Solved System Check virus

[peterwright1234]

hey ive got the system check virus. before finding this forum i came across some other removal guides. so far ive used what i think was a cracked activation code for system check. my desktop is restored but i want expert help to really clean up. heres the logs

mbam:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.20.01

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Owner :: COMPUTER [administrator]

1/19/2012 10:57:28 PM
mbam-log-2012-01-19 (22-57-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204769
Time elapsed: 19 minute(s), 48 second(s)

Memory Processes Detected: 1
C:\Documents and Settings\All Users\Application Data\VFRni75IoSd2WT.exe (Rogue.FakeAlert) -> 756 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VFRni75IoSd2WT (Rogue.FakeAlert) -> Data: C:\Documents and Settings\All Users\Application Data\VFRni75IoSd2WT.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\All Users\Application Data\VFRni75IoSd2WT.exe (Rogue.FakeAlert) -> Delete on reboot.

(end)


gmer:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-19 23:30:41
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST325082 rev.3.AA
Running: prwby5mb.exe; Driver: C:\DOCUME~1\OWNER~1.COM\LOCALS~1\Temp\pgliqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA137CBDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA137CA45]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA13D17A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Elkbd.sys (Intel Corporation)

---- EOF - GMER 1.0.15 ----


dds:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by Owner at 23:32:25 on 2012-01-19
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.998.395 [GMT -8:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Anti-Phishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [CHotkey] zHotkey.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [cDNVHQQjYlda.exe] c:\documents and settings\all users\application data\cDNVHQQjYlda.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A2FED552-FE35-4A20-9783-F84411D3330F} : DhcpNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner.computer\application data\mozilla\firefox\profiles\ta581wxw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-19 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-1-19 314456]
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2011-4-30 80640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-1-19 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-1-19 44768]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2011-4-30 126976]
R2 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-7-27 163840]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2011-4-30 221184]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2011-4-30 122368]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2011-4-30 114464]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [2002-11-28 39048]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2011-4-30 245760]
.
=============== Created Last 30 ================
.
2012-01-20 06:44:02 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-20 06:44:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-20 06:38:58 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-20 06:38:42 41184 ----a-w- c:\windows\avastSS.scr
2012-01-20 06:38:29 -------- d-----w- c:\program files\AVAST Software
2012-01-20 06:38:29 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-01-20 05:21:31 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-01-20 05:14:46 -------- d-----w- c:\documents and settings\owner.computer\application data\Malwarebytes
2012-01-20 05:14:40 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-10 15:51:16 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-10 15:51:16 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-10 15:51:16 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-10 15:51:16 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
.
==================== Find3M ====================
.
2011-11-29 16:01:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 23:35:04.28 ===============

 

[Bobbye]

Welcome to TechSpot! This malware is really making the rounds! I will help you, but must ask that no other scans be done other than those I request;
My Guidelines: please read and follow:

• Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
• Read my instructions carefully. If you don't understand or have a problem, ask me.
• If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
• Follow the order of the tasks I give you. Order is crucial in cleaning process.
• File sharing programs should be uninstalled or disabled during the cleaning process..
• Observe these:
  [o] Don't use any other cleaning programs or scans while I'm helping you.
  [o] Don't use a Registry cleaner or make any changes in the Registry.
  [o] Don't download and install new programs- except those I give you.
• Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================
About: AV: avast! Antivirus and AV: McAfee VirusScan. Please decide which you want to keep and uninstall the other. You did not need Avast if you had McAfee. Reboot when finished.
====================================
There is another log from DDS- it is named Attach.txt. Please find it, do not zip and paste it into the next reply.
=====================================
You have a rogue malware infection, but I'm not sure it's System Check, so I'd like you to run the following:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Expect these- they are normal:
1. If asked to install or or update the Recovery Console, allow. (you will need internet connection for this)
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job this is normal.

Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop

• Double click combofix.exe
  
  & follow the prompts.
• If prompted for Recovery Console, please allow.
• Once installed, you should see a blue screen prompt that says:
  • The Recovery Console was successfully installed.[/b]
  • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
  • Note: No query will be made if the Recovery Console is already on the system.
• .Close/disable all anti virus and anti malware programs
  (If you need help with this, please see HERE)
• .Close any open browsers.
• .Click on Yes, to continue scanning for malware
• .If Combofix asks you to update the program, allow
• When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
==================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:

1. Open the ESETOnlineScan
2. Skip to #4 to "Continue with the directions"
   
   If you are using a browser other than Internet Explorer
3. Open Eset Smart Installer
   [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
   [o] Double click on the desktop icon to run.
   [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
   
4. Continue with the directions.
   
5. Check 'Yes I accept terms of use.'
6. Click Start button
7. Accept any security warnings from your browser.
   
   
8. Uncheck 'Remove found threats'
9. Check 'Scan archives/
10. Leave remaining settings as is.
11. Press the Start button.
12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
13. When the scan completes, press List of found threats
14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
15. Push the Back button, then Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

 

[peterwright1234]

hey thanks for the quick reply. im not gonna be back at home where the computers at until sunday night so ill read thoroughly through the next steps and get back to you. one thing i dont know is if i have the full version of mcaffe. do i still need to uninstall it?. -peter

 

[Bobbye]

You need to uninstall either McAfee or Avast. You should not have 2 antivirus programs running.

Post logs when done.

 

[peterwright1234]

well im much busier than expected. i wont be able to work on the computer untill tomorow night. im sorry. please dont lose interest in helping me.

 

[Bobbye]

Okay- post when you can.

 

[peterwright1234]

combofix:

ComboFix 12-01-23.02 - Owner 01/25/2012 20:46:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.998.483 [GMT -8:00]
Running from: c:\documents and settings\Owner.computer\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\~VFRni75IoSd2WT
c:\documents and settings\All Users\Application Data\~VFRni75IoSd2WTr
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\VFRni75IoSd2WT
c:\documents and settings\Owner.computer\Desktop\System Check.lnk
c:\documents and settings\Owner.computer\Start Menu\Programs\System Check
c:\documents and settings\Owner.computer\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Owner.computer\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\windows\kb913800.exe
c:\windows\system32\SET4C6.tmp
c:\windows\Update.bat
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-12-26 to 2012-01-26 )))))))))))))))))))))))))))))))
.
.
2012-01-20 06:44 . 2012-01-20 06:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-20 06:44 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-20 06:38 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-01-20 06:38 . 2012-01-26 04:10 -------- d-----w- c:\program files\AVAST Software
2012-01-20 06:38 . 2012-01-20 06:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-01-20 05:21 . 2012-01-20 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-01-20 05:14 . 2012-01-20 05:14 -------- d-----w- c:\documents and settings\Owner.computer\Application Data\Malwarebytes
2012-01-20 05:14 . 2012-01-20 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-10 15:51 . 2012-01-10 15:51 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-10 15:51 . 2012-01-10 15:51 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-10 15:51 . 2012-01-10 15:51 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-10 15:51 . 2012-01-10 15:51 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 16:01 . 2011-11-29 16:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-10 15:51 . 2011-05-01 05:27 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-05-01 169984]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-23 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 9134080]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 303104]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-30 375296]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2011-4-30 2168360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
.
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [11/28/2002 8:23 PM 39048]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Owner.computer\Application Data\Mozilla\Firefox\Profiles\ta581wxw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
HKLM-Run-SigmatelSysTrayApp - sttray.exe
HKLM-Run-cDNVHQQjYlda.exe - c:\documents and settings\All Users\Application Data\cDNVHQQjYlda.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-25 20:50
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\igfxdev.dll
.
Completion time: 2012-01-25 20:51:23
ComboFix-quarantined-files.txt 2012-01-26 04:51
.
Pre-Run: 224,487,829,504 bytes free
Post-Run: 224,693,268,480 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 8F90D35CFA5EA48544429C3B395769F5

eset scan:

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP261\A0013730.exe a variant of Win32/Kryptik.ZDN trojan
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP262\A0015735.exe a variant of Win32/Kryptik.ZDN trojan

 

[Bobbye]

Repeating:

There is another log from DDS- it is named Attach.txt. Please find it, do not zip and paste it into the next reply.

