Solved Random sound playing virus (hidden iexplorer.exe)

jimvanstevens · Aug 2, 2010

Hello,

I have this problem for a few days already, some strange sounds starting up at random times, first it where farm sounds now its some kind of movie sound...

I Followed the instruction on the UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions.

Gmer found some kind of hidden iexplorer I think this is the virus... when the sound starts and I press alt-tab it shows an iexplorer very quick and then loses it...

I attached the log files...

Can anyone give me instructions on what to do next

Im running windows xp sp3

jimvanstevens · Aug 2, 2010

I found out with mbrcheck.exe that my mbr is changed

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00100a44

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\J: --> \\.\PhysicalDrive0 at offset 0x00000004`e22d6a00 (NTFS)
\\.\L: --> \\.\PhysicalDrive0 at offset 0x00000009`c45a5600 (NTFS)
\\.\U: --> \\.\PhysicalDrive0 at offset 0x0000000d`c1159a00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black I
nternet)!
SHA1: 4BD9A670E18D95DF9112D7A70C775062AF06C5A6

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

When trying to solve it... Y option 2(restore the mbr) Selected my physical disk 0

But after running the tool again it still gives the same message... any ideas

Broni · Aug 2, 2010

Welcome aboard

Our manual clearly says:

DO NOT make any other changes to your computer (e.g. installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

jimvanstevens · Aug 3, 2010

first off all Thanks for your time!

i used combofix on my pc and the log file is as followed:

ComboFix 10-08-02.03 - user_name 03-08-2010 7:43.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.748 [GMT 2:00]
Running from: c:\documents and settings\user_name\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-08-02 19:20 . 2010-08-02 19:20 -------- d-----w- c:\documents and settings\user_name\Application Data\Malwarebytes
2010-08-02 19:19 . 2010-08-02 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-02 16:31 . 2010-08-02 16:31 -------- d-----w- C:\$AVG8.VAULT$
2010-08-02 15:58 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-08-02 15:57 . 2010-08-02 15:57 -------- d-----w- c:\program files\Panda Security
2010-07-29 19:56 . 2010-07-29 19:56 -------- d-----w- c:\documents and settings\user_name\Local Settings\Application Data\Sunbelt Software
2010-07-29 19:53 . 2010-08-03 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-29 16:50 . 2010-07-29 16:50 -------- d-----w- c:\program files\Rockstar Games
2010-07-28 19:53 . 2010-08-03 05:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-28 19:53 . 2010-08-03 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 05:38 . 2008-12-30 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-08-02 18:37 . 2010-01-04 17:46 -------- d-----w- c:\program files\FLV Player
2010-08-02 08:24 . 2009-04-24 05:27 -------- d-----w- c:\documents and settings\user_name\Application Data\Skype
2010-08-02 07:44 . 2009-04-24 05:28 -------- d-----w- c:\documents and settings\user_name\Application Data\skypePM
2010-07-29 16:35 . 2008-12-30 17:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-22 18:00 . 2010-06-15 18:32 -------- d-----w- c:\program files\PokerStars
.

((((((((((((((((((((((((((((( SnapShot@2010-08-02_08.40.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-03 05:40 . 2010-08-03 05:40 16384 c:\windows\temp\Perflib_Perfdata_1a8.dat
+ 2004-08-04 12:00 . 2010-08-03 05:44 59842 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-08-02 07:48 59842 c:\windows\system32\perfc009.dat
- 2008-12-30 17:02 . 2010-08-02 08:21 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-02 20:27 . 2010-08-03 05:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-30 17:02 . 2010-08-02 08:21 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 17:02 . 2010-08-03 05:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 17:02 . 2010-08-03 05:43 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 17:02 . 2010-08-02 08:21 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2010-08-03 05:44 395768 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-08-02 07:48 395768 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/2/2010 5:58 PM 28552]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [12/30/2008 7:23 PM 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [12/30/2008 7:23 PM 6100]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user_name\Application Data\Mozilla\Firefox\Profiles\0s6m9rdq.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Canon\APU\npCCBPLFirefox.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 07:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-03 07:48:11
ComboFix-quarantined-files.txt 2010-08-03 05:48
ComboFix2.txt 2010-08-02 20:59
ComboFix3.txt 2010-08-02 20:17
ComboFix4.txt 2010-08-02 08:41

Pre-Run: 6.557.732.864 bytes free
Post-Run: 6.555.996.160 bytes free

- - End Of File - - 40542FFB14D45B3A97CCA02FD8D9D18E

Broni · Aug 3, 2010

I can see, you ran Combofix several times today.
Never run Combofix on your own!

