internet Files folder emptied: 118055398 bytes
->Java cache emptied: 10681033 bytes
->Flash cache emptied: 2297 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1997391 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 749 bytes
RecycleBin emptied: 7711353 bytes

Total Files Cleaned = 135.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06102010_093425

Files moved on Reboot...
C:\Users\Sandi\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Sandi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SQWD56VX\ads[4].htm moved successfully.
C:\Users\Sandi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S3Q1880X\ads[5].htm moved successfully.
C:\Users\Sandi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S3Q1880X\topic147996[2].html moved successfully.
C:\Users\Sandi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NBK5BE56\sh18[1].html moved successfully.
C:\Users\Sandi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Users\Sandi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...
 
The unwanted icons are gone from the desktop and internet browsing is zooming.

But I did receive the following message from Avira just a little while ago. :(

Virus or unwanted program 'TR/FakeCog.A.156 [trojan]'
detected in file 'C:\_OTM\MovedFiles\06102010_093425\C_Users\Sandi\AppData\Roaming\Protection Center\cntprot.exe.
Action performed: Delete file
 
There was nothing for Avira to delete. I already moved the file to OTM\MovedFiles\. Please refer to OTM results in Reply #21.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

NOW it's deleted!

You might think this is inappropriate, but I'm going to say it anyway: I have a problem with you coming here for us to fix the computers that people bring to you to fix. It seems to me that you are misrepresenting yourself as you aren't doing the work. There appear to be 7 systems that you have had us do the work on that were given to you to do. You may bask in being the 'go to lady' but you're asking others to do the work.

And when I questioned if these 7 were the same, you replied:
This is a completely separate machine. I'm sorta the "go to" gal among my friends for PC problems, and this one is no exception (friend's laptop). It can be time consuming, but I don't mind since I often get free rounds at the bar as thanks! LOL

Yes, it is time consuming! But all you're doing is following our directions. And then you get the thanks.
 