==================================
There is a deletion in Combofix that indicates you may have a flash drive infection. (Drive D) These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives

1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
   Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
4. Wait until it has finished scanning and then exit the program.
5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
Please update Java: Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

Be sure to check all download screens for any pre-check toolbars or BHO> if found, remove the check before the download..
================================
Combofix quarantined several System Check entries. No active entries in the Eset scan. The 2 System Volume entries are where restore point are kept. The infection isn't active in the system. I will have you remove the old restore points and create new one when we finish.
-------------------------------
Please run this Custom CFScript:

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:

File::
DDS::
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [cDNVHQQjYlda.exe] c:\documents and settings\all users\application data\cDNVHQQjYlda.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
Extra::
File::
c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
Firefox::
Firefox-: - Profile- c:\documents and settings\owner.computer\application data\mozilla\firefox\profiles\ta581wxw.default\
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"=-
Clearjavacache::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Suggest you remove this from Startup:
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2011-4-30 2168360]
======================
Do any of the malware problems remain?

 

[peterwright1234]

thanks ill continue with this tomorow night but for now heres the attach file:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/30/2011 9:10:00 PM
System Uptime: 1/19/2012 11:20:47 PM (0 hours ago)
.
Motherboard: Intel Corporation | | DG965LV
Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | LGA 775 | 1864/266mhz
Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | LGA 775 | 1864/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 228 GiB total, 209.42 GiB free.
D: is FIXED (FAT32) - 5 GiB total, 2.109 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP180: 10/22/2011 2:42:14 PM - System Checkpoint
RP181: 10/23/2011 2:51:03 PM - System Checkpoint
RP182: 10/24/2011 4:54:19 PM - System Checkpoint
RP183: 10/25/2011 5:37:49 PM - System Checkpoint
RP184: 10/26/2011 7:22:09 PM - System Checkpoint
RP185: 10/27/2011 10:57:59 PM - System Checkpoint
RP186: 10/29/2011 8:29:27 AM - System Checkpoint
RP187: 10/30/2011 10:06:23 AM - System Checkpoint
RP188: 10/31/2011 11:02:54 AM - System Checkpoint
RP189: 11/1/2011 11:42:39 AM - System Checkpoint
RP190: 11/2/2011 11:46:26 AM - System Checkpoint
RP191: 11/3/2011 11:54:38 AM - System Checkpoint
RP192: 11/4/2011 12:02:02 PM - System Checkpoint
RP193: 11/6/2011 8:48:28 PM - System Checkpoint
RP194: 11/7/2011 9:34:28 PM - System Checkpoint
RP195: 11/9/2011 11:11:45 AM - System Checkpoint
RP196: 11/9/2011 11:20:25 PM - Software Distribution Service 3.0
RP197: 11/11/2011 12:10:28 AM - System Checkpoint
RP198: 11/12/2011 1:10:27 AM - System Checkpoint
RP199: 11/13/2011 2:10:27 AM - System Checkpoint
RP200: 11/14/2011 8:19:16 AM - System Checkpoint
RP201: 11/15/2011 8:53:51 AM - System Checkpoint
RP202: 11/16/2011 9:41:06 AM - System Checkpoint
RP203: 11/17/2011 9:51:58 AM - System Checkpoint
RP204: 11/18/2011 10:12:46 AM - System Checkpoint
RP205: 11/19/2011 11:12:46 AM - System Checkpoint
RP206: 11/20/2011 11:14:33 AM - System Checkpoint
RP207: 11/21/2011 12:16:20 PM - System Checkpoint
RP208: 11/22/2011 5:11:03 PM - System Checkpoint
RP209: 11/23/2011 6:02:08 PM - System Checkpoint
RP210: 11/24/2011 8:17:06 PM - System Checkpoint
RP211: 11/26/2011 8:57:00 AM - System Checkpoint
RP212: 11/27/2011 9:32:23 AM - System Checkpoint
RP213: 11/28/2011 11:16:47 AM - System Checkpoint
RP214: 11/29/2011 4:41:57 PM - System Checkpoint