I'd like to see following logs:
ComboFix2.txt 2010-08-02 20:59
ComboFix3.txt 2010-08-02 20:17
ComboFix4.txt 2010-08-02 08:41

You can find them in C:\Qoobox folder.

I'll repeat one more time, as our manual says:

DO NOT make any other changes to your computer (e.g. installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

If you do it again, you're on your own....

jimvanstevens · Aug 3, 2010

I atached file combofix2 combofix3 and combofix4

I tryed it a few times before posting anything on the forum...I wont do it again

thank you very much for your time I really appreceate it!

Broni · Aug 3, 2010

Delete your Combofix file and download fresh copy from HERE
Run it and post resulting log.

jimvanstevens · Aug 4, 2010

Thank you for your time!!! btw congratulations on your 5000 post!

I uninstalled spybot, avg, adaware yesterday morning...

I used the fresh copy of combofix... it told me i had the whisler rootkit and it needed to restart my pc...

After restart, it started again and this is the log file:

ComboFix 10-07-31.01 - user_name 04-08-2010 7:35.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.781 [GMT 2:00]
Running from: c:\documents and settings\user_name\Desktop\wCFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
.

2010-08-02 19:20 . 2010-08-02 19:20 -------- d-----w- c:\documents and settings\user_name\Application Data\Malwarebytes
2010-08-02 19:19 . 2010-08-02 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-02 16:31 . 2010-08-02 16:31 -------- d-----w- C:\$AVG8.VAULT$
2010-08-02 15:58 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-08-02 15:57 . 2010-08-02 15:57 -------- d-----w- c:\program files\Panda Security
2010-07-29 19:56 . 2010-07-29 19:56 -------- d-----w- c:\documents and settings\user_name\Local Settings\Application Data\Sunbelt Software
2010-07-29 19:53 . 2010-08-03 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-29 16:50 . 2010-07-29 16:50 -------- d-----w- c:\program files\Rockstar Games
2010-07-28 19:53 . 2010-08-03 05:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-28 19:53 . 2010-08-03 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 05:38 . 2008-12-30 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-08-02 18:37 . 2010-01-04 17:46 -------- d-----w- c:\program files\FLV Player
2010-08-02 08:24 . 2009-04-24 05:27 -------- d-----w- c:\documents and settings\user_name\Application Data\Skype
2010-08-02 07:44 . 2009-04-24 05:28 -------- d-----w- c:\documents and settings\user_name\Application Data\skypePM
2010-07-29 16:35 . 2008-12-30 17:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-22 18:00 . 2010-06-15 18:32 -------- d-----w- c:\program files\PokerStars
.

((((((((((((((((((((((((((((( SnapShot@2010-08-02_08.40.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-04 05:35 . 2010-08-04 05:35 16384 c:\windows\temp\Perflib_Perfdata_200.dat
+ 2004-08-04 12:00 . 2010-08-04 05:39 59842 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-08-02 07:48 59842 c:\windows\system32\perfc009.dat
- 2008-12-30 17:02 . 2010-08-02 08:21 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-02 20:27 . 2010-08-04 05:32 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-30 17:02 . 2010-08-02 08:21 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 17:02 . 2010-08-04 05:32 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 17:02 . 2010-08-04 05:32 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 17:02 . 2010-08-02 08:21 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2010-08-04 05:39 395768 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-08-02 07:48 395768 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/2/2010 5:58 PM 28552]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [12/30/2008 7:23 PM 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [12/30/2008 7:23 PM 6100]
.
.
------- Supplementary Scan -------
.
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user_name\Application Data\Mozilla\Firefox\Profiles\0s6m9rdq.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Canon\APU\npCCBPLFirefox.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-04 07:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-04 07:41:23
ComboFix-quarantined-files.txt 2010-08-04 05:41
ComboFix2.txt 2010-08-03 05:48

Pre-Run: 6.441.439.232 bytes free
Post-Run: 6.468.571.136 bytes free

- - End Of File - - 4C37EFEC7FEA2210D9A6AFFA651FA55B

Broni · Aug 4, 2010

Very good

How are the issues?

Please, re-run MBRCheck and post fresh log.

jimvanstevens · Aug 4, 2010

OK i used mbr check here is the log: as far as i can see it looks better then before! what is the next step

congrats on making over 5000 posts... you are very helpfull to a lot of people!

