TechSpot

Problems with 8-step removal

By cjk1
May 31, 2010
  1. Hi,
    I'm in the process of trying to complete the 8 steps for malware removal, but am having problems with the TFC step. Every time I try it, the program becomes unresponsive and my computer freezes. Is there an alternative program I can use for this step? Thanks for the help!
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Try doing a Disk Cleanup from within the operating system. TFC shouldn't cause what you describe; it's to clean temporary internet files.
     
  3. cjk1

    cjk1 TS Rookie Topic Starter Posts: 16

    Thanks. Now, I am unable to open the Microsoft Update page. I am repeatedly told that there is a connection problem or that the connection has been reset, but have no problems going to other sites.
     
  4. Bobbye

    There are frequent complaints about not being able to access the update site, with or without malware! Try again at a different time.


    If this is stopping you from doing the scans, skip it for now and go on.
     
  5. cjk1

    Thanks again. I skipped the windows updater and I'm attaching the logs.
     


  6. cjk1

    For some reason I cannot attach dds.txt. Here is the first part.

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 15:27:44.53 on Tue 06/01/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.245 [GMT -5:00]

    AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

    ============== Running Processes ===============

    C:\windows\system32\svchost -k DcomLaunch
    svchost.exe
    C:\windows\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\windows\zHotkey.exe
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\windows\system32\ctfmon.exe
    svchost.exe
    C:\windows\eHome\ehRecvr.exe
    C:\windows\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\windows\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    svchost.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\windows\eHome\ehmsas.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\windows\system32\wscntfy.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr
     
  7. cjk1

    Sorry, I think the pasting was a dumb idea on my part. Will try to attach again later, unless you have another suggestion.
     
  8. Bobbye

    Attaching is fine for these logs.
     
  9. cjk1

    Ok, here is the dds log. It would not attach after multiple attempts until I removed these lines:

    Trusted Zone: microsoft.com\upd ate
    Trusted Zone: microsoft.com\windows update

    Not sure if it is just a weird fluke or what. Thanks so much!

    (added spaces in the log lines because I also could not post them to forum without a connection reset.)
     

    Attached Files: DDS.txt (16.4 KB)
  10. Bobbye

    The system is badly infected. Malwarebytes has removed a lot of files, but there will be more. You have numerous rogue programs running; I can't tell whether you installed some hoping to clean the system or whether your security is so bad they all accessed the system!

    To begin: Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename ComboFix unless instructed.
    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
    NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If ComboFix asks you to install Recovery Console, please allow it.
    6. If ComboFix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.

    Then Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    I'll be setting up a script to remove some entries, but I'll give ComboFix the chance to remove some.
    Please leave the Combofix report and Eset log in your next reply.

    I suggest that you do not act on any security warning you may receive at this point, unless it's something from your antivirus program. The rogue programs put out alerts of infections and want you to click to download and remove them. Don't!
     
  11. Bobbye

    Question: Are you an employee at Best Buy and do you have an Intranet set up there?
     
  12. cjk1

    No, not a Best Buy employee. Lots of the software, including anti-virus stuff, was installed there.
     
  13. Bobbye

    So maybe you bought the computer there and they set it up for you?
    Or did either Best Buy or the Geek Squad give you remote help?

    There are several entries for different file transfer protocols and ports, and the IP is for Best Buy in Minnesota. If you were given help in some way to load software programs on the system, I don't know of any reason for the entries to stay.
     
  14. cjk1

    Yes, no reason to keep any Best Buy stuff. I'm attaching the ComboFix log. Here is the ESET log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=d6b8bee67dba0648ad3d1331785b1f73
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=false
    # utc_time=2010-06-03 12:58:47
    # local_time=2010-06-02 07:58:47 (-0600, Central Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=514 16776549 100 97 0 111204079 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=65471
    # found=1
    # cleaned=0
    # scan_time=4139
    C:\Qoobox\Quarantine\C\windows\uwuvabuyud.dll.vir a variant of Win32/Cimag.CM trojan
     

    Attached Files: log.txt (17.7 KB)
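A small parser for that ESET log, added here as a worked example; it is not code from the thread or from ESET. It reads the "# key=value" header and the detection lines, cross-checks the "found" count against the detection lines actually present, and marks a hit under C:\Qoobox\Quarantine as something ComboFix already quarantined rather than an active infection. The layout rules and the quarantine prefix list are assumptions taken from the log above; the sample text is the posted log itself.

```python
"""Parse and sanity-check an ESET Online Scanner log.txt.

Added example; neither code from the thread nor from ESET. The parsing
rules are assumptions read off the posted log: header lines are
'# key=value', a detection line is '<path> <threat description>', and
anything else is installer chatter.
"""
import re
from dataclasses import dataclass, field

# The log posted in the thread, verbatim.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d6b8bee67dba0648ad3d1331785b1f73
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=false
# utc_time=2010-06-03 12:58:47
# local_time=2010-06-02 07:58:47 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=514 16776549 100 97 0 111204079 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=65471
# found=1
# cleaned=0
# scan_time=4139
C:\Qoobox\Quarantine\C\windows\uwuvabuyud.dll.vir a variant of Win32/Cimag.CM trojan
"""

# ComboFix moves what it removes into C:\Qoobox\Quarantine, so a hit under
# that tree is a file already taken out of play, not a live infection.
# (Assumption: extend this tuple with other tools' quarantine folders.)
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

HEADER_RE = re.compile(r"^#\s*([^=]+?)\s*=\s*(.*)$")
# Non-greedy path: the first token containing '/' (the ESET family name,
# e.g. Win32/Cimag.CM) marks where the threat description starts, so
# Windows paths containing spaces survive intact.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+/\S+.*)$"
)


@dataclass
class Detection:
    path: str
    threat: str

    @property
    def quarantined(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_PREFIXES)


@dataclass
class EsetReport:
    header: dict = field(default_factory=dict)    # last value wins for repeated keys
    detections: list = field(default_factory=list)
    unparsed: list = field(default_factory=list)  # installer chatter


def parse_eset_log(text: str) -> EsetReport:
    report = EsetReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            report.header[m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = DETECTION_RE.match(line)
        if m:
            report.detections.append(Detection(m.group("path"), m.group("threat")))
            continue
        report.unparsed.append(line)
    return report


def active_detections(report: EsetReport) -> list:
    """Detections that are not sitting in another tool's quarantine."""
    return [d for d in report.detections if not d.quarantined]


def consistency_problems(report: EsetReport) -> list:
    """Cross-check the header against what was actually parsed."""
    problems = []
    found = int(report.header.get("found", "0"))
    if found != len(report.detections):
        problems.append(f"header found={found} but {len(report.detections)} detection lines parsed")
    if report.header.get("end") != "finished":
        problems.append("scan did not run to completion")
    if report.header.get("remove_checked") == "true":
        problems.append("'Remove found threats' was enabled; nothing is left to inspect")
    return problems


if __name__ == "__main__":
    rep = parse_eset_log(SAMPLE_LOG)
    for d in rep.detections:
        print(("quarantined " if d.quarantined else "ACTIVE      ") + d.path + "  ->  " + d.threat)
    print("problems:", consistency_problems(rep) or "none")
```

Run against the posted log it reports one detection, already quarantined, and no active hits, which is why the helper moves on to a custom script rather than treating the ESET result as new malware.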
  15. Bobbye

    Custom CFScript


    1. Close any open browsers.
    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\Qlapohecewew.dat
    c:\windows\Wjayadeh.bin
    c:\program files\AntiSpywareExpert\ase.exe
    
    Folder::
    c:\documents and settings\Owner\Application Data\EMCO
    
    Rootkit::
    
    DDS::
    BHO: {31d7d4a5-9967-4eef-8c97-b0dc673a2b76} - c:\windows\system32\nnnnKdef.dll
    uRun: [VirusIsolator.exe] c:\program files\virusisolator\VirusIsolator.exe
    uRun: [<NO NAME>] 
    mRun: [<NO NAME>] 
    mRun: [SBI] c:\documents and settings\owner\local settings\temporary internet files\content.ie5\8e31xade\install_sbd_en[1].exe
    mRun: [SystemDefender] "c:\program files\systemdefender\SystemDefender.exe" hide
    mRun: [AdvancedCleaner Free] "c:\program files\advancedcleaner free\UADC.exe" /min
    uPolicies-explorer: ForceActiveDesktopOn = 30
    uPolicies-system: DisableTaskMgr = 30
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    
    Extra::
    File::
    c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    Firefox::
    Firefox-: Profile- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kj7k2wnr.default\
    Firefox-: prefs.js - network.proxy.ftp - 168.94.74.68
    Firefox-: prefs.js - network.proxy.ftp_port - 8080
    Firefox-: prefs.js - network.proxy.gopher - 168.94.74.68
    Firefox-: prefs.js - network.proxy.gopher_port - 8080
    Firefox-: prefs.js - network.proxy.http - 168.94.74.68
    Firefox-: prefs.js - network.proxy.http_port - 8080
    Firefox-: prefs.js - network.proxy.socks - 168.94.74.68
    Firefox-: prefs.js - network.proxy.socks_port - 8080
    Firefox-: prefs.js - network.proxy.ssl - 168.94.74.68
    Firefox-: prefs.js - network.proxy.ssl_port - 8080
    Firefox-: prefs.js - network.proxy.type - 4
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"=-
    
    Driver::
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Drag CFScript.txt onto ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ===================
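The Firefox proxy entries in the CFScript above are worth checking directly in the profile's prefs.js. The script below is an added example, not code from the thread or from Mozilla. It parses user_pref lines, reports which protocols point at a proxy host, says whether network.proxy.type actually activates them (Mozilla's documented values: 0 direct, 1 manual, 2 PAC URL, 4 auto-detect, 5 system; the CFScript shows type 4, so the 168.94.74.68:8080 entries were configured but not the selected mode), and produces a prefs.js with every network.proxy.* line removed. SAMPLE_PREFS is constructed to mirror the values listed in the CFScript, with two harmless preferences added as noise.

```python
"""Audit a Firefox prefs.js for injected proxy settings.

Added example; not from the thread and not Mozilla code. prefs.js stores one
preference per line as user_pref("name", value); where value is a quoted
string, an integer or true/false.
"""
import re

# Constructed sample: the network.proxy.* values from the CFScript in the
# thread, plus two unrelated preferences as noise.
SAMPLE_PREFS = r'''# Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "rv:1.9.2.3");
user_pref("network.proxy.ftp", "168.94.74.68");
user_pref("network.proxy.ftp_port", 8080);
user_pref("network.proxy.gopher", "168.94.74.68");
user_pref("network.proxy.gopher_port", 8080);
user_pref("network.proxy.http", "168.94.74.68");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.socks", "168.94.74.68");
user_pref("network.proxy.socks_port", 8080);
user_pref("network.proxy.ssl", "168.94.74.68");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.type", 4);
user_pref("privacy.sanitize.migrateFx3Prefs", true);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Meaning of network.proxy.type (Mozilla's documented values).
PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC URL", 4: "auto-detect (WPAD)", 5: "system"}
PROTOCOLS = ("http", "ssl", "ftp", "gopher", "socks")


def _value(raw: str):
    """Decode a prefs.js literal: quoted string, true/false, or integer."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw)


def parse_prefs(text: str) -> dict:
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _value(m.group(2))
    return prefs


def audit_proxy(prefs: dict) -> dict:
    ptype = prefs.get("network.proxy.type")
    label = PROXY_TYPES.get(ptype, "not set" if ptype is None else "unknown")
    manual = {}
    for proto in PROTOCOLS:
        host = prefs.get(f"network.proxy.{proto}")
        if host:
            manual[proto] = (host, prefs.get(f"network.proxy.{proto}_port"))
    findings = []
    if ptype == 2 and prefs.get("network.proxy.autoconfig_url"):
        findings.append(f"PAC script configured: {prefs['network.proxy.autoconfig_url']}")
    hosts = sorted({h for h, _ in manual.values()})
    if hosts:
        # Manual host/port entries only take effect when type == 1, but a
        # dormant entry is still a foothold: one pref flip re-enables it.
        state = "ACTIVE" if ptype == 1 else f"dormant (type {ptype} = {label})"
        findings.append(f"manual proxy {', '.join(hosts)} set for {', '.join(manual)}: {state}; remove it either way")
    return {"type": ptype, "type_label": label, "manual": manual,
            "manual_active": ptype == 1 and bool(manual), "findings": findings}


def strip_proxy_prefs(text: str) -> str:
    """Return prefs.js text with every network.proxy.* line removed; Firefox
    falls back to its built-in default for a preference that is absent.
    Only write this back with Firefox closed: it rewrites prefs.js on exit."""
    keep = []
    for line in text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        if m and m.group(1).startswith("network.proxy."):
            continue
        keep.append(line)
    return "".join(keep)


if __name__ == "__main__":
    for f in audit_proxy(parse_prefs(SAMPLE_PREFS))["findings"]:
        print(f)
```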
     
  16. cjk1

    I've been allowing the installation for the recovery console, but an error message comes up every time. Thanks again!
     

    Attached Files:

  17. cjk1

    My anti-virus protection is expiring tomorrow. Do you recommend that I renew, or is there something better I should be using? Thanks!
     
  18. Bobbye

    It doesn't matter whether you renew or get a new antivirus program. Don't access the internet without this protection. Why have you run this so late?

    Either renew Trend Micro now or put the following on. Judging by the number of malware infections you had, you need to increase your security:

    All free, all good, all recommended: (choose only one AV and one firewall, 2 or more antispyware)

    Have layered security:
    • Antivirus software (only one): Both of the following programs are free and known to be good:
      - Avira Free
      - Avast Home
    • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      - Comodo
      - ZoneAlarm
    • Antispyware: I recommend all of the following:
      - SpywareBlaster: protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
      - IE/Spyad: places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
      - MVPS Hosts file: replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      - Google Toolbar: get the free Google toolbar to help stop pop-up windows.

    Security is the one area you can't afford to skimp on!

    You didn't tell me what the error message was when you tried to install the recovery console. I suspect it may have said you didn't have an internet connection. If that was it, when I have you run Combofix again, don't disconnect from the internet before you do this step.

    Get the AV settled- I'll come back and check the Combofix report.
     
  19. cjk1

    Sorry, I can't remember the exact error message. It did not say anything about the internet connection, instead something about boot enumeration. I will write it down if it pops up again. Anti-virus is taken care of now. This is not my computer (trying to help my parents), so I did not realize the subscription was almost up.
     
  20. Bobbye

    The Best Buy proxy entries remain. I might see them in a HijackThis log. So I'll have you run that and Malwarebytes again because of all the infections:

    You can just update Mbam and scan again. Save and leave the log.

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    If I don't see them or can't remove them, I'll have you block the site. They need to be removed.
     
  21. cjk1

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:09:04 AM, on 6/5/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\windows\zHotkey.exe
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\windows\system32\ctfmon.exe
    C:\windows\eHome\ehRecvr.exe
    C:\windows\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\windows\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\windows\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\windows\eHome\ehmsas.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
    C:\windows\system32\msiexec.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\windows\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Bing Bar] "C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe"
    O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: tisspwiz.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_20.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_20.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1210977935525
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {934CEFDC-E880-446F-880F-6560F613D8AA} (FCliVer Class) - http://www.conpia.com/cab/fclient/fclient(v1.2.28.0).cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.gamehouse.com/games/babel/zylomplayer.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

    --
    End of file - 8880 bytes
     


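Reading a HijackThis log by eye is what the request above asks for; the script below is an added example (not from the thread, not Trend Micro code) of the first-pass rules a helper applies while doing that. It pulls each "<section> - <body>" line, then flags O4 autoruns whose target lives in the IE cache or a temp folder, O2/O3/O9/O23 entries whose file is gone ("(no file)", as with the {CD67F990-...} button the CFScript earlier removed), O16 ActiveX download controls from hosts outside a small trusted list, and R0/R1 start/search pages that do not point at Microsoft. The sample mixes real lines from the log posted above with one constructed O4 line that rewrites the CFScript's "mRun: [SBI] ..." entry in HijackThis form so the cache rule has something to fire on; the trusted-host list, cache markers and rules are this example's assumptions, not HijackThis features.

```python
"""Triage HijackThis log entries.

Added example; not from the thread and not Trend Micro code. The rule set,
the cache-folder markers and the trusted ActiveX host list are assumptions.
"""
import re
from dataclasses import dataclass

# Real lines from the posted log, plus one constructed O4 line (the SBI entry)
# rewritten from the CFScript's 'mRun: [SBI] ...' line into HijackThis form.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SBI] c:\documents and settings\owner\local settings\temporary internet files\content.ie5\8e31xade\install_sbd_en[1].exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 8880 bytes
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.I)

# Assumptions behind the rules: a program that autostarts out of the browser
# cache or a temp folder was dropped there by a download, not installed.
CACHE_MARKERS = ("\\temporary internet files\\", "\\local settings\\temp\\", "\\windows\\temp\\")
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com", "adobe.com", "eset.com", "msn.com", "java.com")
DEAD_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    sec: str
    body: str


@dataclass
class Finding:
    rule: str
    entry: Entry


def parse_hjt(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def _host_trusted(body: str, trusted: tuple) -> bool:
    m = URL_HOST_RE.search(body)
    if not m:
        return False
    host = m.group(1).lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(entries: list) -> list:
    findings = []
    for e in entries:
        low = e.body.lower()
        if e.sec == "O4" and any(mk in low for mk in CACHE_MARKERS):
            findings.append(Finding("autorun-from-cache", e))
        elif e.sec in ("O2", "O3", "O9", "O23") and any(mk in low for mk in DEAD_MARKERS):
            findings.append(Finding("dead-entry", e))        # orphaned registration, safe to remove
        elif e.sec == "O16" and not _host_trusted(e.body, TRUSTED_DPF_HOSTS):
            findings.append(Finding("third-party-activex", e))  # review, not automatically bad
        elif e.sec in ("R0", "R1") and URL_HOST_RE.search(e.body) \
                and not _host_trusted(e.body, ("microsoft.com",)):
            findings.append(Finding("ie-page-changed", e))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.rule:22} {f.entry.sec}: {f.entry.body}")
```

The "third-party-activex" rule is deliberately a review queue rather than a verdict: a game-site or webcam CAB is often legitimate, which is exactly why the helper says not to let HijackThis fix anything until the log has been read.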
  22. Bobbye

    Sorry, somehow I missed you! I want you to search for a file/folder. It would likely be hidden. But I moved it once and Mbam found another entry. It's one of the many rogue spyware programs that were on the system:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Go to the Control Panel> Add/Remove Programs> uninstall VirusIsolator

    Access Windows Explorer: Windows key + E: (while still in Safe Mode)
    Show Hidden Folders/Files
    • Open My Computer.
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Select Show hidden files and folders.
    • Uncheck (untick) Hide extensions of known file types.
    • Uncheck (untick) Hide protected operating system files (Recommended).
    • Click Yes when prompted.
    • Click OK.


    Double click in the Local Drive (C)> Programs:
    See if there is a folder for VirusIsolator. IF there is do a right click on it> then Delete.
    Close Windows Explorer and reboot into Normal Mode.

    Let me know if you found this either place.
     
  23. cjk1

    I did not find VirusIsolator in either place. Hopefully this is good news?
     
  24. Bobbye

    Please update and run one more Mbam scan. I don't usually repeat this, but since there were so many rogues and Mbam found one again, I want to make sure it's gone.

    Then do the online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    If these are clean, I'll have you remove the cleaning tools.
     
  25. cjk1

    Here is the ESET log:
     

    Attached Files: log.txt (748 bytes)