RP215: 11/30/2011 6:22:36 PM - System Checkpoint
RP216: 12/1/2011 6:55:40 PM - System Checkpoint
RP217: 12/2/2011 8:24:42 PM - System Checkpoint
RP218: 12/3/2011 9:01:06 PM - System Checkpoint
RP219: 12/4/2011 9:49:57 PM - System Checkpoint
RP220: 12/5/2011 10:22:52 PM - System Checkpoint
RP221: 12/7/2011 10:06:22 AM - System Checkpoint
RP222: 12/8/2011 1:09:45 PM - System Checkpoint
RP223: 12/9/2011 1:27:36 PM - System Checkpoint
RP224: 12/10/2011 2:14:05 PM - System Checkpoint
RP225: 12/11/2011 5:01:00 PM - System Checkpoint
RP226: 12/12/2011 7:26:06 PM - System Checkpoint
RP227: 12/13/2011 8:00:38 PM - System Checkpoint
RP228: 12/14/2011 8:42:19 PM - System Checkpoint
RP229: 12/14/2011 10:48:24 PM - Software Distribution Service 3.0
RP230: 12/15/2011 10:53:11 PM - System Checkpoint
RP231: 12/17/2011 10:32:40 AM - System Checkpoint
RP232: 12/18/2011 1:02:03 PM - System Checkpoint
RP233: 12/19/2011 3:54:59 PM - System Checkpoint
RP234: 12/20/2011 4:49:41 PM - System Checkpoint
RP235: 12/21/2011 5:54:22 PM - System Checkpoint
RP236: 12/22/2011 6:36:22 PM - System Checkpoint
RP237: 12/23/2011 7:16:27 PM - System Checkpoint
RP238: 12/24/2011 7:56:42 PM - System Checkpoint
RP239: 12/25/2011 8:47:23 PM - System Checkpoint
RP240: 12/26/2011 9:56:22 PM - System Checkpoint
RP241: 12/27/2011 10:01:48 PM - System Checkpoint
RP242: 12/28/2011 10:25:21 PM - System Checkpoint
RP243: 12/29/2011 10:53:53 PM - System Checkpoint
RP244: 12/31/2011 8:30:26 AM - System Checkpoint
RP245: 1/1/2012 10:02:56 AM - System Checkpoint
RP246: 1/2/2012 10:59:32 AM - System Checkpoint
RP247: 1/3/2012 7:53:49 PM - System Checkpoint
RP248: 1/4/2012 8:15:18 PM - System Checkpoint
RP249: 1/5/2012 8:38:47 PM - System Checkpoint
RP250: 1/6/2012 9:38:48 PM - System Checkpoint
RP251: 1/7/2012 10:38:48 PM - System Checkpoint
RP252: 1/8/2012 11:38:47 PM - System Checkpoint
RP253: 1/10/2012 8:20:00 AM - System Checkpoint
RP254: 1/11/2012 9:12:59 AM - Software Distribution Service 3.0
RP255: 1/12/2012 10:01:27 AM - System Checkpoint
RP256: 1/13/2012 10:07:24 AM - System Checkpoint
RP257: 1/14/2012 10:44:26 AM - System Checkpoint
RP258: 1/15/2012 11:22:38 AM - System Checkpoint
RP259: 1/16/2012 12:16:01 PM - System Checkpoint
RP260: 1/17/2012 2:08:47 PM - System Checkpoint
RP261: 1/18/2012 9:56:16 PM - System Checkpoint
RP262: 1/19/2012 10:38:29 PM - avast! Free Antivirus Setup
.
==== Installed Programs ======================
.
ABBYY FineReader 6.0 Sprint
Adobe Flash Player 11 Plugin
Adobe Reader 7.0
AOL Coach Version 2.0(Build:20041026.5 en)
AOL You've Got Pictures Screensaver
ArcSoft PhotoImpression 5
avast! Free Antivirus
BigFix
Browser Address Error Redirector
Canon MP470 series
Canon MP470 series User Registration
Digital Media Reader
DVD Solution
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Event Manager
EPSON Perfection V100 Photo Scanner Driver Update
EPSON Perfection V100P User's Guide
EPSON Scan
EPSON Scan Assistant
Google Desktop
Google Toolbar for Internet Explorer
gtw_logo
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895953)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914906)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
Intel Audio Studio 2.0
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™ Software
J2SE Runtime Environment 5.0 Update 2
Malwarebytes Anti-Malware version 1.60.0.1800
McAfee Uninstall Wizard
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Away Mode
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Money 2006
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox 9.0.1 (x86 en-US)
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Multimedia Keyboard Driver
Napster Burn Engine
Power2Go 4.0
PowerDVD
QuickTime
RealPlayer Basic
Recovery Software Suite Gateway
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
SigmaTel Audio
Soft Data Fax Modem with SmartCP
Sonic Encoders
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB925720)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Validation Tool
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB914548
Windows XP Media Center Edition 2005 KB973768
WinRAR 4.01 (32-bit)