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00100a44

Kernel Drivers (total 132):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7D2E000 \WINDOWS\system32\KDCOM.DLL
0xF7C3E000 \WINDOWS\system32\BOOTVID.dll
0xF77DF000 ACPI.sys
0xF7D30000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF77CE000 pci.sys
0xF782E000 isapnp.sys
0xF783E000 ohci1394.sys
0xF784E000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7C42000 compbatt.sys
0xF7C46000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7DF6000 pciide.sys
0xF7AAE000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7D32000 intelide.sys
0xF77B0000 pcmcia.sys
0xF785E000 MountMgr.sys
0xF7791000 ftdisk.sys
0xF7D34000 dmload.sys
0xF776B000 dmio.sys
0xF7C4A000 ACPIEC.sys
0xF7DF7000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7AB6000 PartMgr.sys
0xF7ABE000 pavboot.sys
0xF786E000 VolSnap.sys
0xF7753000 atapi.sys
0xF787E000 disk.sys
0xF788E000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7733000 fltmgr.sys
0xF7721000 sr.sys
0xF770A000 KSecDD.sys
0xF767D000 Ntfs.sys
0xF7650000 NDIS.sys
0xF7636000 Mup.sys
0xF789E000 agp440.sys
0xF7A2E000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF74C1000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF74AD000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7B16000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7489000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7B1E000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7A3E000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7477000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
0xF7D46000 \SystemRoot\system32\drivers\MbxStby.sys
0xF7448000 \SystemRoot\system32\drivers\o2mmb.sys
0xF72B3000 \SystemRoot\system32\DRIVERS\w22n51.sys
0xF7A4E000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7B26000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7286000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7D48000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7B2E000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A5E000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7A6E000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7A7E000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7263000 \SystemRoot\system32\DRIVERS\ks.sys
0xF723C000 \SystemRoot\system32\drivers\vinyl97.sys
0xF7218000 \SystemRoot\system32\drivers\portcls.sys
0xF7A8E000 \SystemRoot\system32\drivers\drmk.sys
0xF7CF6000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7EFA000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7A9E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7CFA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF71D9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF78CE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF78DE000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7B36000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF71C8000 \SystemRoot\system32\DRIVERS\psched.sys
0xF78EE000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7B3E000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7B46000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF70F8000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF78FE000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7D4A000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF709A000 \SystemRoot\system32\DRIVERS\update.sys
0xF7D1A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF790E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF793E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7D4C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7F7A000 \SystemRoot\System32\Drivers\Null.SYS
0xF7D4E000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7B66000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7B6E000 \SystemRoot\System32\drivers\vga.sys
0xF7D50000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D52000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7B76000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7B7E000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF75E1000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAAFCD000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAAF74000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAAF4C000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAAF2A000 \SystemRoot\System32\drivers\afd.sys
0xF794E000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAAEFF000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAAE67000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF795E000 \SystemRoot\System32\Drivers\Fips.SYS
0xAAE41000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF796E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF797E000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF799E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF7210000 \SystemRoot\System32\Drivers\n558.sys
0xF7B86000 \SystemRoot\System32\Drivers\BTHUSB.sys
0xAAD5E000 \SystemRoot\System32\Drivers\bthport.sys
0xF720C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF79AE000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7B8E000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7200000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF71F8000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF79BE000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0xF7B96000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0xAAD1D000 \SystemRoot\system32\DRIVERS\bthpan.sys
0xAAD05000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7D58000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7086000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7B9E000 \SystemRoot\System32\watchdog.sys
0xBF9C3000 \SystemRoot\System32\drivers\dxg.sys
0xF7E8E000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9D5000 \SystemRoot\System32\ati2dvag.dll
0xBFA0D000 \SystemRoot\System32\ati2cqag.dll
0xBFA47000 \SystemRoot\System32\ati3duag.dll
0xBFC6A000 \SystemRoot\System32\ativvaxx.dll
0xAAC05000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAA958000 \SystemRoot\system32\drivers\wdmaud.sys
0xAAB15000 \SystemRoot\system32\drivers\sysaudio.sys
0xAA80D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAA6CB000 \SystemRoot\system32\DRIVERS\srv.sys
0xF7BBE000 \??\C:\DOCUME~1\user_name\LOCALS~1\Temp\catchme.sys
0xF7DAA000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xF7C06000 \??\C:\DOCUME~1\user_name\LOCALS~1\Temp\mbr.sys
0xAA178000 \SystemRoot\system32\drivers\kmixer.sys
0xAA137000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 33):
0 System Idle Process
4 System
632 C:\WINDOWS\system32\smss.exe
744 csrss.exe
784 C:\WINDOWS\system32\winlogon.exe
832 C:\WINDOWS\system32\services.exe
844 C:\WINDOWS\system32\lsass.exe
1000 C:\WINDOWS\system32\ati2evxx.exe
1012 C:\WINDOWS\system32\svchost.exe
1084 svchost.exe
1176 C:\WINDOWS\system32\svchost.exe
1216 svchost.exe
1276 svchost.exe
1656 C:\WINDOWS\system32\spoolsv.exe
440 svchost.exe
456 C:\WINDOWS\system32\CTSVCCDA.EXE
512 C:\Program Files\Java\jre6\bin\jqs.exe
544 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
648 C:\WINDOWS\system32\HPZipm12.exe
1300 C:\WINDOWS\system32\svchost.exe
1348 wdfmgr.exe
1576 C:\Program Files\Canon\CAL\CALMAIN.exe
1752 alg.exe
2012 C:\WINDOWS\system32\ati2evxx.exe
344 C:\WINDOWS\system32\wscntfy.exe
1160 wmiprvse.exe
1380 C:\WINDOWS\system32\notepad.exe
200 C:\WINDOWS\explorer.exe
580 C:\WINDOWS\system32\wuauclt.exe
1136 C:\Program Files\Mozilla Firefox\firefox.exe
216 C:\Program Files\Mozilla Firefox\plugin-container.exe
2196 C:\Program Files\totalcmd\totalcmd\TOTALCMD.EXE
2276 C:\Documents and Settings\user_name\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\J: --> \\.\PhysicalDrive0 at offset 0x00000004`e22d6a00 (NTFS)
\\.\L: --> \\.\PhysicalDrive0 at offset 0x00000009`c45a5600 (NTFS)
\\.\U: --> \\.\PhysicalDrive0 at offset 0x0000000d`c1159a00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGMP0804H, Rev: UE100-14

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

Broni · Aug 4, 2010

congrats on making over 5000 posts

Thank you

MBRCheck looks good

Any current issues?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

jimvanstevens · Aug 4, 2010

As far as i can see no current issues...

I uninstalled Combofix restarted my laptop and did a run with OTL (including the custom settings)

I think we are getting somewhere thank you very much!

Here is the extras.txt

OTL Extras logfile created on: 4-8-2010 7:58:33 - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\user_name\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000413 | Country: Netherlands | Language: NLD | Date Format: d-M-yyyy

1.023,00 Mb Total Physical Memory | 748,00 Mb Available Physical Memory | 73,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 93,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19,53 Gb Total Space | 7,18 Gb Free Space | 36,74% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 661,33 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 19,53 Gb Total Space | 17,61 Gb Free Space | 90,14% Space Free | Partition Type: NTFS
Drive L: | 15,95 Gb Total Space | 11,82 Gb Free Space | 74,13% Space Free | Partition Type: NTFS
Drive U: | 19,53 Gb Total Space | 15,06 Gb Free Space | 77,07% Space Free | Partition Type: NTFS

Computer Name: LAPTOP-user_name
Current User Name: user_name
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{015D937D-9D52-45A4-BDAA-2413938C0564}" = O2Micro MemoryCardBus Windows Driver
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{10F5387D-1728-423A-A578-B00982CF2646}" = Windows Live Messenger
"{1AEC8F41-4701-415D-9782-F69CFB535463}" = Creative Zen MicroPhoto
"{1BD6AE96-4742-4498-9D03-9451C7E5A214}" = Windows Live aanmeldhulp
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live - Hulpprogramma voor uploaden
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 17
"{2A8F82E8-7B86-4AFD-BFBC-2BA4C2CF52DB}" = Windows Live Call
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{4B35F00C-E63D-40DC-9839-DF15A33EAC46}" = Grand Theft Auto Vice City
"{5469D537-9B44-4c78-BF2D-5F9807564F74}" = HP PSC & OfficeJet 4.7
"{562B9CA4-6E52-4F87-ACEC-912FC004F1F0}" = Windows Live Essentials
"{5A24DD7E-7B01-41AC-ADA8-F1776177A3BA}" = Logitech ImageStudio
"{5FE1E412-D114-46E8-A891-5BE087B256A5}" = MVision
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120000-0010-0413-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (Dutch) 12
"{90120000-0015-0413-0000-0000000FF1CE}" = Microsoft Office Access MUI (Dutch) 2007
"{90120000-0016-0413-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Dutch) 2007
"{90120000-0018-0413-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Dutch) 2007
"{90120000-0019-0413-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Dutch) 2007
"{90120000-001A-0413-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Dutch) 2007
"{90120000-001B-0413-0000-0000000FF1CE}" = Microsoft Office Word MUI (Dutch) 2007
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0413-0000-0000000FF1CE}" = Microsoft Office Proof (Dutch) 2007
"{90120000-002C-0413-0000-0000000FF1CE}" = Microsoft Office Proofing (Dutch) 2007
"{90120000-0044-0413-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Dutch) 2007
"{90120000-006E-0413-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Dutch) 2007
"{90120000-00A1-0413-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Dutch) 2007