 

[peterwright1234]

==== Event Viewer Messages From Past Week ========
.
1/18/2012 9:59:53 PM, error: Service Control Manager [7031] - The Intel(R) Viiv(TM) Media Server service terminated unexpectedly. It has done this 645 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Edit: The error above has occurred every 8 seconds on 1/18/2012 for total of 645 times. All perameters are identical. The repeats have been deleted by Bobbye

 

[peterwright1234]

1/18/2012 9:36:45 PM, error: Service Control Manager [7031] - The Intel(R) Viiv(TM) Media Server service terminated unexpectedly. It has done this 138 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Edit continued: The error above has occurred every 8 seconds on 1/18/2012 for total of 645 times. All perameters are identical. The repeats have been deleted by Bobbye

1/18/2012 8:46:44 AM, error: PlugPlayManager [12] - The device 'Standard floppy disk controller' (ACPI\PNP0700\4&12686f5b&0) disappeared from the system without first being prepared for removal.

 

[peterwright1234]

1/18/2012 10:41:43 PM, error: Service Control Manager [7031] - The Intel(R) Viiv(TM) Media Server service terminated unexpectedly. It has done this 645 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Edit continues: The error above has occurred every 8 seconds on 1/18/2012 for total of 645 times. All perameters are identical. The repeats have been deleted by Bobbye

 

[peterwright1234]

1/18/2012 10:18:47 PM, error: Service Control Manager [7031] - The Intel(R) Viiv(TM) Media Server service terminated unexpectedly. It has done this 645 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Edit continues: The error above has occurred every 8 seconds on 1/18/2012 for total of 645 times. All perameters are identical. The repeats have been deleted by Bobbye

==== End Of File ===========================

 

[Bobbye]

Peter, as you have seen, I have deleted the excess errors for the Intel® Viiv™ Software
Something for it was starting, then ending in 1/18 every 8 seconds.Here is information from Intel about this:

This end-of-interactive support (EOIS) notification is effective August 17, 2009.
Intel® Core™2 Processor with Viiv™ Technology
End of interactive support announcement for Intel® Viiv™ Processor Technology
Note All existing support content for these products has been removed and are no longer available.
>>>>>>>>>>>>>Intel® Viiv™ Technology Media server<<<<<<<<<<<<<<<<<<<
http://www.intel.com/support/viiv/sb/CS-030544.htm?wapkw=
Name: Intel(R) Viiv(TM) Media Server (M1 Server)
Filename: mediaserver.exe
Description: Related to Intel® Alert Service from Intel Corporation.
Located in C:\Program Files\Intel\IntelDH\CCU\

This is the Service it refers to: O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

My advice woud be to click on Start> Run> type in services.msc> Enter> look for the mediaserver and double click on it> Change the Startup Type to Disabled> Stop the Service> Apply> OK Exit Services and reboot the computer. You can check the Event viewer to see if is stopps all the 600+ Cpu high usage reported by others.
============================================
Please follow any previous instructions I have given you regarding the antivirus, Java update, Flash Disinfector. Combofix confirmed and removed some System Check Entries. Please print out the following and go through in the order I have given:
If you are infected with System Check it is important that you do not delete any files from your Temp folder or use any temp file cleaners

Note: You may not experience all of the below, but it is important to tell me what problems you do have.

• System Check is a fake (Rogue) computer analysis and optimization program.
• The 'alerts' tell you the problems have lead to corrupt and missing data
• It will display false error messages and security warnings.
• It "hides" Icons, desktop, programs and files so that they appear to be missing and some programs can't be run
• This can be installed through hacked sites that exploit vulnerabilities on the system or through fake online scanner pages
• The malware is configured to automatically start when you logon to Windows.
• It can also be started if you click on any of these alerts.