"{90120000-00BA-0413-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Dutch) 2007
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{AC76BA86-7AD7-1043-7B44-A90000000001}" = Adobe Reader 9 - Nederlands
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Aangifte inkomstenbelasting 2008" = Aangifte inkomstenbelasting 2008
"Aangifte inkomstenbelasting 2009" = Aangifte inkomstenbelasting 2009
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"APU" = CANON iMAGE GATEWAY Album Plugin Utility
"ATI Display Driver" = ATI Display Driver
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon MOV Decoder" = Canon MOV Decoder
"Creative Removable Disk Manager" = Creative Beheer van verwijderbare schijf
"CSCLIB" = Canon Camera Support Core Library
"DPP" = Canon Utilities Digital Photo Professional 3.6
"ENTERPRISER" = Microsoft Office Enterprise 2007
"EOS Utility" = Canon Utilities EOS Utility
"Free Easy Burner_is1" = Free Easy Burner V 3.8
"ft_Transport Tycoon Deluxe" = Transport Tycoon Deluxe
"HP Photo & Imaging" = HP Image Zone 4.7
"Huur- en zorgtoeslag 2009" = Huur- en zorgtoeslag 2009
"InstallShield_{015D937D-9D52-45A4-BDAA-2413938C0564}" = O2Micro MemoryCardBus Windows Driver
"lvdrivers_11.50" = Logitech QuickCam Driver Package
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MyCamera" = Canon Utilities MyCamera
"Original Data Security Tools" = Canon Utilities Original Data Security Tools
"PhotoStitch" = Canon Utilities PhotoStitch
"Picture Style Editor" = Canon Utilities Picture Style Editor
"PokerStars" = PokerStars
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SysInfo" = Creative-systeeminformatie
"VIA Audio Driver Setup Program" = VIA Audio Driver Setup Program
"WFTK" = Canon Utilities WFT-E1/E2/E3/E4 Utility
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows Mobile Device Handbook" = Windows Mobile-hulpbronnen
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 28-7-2010 15:51:17 | Computer Name = LAPTOP-user_name | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 28-7-2010 15:51:17 | Computer Name = LAPTOP-user_name | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 29-7-2010 15:56:24 | Computer Name = LAPTOP-user_name | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 2-8-2010 15:35:32 | Computer Name = LAPTOP-user_name | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 2-8-2010 17:18:01 | Computer Name = LAPTOP-user_name | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x7e2d49fe.

Error - 2-8-2010 17:19:33 | Computer Name = LAPTOP-user_name | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x7e2d49fe.

Error - 2-8-2010 17:20:09 | Computer Name = LAPTOP-user_name | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x7e2d49fe.

Error - 3-8-2010 11:31:07 | Computer Name = LAPTOP-user_name | Source = Application Error | ID = 1000
Description = Faulting application alg.exe, version 5.1.2600.5512, faulting module
unknown, version 0.0.0.0, fault address 0x00040000.

Error - 3-8-2010 11:33:24 | Computer Name = LAPTOP-user_name | Source = Application Error | ID = 1004
Description = Faulting application alg.exe, version 5.1.2600.5512, faulting module
unknown, version 0.0.0.0, fault address 0x00040000.

Error - 3-8-2010 17:09:08 | Computer Name = LAPTOP-user_name | Source = Application Error | ID = 1000
Description = Faulting application gta-vc.exe, version 0.0.0.0, faulting module
gta-vc.exe, version 0.0.0.0, fault address 0x00260fbd.

[ System Events ]
Error - 3-8-2010 1:53:09 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 3-8-2010 11:30:35 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 3-8-2010 11:32:53 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3-8-2010 13:51:44 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 3-8-2010 13:52:26 | Computer Name = LAPTOP-user_name | Source = System Error | ID = 1003
Description = Error code 10000050, parameter1 e3f0824c, parameter2 00000001, parameter3
bf9ce566, parameter4 00000001.

Error - 4-8-2010 1:10:25 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 4-8-2010 1:35:15 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 4-8-2010 1:56:27 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 4-8-2010 1:58:43 | Computer Name = LAPTOP-user_name | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 4-8-2010 1:58:43 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

< End of report >

jimvanstevens · Aug 4, 2010

OTL.TXT is to long so I attached it

Broni · Aug 4, 2010

Good news then

What happened to AVG?

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.

========================================================================

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:

:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - No CLSID value found.
O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No CLSID value found.


:Services

:Reg

:Files

:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
You will get a log that shows the results of the fix. Please post it.
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

jimvanstevens · Aug 5, 2010

The log after the quick fix:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: user_name
->Temp folder emptied: 9325431 bytes
->Temporary Internet Files folder emptied: 622836 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 92670538 bytes
->Flash cache emptied: 4844 bytes

User: user_name
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2424966 bytes
->Flash cache emptied: 953 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 100,00 mb

[EMPTYFLASH]

User: All Users

User: Default User

User: user_name
->Flash cache emptied: 0 bytes

User: user_name
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0,00 mb

OTL by OldTimer - Version 3.2.9.1 log created on 08052010_070745

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

jimvanstevens · Aug 5, 2010

And the OTL log...

avvg is uninstalled 2days ago because it wouldnt disable or stop... any tips for a new virus scanner

Broni · Aug 5, 2010

Just to make sure, no AVG leftovers are present, run AVG Remover: http://www.avg.com/us-en/download-tools, if you didn't use it to uninstall AVG.

Download and install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html

Then, last scans....

1. Download Security Check from HERE, and save it to your Desktop.

Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

2. Download Temp File Cleaner (TFC)

Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

3. Go to Kaspersky website and perform an online antivirus scan.

Disable your active antivirus program.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
- Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

jimvanstevens · Aug 5, 2010

Security check log... after this i will run the temp file cleaner and the kaspersky virus scanner, then i will install avira (is this a problem to install the virus scanner as latest?)

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
Java(TM) 6 Update 21
Adobe Flash Player 10.0.32.18
Adobe Reader 9 - Nederlands
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Broni · Aug 5, 2010

is this a problem to install the virus scanner as latest?

Not at all. Make sure, Windows firewall is up.

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

jimvanstevens · Aug 5, 2010

OK i updated adobe reader

Should i also update my internet explorer?
Im running firefox...but just in case someone uses it?

Broni · Aug 5, 2010

Absolutely. At least IE7.

jimvanstevens · Aug 5, 2010

I used tfc and kaspersky... it only found the .dat files (from mbrcheck) with the virus...after i deleted those files it didn't find any virusses
so that looks good

I update internet explorer to version 8.0.6001.18702
Installed avira anti virus

I also have a usb hard drive... do you have any scanning tips for this device?
Is it possible that the mbr virus is on the disk? (i dont think so because there is no operating system on it)

Broni · Aug 5, 2010

If you don't have anything important on that stick, format it.
If you do have some important stuff, scan it with your AV program.

Now...

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=====================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.

jimvanstevens · Aug 6, 2010

I used OTL to clean up...
Turned off system resotre...restarted and turned it back on...

I will run defrag...

I think my computer is clean and safe enough now!

Thank you very much for your help and your time!!!

Broni · Aug 6, 2010

Yes!!

Good luck and stay safe

Solved Random sound playing virus (hidden iexplorer.exe)

Posts: 14 +0

Attachments

Posts: 14 +0

Posts: 56,041 +516

Posts: 14 +0

Posts: 56,041 +516

Posts: 14 +0

Attachments

Posts: 56,041 +516

Posts: 14 +0

Posts: 56,041 +516

Posts: 14 +0

Posts: 56,041 +516

Posts: 14 +0

Posts: 14 +0

Attachments

Posts: 56,041 +516

Posts: 14 +0

Posts: 14 +0

Attachments

Posts: 56,041 +516

Posts: 14 +0

Posts: 56,041 +516

Posts: 14 +0

Posts: 56,041 +516

Posts: 14 +0

Posts: 56,041 +516

Posts: 14 +0

Posts: 56,041 +516

Similar threads