============================================
I am not comfortable with the use of the crack registry code and would like to proceed as follows:

Please print out the following instructions. It is important that the order of the scan below be followed exactly. Please read through all of the instructions before you begin.
------------------------You may skip steps #1, ,6 & 7 is they do not apply.............................
The following can be run first to allow you to 'see' the programs, files,etc. But it is important that you understand that this does not remove the malware, only the attribute to hide these features. So it is important that you continue with the cleaning:
1. Download Unhide.exe and save to the desktop.

• Double-click on Unhide.exe icon to run the program.
• This program will remove the +H, or hidden, attribute from all the files on your hard drives.

Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.
================================
2. Boot into Safe Mode with Networking

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.

=======================================
3. To end the processes that belong to the rogue program:
Please click on RKill

• At the download page, click on Download now button for iExplore.exe download link and save to the desktop
• Double click on the iExplore.exe icon
• Please be patient- it may take a bit.
• The black Window will close when through and you can continue.

Note: If you get a message that RKilll is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after runningRKilll as the malware programs will start again.
================================
4. This malware frequently comes with the TDSSrootkit, so do the following:

• Download the file TDSSKiller.zip and save to the desktop.
  (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
• Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
• Double click on TDSSKiller.exe. to run the scan
• When the scan is over, the utility outputs a list of detected objects with description.
  The utility automatically selects an action (Cure or Delete) for malicious objects.
  The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
• Select the action Quarantine to quarantine detected objects.
  The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43 Save log and post in next reply.
• After clicking Next, the utility applies selected actions and outputs the result.
• A reboot is required after disinfection.

====================================
If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
====================================
5. Update and rescan with Malwarebytes:

• Select Perform Full Scan on the Scanner tab
• Click on the Scan button.
• When scan has finished, you will see this image:
  
  
• Click on OK to close box and continue.
• Click on the Show Results button.
• Click on the Remove Selected button to remove all the listed malware.
• At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format>Uncheckk Word Wrap before copying the log to paste in your next reply.

==============================
5. Correct Display Changes if needed:
If the desktop background is black or if the theme has been removed:
For Windows XP: Click on Start> Control Panel> Display> change theme and/or background if needed.
For Windows Vista or Windows 7: Click on Start> Control Panel> Appearance & Personalization> Select Change Theme or Change Desktop Background
=====================================
6. Some items may not show on the Start menu. To add them back:

• Right click on Start> Properties
• Taskbar and Start Menu Properties screen appears
• choose Start Menu tab> Click on Customize
• For Windows XP> Choose Advanced tab
• Check the items you want back on the Start Menu
• When finished> click on OK> Apply and close.

====================================
You can now reboot back into Normal Mode.

Logs in next reply please.

 

[peterwright1234]

really busy again. ill get back to you within the next couple days. thanks.

 

[Bobbye]

Okay. Thanks for letting me know. Post when ready.

 

[Bobbye]

I'm going to close the thread. If you still need help, please send a PM.

 

[Bobbye]

Thread reopened at member's request.

 

[peterwright1234]

as for problems i notice, there are none. i dont see any sign of an active virus.

heres combo.txt:

ComboFix 12-02-12.01 - Owner 02/12/2012 11:30:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.998.511 [GMT -8:00]
Running from: c:\documents and settings\Owner.computer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.computer\Desktop\CFScript.txt
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk
c:\program files\bigfix\bigfix.exe
c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
c:\windows\Creator\Remind_XP.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
.
.
2012-02-12 19:02 . 2012-02-12 19:02 -------- d-----w- c:\documents and settings\Owner.computer\Application Data\SampleView
2012-02-12 18:57 . 2012-02-12 18:57 -------- d-----w- c:\program files\Common Files\Java
2012-02-12 18:57 . 2012-02-12 18:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-12 18:57 . 2012-02-12 18:56 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-12 18:56 . 2012-02-12 18:56 -------- d-----w- c:\program files\Java
2012-01-26 04:58 . 2012-01-26 04:58 -------- d-----w- c:\program files\ESET
2012-01-26 04:56 . 2012-01-26 04:56 -------- d-----w- c:\documents and settings\IUSR_NMPR\Application Data\McAfee.com Personal Firewall
2012-01-20 06:44 . 2012-01-20 06:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-20 06:44 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-20 06:38 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-01-20 06:38 . 2012-01-26 04:10 -------- d-----w- c:\program files\AVAST Software
2012-01-20 06:38 . 2012-01-20 06:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-01-20 05:21 . 2012-01-20 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-01-20 05:14 . 2012-01-20 05:14 -------- d-----w- c:\documents and settings\Owner.computer\Application Data\Malwarebytes
2012-01-20 05:14 . 2012-01-20 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 16:01 . 2011-11-29 16:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-10 15:51 . 2011-05-01 05:27 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-26_04.50.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-12 19:23 . 2012-02-12 19:23 16384 c:\windows\temp\Perflib_Perfdata_58c.dat
+ 2012-02-12 18:57 . 2012-02-12 18:56 157472 c:\windows\system32\javaws.exe
+ 2012-02-12 18:57 . 2012-02-12 18:56 149280 c:\windows\system32\javaw.exe
+ 2012-02-12 18:57 . 2012-02-12 18:56 149280 c:\windows\system32\java.exe
+ 2012-02-12 18:57 . 2012-02-12 18:57 203776 c:\windows\Installer\4f481.msi
+ 2012-02-12 18:56 . 2012-02-12 18:56 901120 c:\windows\Installer\4f47b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-05-01 169984]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-23 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 9134080]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 303104]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-30 375296]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2005-08-26 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
.
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [11/28/2002 8:23 PM 39048]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Owner.computer\Application Data\Mozilla\Firefox\Profiles\ta581wxw.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-12 11:34
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-02-12 11:35:51
ComboFix-quarantined-files.txt 2012-02-12 19:35
ComboFix2.txt 2012-01-26 04:51
.
Pre-Run: 224,243,695,616 bytes free
Post-Run: 224,240,619,520 bytes free
.
- - End Of File - - 096DCC8085845A3DAD61C05AF93EC571



rkill log:

rkill:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 02/12/2012 at 14:54:01.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 02/12/2012 at 14:54:03.


tdss didnt find anything and didnt produce a log.

heres the malwarebytes log:


malwarebytes:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.12.05

Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 6.0.2900.2180
Administrator :: COMPUTER [administrator]

2/12/2012 2:59:19 PM
mbam-log-2012-02-12 (14-59-19).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System |
Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 266575
Time elapsed: 19 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\System Volume
Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP261\A0013730
.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume
Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP262\A0015735
.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.

(end)


if ive forgotten anything let me know. thanks -peter

 

[Bobbye]

Peter, these logs look good. The 2 entries for System Volume in Eset are for entries that have been handled and are no longer active in the system. I will have you set a new restore point and drop the old restore point when we finish.

Have you rebooted back into Normal Mode? If yes, the system is clean and you can remove he cleaning tools. If no we will need to find out why.
-------------------------------------------------
Updates> Be sure both of the following are current:
Please update the following:
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
Adobe Reader > Current is vX(10.xx)> Adobe Reader Update
Java(TM) > Current is v6u30> Java Updates .
Uninstall any earlier versions in of both as they are vulnerabilities for the system.
=================================
If all functions have been restored and there are no new problems, go ahead with this:

Removing all of the tools we used and the files and folders they created

• Uninstall ComboFix and all Backups of the files it deleted
• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

• Download OTCleanIt by OldTimer and save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------

• You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
  
• Go back and follow the path to > System Tools.
  [*]Choose Disc Cleanup
  [*]Click "OK" to select the partition or drive you want.
  [*]Click the "More Options" Tab.
  [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Let me know if you have any questions.

 

[peterwright1234]

when i type combofix/uninstall into the run prompt it says it cant find it. any other way to uninstall?

 

[Bobbye]

See if it is still here: Running from: c:\documents and settings\Owner.computer\My Documents\Downloads\ComboFix.exe

 

[peterwright1234]

awesome. i cant thank you enough for your patience in helping me. you're king of the internet and pimp of the year. thank you!

 

[Bobbye]

You're welcome. I must admit that I have been called a lot of things on this board, but never 'pimp of the year'!