TechSpot

System Check virus

By peterwright1234
Jan 20, 2012
  1. Hey, I've got the System Check virus. Before finding this forum I came across some other removal guides. So far I've used what I think was a cracked activation code for System Check. My desktop is restored, but I want expert help to really clean up. Here are the logs:

    mbam:

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.20.01

    Windows XP Service Pack 2 x86 NTFS
    Internet Explorer 6.0.2900.2180
    Owner :: COMPUTER [administrator]

    1/19/2012 10:57:28 PM
    mbam-log-2012-01-19 (22-57-28).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 204769
    Time elapsed: 19 minute(s), 48 second(s)

    Memory Processes Detected: 1
    C:\Documents and Settings\All Users\Application Data\VFRni75IoSd2WT.exe (Rogue.FakeAlert) -> 756 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VFRni75IoSd2WT (Rogue.FakeAlert) -> Data: C:\Documents and Settings\All Users\Application Data\VFRni75IoSd2WT.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Documents and Settings\All Users\Application Data\VFRni75IoSd2WT.exe (Rogue.FakeAlert) -> Delete on reboot.

    (end)


    gmer:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-01-19 23:30:41
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST325082 rev.3.AA
    Running: prwby5mb.exe; Driver: C:\DOCUME~1\OWNER~1.COM\LOCALS~1\Temp\pgliqpoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA137CBDA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA137CA45]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA13D17A2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)

    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
    AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
    AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
    AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
    AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Elkbd.sys (Intel Corporation)

    ---- EOF - GMER 1.0.15 ----


    dds:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180
    Run by Owner at 23:32:25 on 2012-01-19
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.998.395 [GMT -8:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall Plus *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\BigFix\bigfix.exe
    C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    C:\WINDOWS\arservice.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\rsvp.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
    mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: McAfee Anti-Phishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
    mRun: [CHotkey] zHotkey.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SigmatelSysTrayApp] sttray.exe
    mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
    mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
    mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
    mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
    mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
    mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
    mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
    mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
    mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
    mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
    mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
    mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
    mRun: [cDNVHQQjYlda.exe] c:\documents and settings\all users\application data\cDNVHQQjYlda.exe
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{A2FED552-FE35-4A20-9783-F84411D3330F} : DhcpNameServer = 192.168.0.1
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\owner.computer\application data\mozilla\firefox\profiles\ta581wxw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-19 435032]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-1-19 314456]
    R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2011-4-30 80640]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-1-19 20568]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-1-19 44768]
    R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2011-4-30 126976]
    R2 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-7-27 163840]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2011-4-30 221184]
    R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2011-4-30 122368]
    R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2011-4-30 114464]
    S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [2002-11-28 39048]
    S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2011-4-30 245760]
    .
    =============== Created Last 30 ================
    .
    2012-01-20 06:44:02 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-20 06:44:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-20 06:38:58 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-01-20 06:38:42 41184 ----a-w- c:\windows\avastSS.scr
    2012-01-20 06:38:29 -------- d-----w- c:\program files\AVAST Software
    2012-01-20 06:38:29 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    2012-01-20 05:21:31 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
    2012-01-20 05:14:46 -------- d-----w- c:\documents and settings\owner.computer\application data\Malwarebytes
    2012-01-20 05:14:40 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-01-10 15:51:16 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
    2012-01-10 15:51:16 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
    2012-01-10 15:51:16 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
    2012-01-10 15:51:16 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
    .
    ==================== Find3M ====================
    .
    2011-11-29 16:01:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    ============= FINISH: 23:35:04.28 ===============
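Added example, not part of the original thread and not code from Malwarebytes, DDS or ComboFix: a small Python triage that parses the autostart lines of the three logs above and flags the two traits the System Check dropper shows here, a program sitting directly in the all-users Application Data root with no vendor subfolder, and a random-looking mixed-case file name. The sample lines are copied from the logs posted above; the two heuristics and the names `parse_autostart`, `looks_random` and `triage` are mine and are not how those tools classify entries.

```python
import re

# Added example, not from the original thread. The two heuristics below are the
# author's own; MBAM/DDS/ComboFix do not classify entries this way.

# Rogues such as FakeAlert drop their binary straight into the shared
# profile-data root, with no vendor subfolder underneath it.
SHARED_DATA_ROOTS = {
    r"c:\documents and settings\all users\application data",  # Windows XP
    r"c:\programdata",                                         # Vista and later
}

EXE_EXT = r"\.(?:exe|dll|scr|bat|cmd|com)"

# DDS "Pseudo HJT" lines:   mRun: [Name] "c:\dir\x.exe" /args   or   mRun: [Name] c:\dir\x.exe /args
DDS_RUN = re.compile(
    r'^[mu]Run:\s*\[(?P<name>[^\]]+)\]\s*'
    r'(?:"(?P<q>[^"]+)"|(?P<u>.+?' + EXE_EXT + r'))(?=\s|$)', re.I)
# ComboFix REGEDIT4-style Run key lines:   "Name"="c:\dir\x.exe" [date size]
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"', re.I)
# MBAM registry-value detections:   ...\Run|Name (Rogue.X) -> Data: c:\dir\x.exe -> ...
MBAM_RUN = re.compile(
    r'\\Run\|(?P<name>\S+)\s.*?Data:\s*(?P<path>[a-z]:\\.+?' + EXE_EXT + r')(?=\s|$)', re.I)


def parse_autostart(line):
    """Return (name, path) for a recognised autostart log line, else None."""
    line = line.strip()
    m = DDS_RUN.match(line)
    if m:
        return m.group("name"), (m.group("q") or m.group("u"))
    m = CF_RUN.match(line) or MBAM_RUN.search(line)
    if m:
        return m.group("name"), m.group("path")
    return None


def in_shared_data_root(path):
    """True when the file sits directly in the all-users data root (no subfolder)."""
    folder = path.lower().replace("/", "\\").rpartition("\\")[0]
    return folder in SHARED_DATA_ROOTS


def looks_random(stem):
    """Mixed-case gibberish like VFRni75IoSd2WT: many upper/lower flips, often digits."""
    if len(stem) < 10:
        return False
    letters = [c for c in stem if c.isalpha()]
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    has_digit = any(c.isdigit() for c in stem)
    return flips >= 4 or (flips >= 2 and has_digit)


def triage(lines):
    """Parse every autostart line and attach the reasons it looks like a rogue."""
    entries = []
    for line in lines:
        parsed = parse_autostart(line)
        if not parsed:
            continue
        name, path = parsed
        stem = re.sub(EXE_EXT + r"$", "", path.rpartition("\\")[2], flags=re.I)
        reasons = []
        if in_shared_data_root(path):
            reasons.append("dropped in shared profile-data root")
        if looks_random(stem):
            reasons.append("random-looking file name")
        # Both traits together is the FakeAlert pattern; either alone is weak.
        entries.append({"name": name, "path": path, "reasons": reasons,
                        "suspicious": len(reasons) == 2})
    return entries


# Lines copied from the MBAM, DDS and ComboFix logs posted in this thread.
SAMPLE_LINES = [
    r'mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup',
    r'mRun: [CHotkey] zHotkey.exe',
    r'mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup',
    r'mRun: [cDNVHQQjYlda.exe] c:\documents and settings\all users\application data\cDNVHQQjYlda.exe',
    r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VFRni75IoSd2WT (Rogue.FakeAlert) -> Data: C:\Documents and Settings\All Users\Application Data\VFRni75IoSd2WT.exe -> Quarantined and deleted successfully.',
    r'"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]',
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        flag = "SUSPICIOUS" if e["suspicious"] else "ok"
        print(f'{flag:10} {e["name"]:24} {e["path"]}  {"; ".join(e["reasons"])}')
```

Run as a script it prints every parsed entry with its reasons; `cDNVHQQjYlda.exe` and `VFRni75IoSd2WT` are the only two that hit both heuristics. Legitimate software such as `GoogleDesktop.exe` has a case flip or two, but it lives under Program Files, which is why the verdict requires both traits rather than either one.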
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! This malware is really making the rounds! I will help you, but must ask that no other scans be done other than those I request.
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    About: AV: avast! Antivirus and AV: McAfee VirusScan. Please decide which you want to keep and uninstall the other. You did not need Avast if you had McAfee. Reboot when finished.
    ====================================
    There is another log from DDS; it is named Attach.txt. Please find it (do not zip it) and paste it into the next reply.
    =====================================
    You have a rogue malware infection, but I'm not sure it's System Check, so I'd like you to run the following:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job; this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe and follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install; just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste C:\ComboFix.txt into your next reply.
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ==================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push 'Export to text file' and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  3. peterwright1234

    peterwright1234 TS Rookie Topic Starter

    Hey, thanks for the quick reply. I'm not gonna be back at home, where the computer's at, until Sunday night, so I'll read thoroughly through the next steps and get back to you. One thing I don't know is if I have the full version of McAfee. Do I still need to uninstall it? -Peter
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You need to uninstall either McAfee or Avast. You should not have 2 antivirus programs running.

    Post logs when done.
     
  5. peterwright1234

    peterwright1234 TS Rookie Topic Starter

    Well, I'm much busier than expected. I won't be able to work on the computer until tomorrow night. I'm sorry. Please don't lose interest in helping me.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, post when you can.
     
  7. peterwright1234

    peterwright1234 TS Rookie Topic Starter

    combofix:

    ComboFix 12-01-23.02 - Owner 01/25/2012 20:46:39.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.998.483 [GMT -8:00]
    Running from: c:\documents and settings\Owner.computer\My Documents\Downloads\ComboFix.exe
    AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall Plus *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\All Users\Application Data\~VFRni75IoSd2WT
    c:\documents and settings\All Users\Application Data\~VFRni75IoSd2WTr
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\VFRni75IoSd2WT
    c:\documents and settings\Owner.computer\Desktop\System Check.lnk
    c:\documents and settings\Owner.computer\Start Menu\Programs\System Check
    c:\documents and settings\Owner.computer\Start Menu\Programs\System Check\System Check.lnk
    c:\documents and settings\Owner.computer\Start Menu\Programs\System Check\Uninstall System Check.lnk
    c:\windows\kb913800.exe
    c:\windows\system32\SET4C6.tmp
    c:\windows\Update.bat
    D:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-26 to 2012-01-26 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-20 06:44 . 2012-01-20 06:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-20 06:44 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-20 06:38 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2012-01-20 06:38 . 2012-01-26 04:10 -------- d-----w- c:\program files\AVAST Software
    2012-01-20 06:38 . 2012-01-20 06:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-01-20 05:21 . 2012-01-20 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2012-01-20 05:14 . 2012-01-20 05:14 -------- d-----w- c:\documents and settings\Owner.computer\Application Data\Malwarebytes
    2012-01-20 05:14 . 2012-01-20 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-01-10 15:51 . 2012-01-10 15:51 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-01-10 15:51 . 2012-01-10 15:51 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-01-10 15:51 . 2012-01-10 15:51 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-01-10 15:51 . 2012-01-10 15:51 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-29 16:01 . 2011-11-29 16:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-10 15:51 . 2011-05-01 05:27 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-05-01 169984]
    "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
    "CHotkey"="zHotkey.exe" [2004-12-09 550912]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-23 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 9134080]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 303104]
    "NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-30 375296]
    "VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
    "OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
    "MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
    "MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]
    "MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
    "MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
    "VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
    "MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424]
    "EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    BigFix.lnk - c:\program files\BigFix\bigfix.exe [2011-4-30 2168360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
    .
    S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [11/28/2002 8:23 PM 39048]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\Owner.computer\Application Data\Mozilla\Firefox\Profiles\ta581wxw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
    HKLM-Run-SigmatelSysTrayApp - sttray.exe
    HKLM-Run-cDNVHQQjYlda.exe - c:\documents and settings\All Users\Application Data\cDNVHQQjYlda.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-25 20:50
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(776)
    c:\windows\system32\igfxdev.dll
    .
    Completion time: 2012-01-25 20:51:23
    ComboFix-quarantined-files.txt 2012-01-26 04:51
    .
    Pre-Run: 224,487,829,504 bytes free
    Post-Run: 224,693,268,480 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 8F90D35CFA5EA48544429C3B395769F5

    eset scan:

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP261\A0013730.exe a variant of Win32/Kryptik.ZDN trojan
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP262\A0015735.exe a variant of Win32/Kryptik.ZDN trojan
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Repeating:
    ==================================
    There is a deletion in Combofix that indicates you may have a flash drive infection. (Drive D) These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

    Be sure to check all download screens for any pre-checked toolbars or BHOs; if found, remove the check before the download.
    ================================
    Combofix quarantined several System Check entries. No active entries in the Eset scan. The 2 System Volume entries are where restore points are kept. The infection isn't active in the system. I will have you remove the old restore points and create a new one when we finish.
    -------------------------------
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    DDS::
    mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    mRun: [cDNVHQQjYlda.exe] c:\documents and settings\all users\application data\cDNVHQQjYlda.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    Extra::
    File::
    c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    Firefox::
    Firefox-: - Profile- c:\documents and settings\owner.computer\application data\mozilla\firefox\profiles\ta581wxw.default\
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Reminder"=-
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Suggest you remove this from Startup:
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    BigFix.lnk - c:\program files\BigFix\bigfix.exe [2011-4-30 2168360]
    ======================
    Do any of the malware problems remain?
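    As an added illustration of the Flash_Disinfector note above (this is not the tool's own code, nor anything from TechSpot), the Python script below shows why a folder named autorun.inf protects a drive and how to read the directives an autorun.inf file would hand to the Windows shell. The sample file contents, the path inside it and the two temporary "drive roots" are all constructed for the example.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed sample of a worm-style autorun.inf (not taken from any real
# sample). The path and file name in it are made up for the example.
SAMPLE_AUTORUN = """\
[AutoRun]
open=RECYCLER\\S-1-5-21-1234\\setup.exe
shellexecute=RECYCLER\\S-1-5-21-1234\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

LAUNCH_KEYS = ("open", "shellexecute")
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")


def parse_autorun(text):
    """Return the [autorun] directives as a dict with lowercase keys.

    configparser handles the INI syntax; strict=False tolerates duplicate
    keys, and interpolation=None leaves '%' in paths alone.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str.lower
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def suspicious_directives(directives):
    """Reasons a helper would want to look at this file, or [] if none."""
    reasons = []
    for key, value in directives.items():
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        v = value.lower()
        if v.endswith(EXEC_SUFFIXES):
            reasons.append(f"{key} launches {value}")
        if "recycler" in v or "$recycle.bin" in v or "system volume information" in v:
            reasons.append(f"{key} points into a folder users rarely inspect")
    if directives.get("action", "").lower().startswith("open folder"):
        reasons.append("action mimics the normal 'Open folder' prompt")
    return reasons


def check_drive_root(root):
    """Classify what sits at <root>\\autorun.inf.

    ("protected", [])   a folder, as Flash_Disinfector creates it
    ("absent", [])      nothing there
    ("file", reasons)   a real autorun.inf, with the findings from above
    """
    p = Path(root) / "autorun.inf"
    if p.is_dir():
        return "protected", []
    if not p.exists():
        return "absent", []
    text = p.read_text(encoding="latin-1", errors="replace")
    return "file", suspicious_directives(parse_autorun(text))


def demo():
    """Build two throwaway 'drive roots' and compare them."""
    with tempfile.TemporaryDirectory() as protected, tempfile.TemporaryDirectory() as infected:
        (Path(protected) / "autorun.inf").mkdir()
        (Path(infected) / "autorun.inf").write_text(SAMPLE_AUTORUN)
        results = {
            "protected": check_drive_root(protected),
            "infected": check_drive_root(infected),
        }
        # The protective folder works because a file cannot be created where a
        # directory of the same name already exists; the OS refuses the write.
        try:
            (Path(protected) / "autorun.inf").write_text("[autorun]\nopen=x.exe\n")
            results["worm_write_blocked"] = False
        except OSError:
            results["worm_write_blocked"] = True
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    Running it prints "protected" for the folder root, a list of findings for the file root, and worm_write_blocked: True, which is the behaviour the note above relies on: the worm cannot drop its own autorun.inf while the folder occupies that name.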
     
  9. peterwright1234

    peterwright1234 TS Rookie Topic Starter

    thanks, I'll continue with this tomorrow night but for now here's the attach file:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/30/2011 9:10:00 PM
    System Uptime: 1/19/2012 11:20:47 PM (0 hours ago)
    .
    Motherboard: Intel Corporation | | DG965LV
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | LGA 775 | 1864/266mhz
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | LGA 775 | 1864/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 228 GiB total, 209.42 GiB free.
    D: is FIXED (FAT32) - 5 GiB total, 2.109 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP180: 10/22/2011 2:42:14 PM - System Checkpoint
    RP181: 10/23/2011 2:51:03 PM - System Checkpoint
    RP182: 10/24/2011 4:54:19 PM - System Checkpoint
    RP183: 10/25/2011 5:37:49 PM - System Checkpoint
    RP184: 10/26/2011 7:22:09 PM - System Checkpoint
    RP185: 10/27/2011 10:57:59 PM - System Checkpoint
    RP186: 10/29/2011 8:29:27 AM - System Checkpoint
    RP187: 10/30/2011 10:06:23 AM - System Checkpoint
    RP188: 10/31/2011 11:02:54 AM - System Checkpoint
    RP189: 11/1/2011 11:42:39 AM - System Checkpoint
    RP190: 11/2/2011 11:46:26 AM - System Checkpoint
    RP191: 11/3/2011 11:54:38 AM - System Checkpoint
    RP192: 11/4/2011 12:02:02 PM - System Checkpoint
    RP193: 11/6/2011 8:48:28 PM - System Checkpoint
    RP194: 11/7/2011 9:34:28 PM - System Checkpoint
    RP195: 11/9/2011 11:11:45 AM - System Checkpoint
    RP196: 11/9/2011 11:20:25 PM - Software Distribution Service 3.0
    RP197: 11/11/2011 12:10:28 AM - System Checkpoint
    RP198: 11/12/2011 1:10:27 AM - System Checkpoint
    RP199: 11/13/2011 2:10:27 AM - System Checkpoint
    RP200: 11/14/2011 8:19:16 AM - System Checkpoint
    RP201: 11/15/2011 8:53:51 AM - System Checkpoint
    RP202: 11/16/2011 9:41:06 AM - System Checkpoint
    RP203: 11/17/2011 9:51:58 AM - System Checkpoint
    RP204: 11/18/2011 10:12:46 AM - System Checkpoint
    RP205: 11/19/2011 11:12:46 AM - System Checkpoint
    RP206: 11/20/2011 11:14:33 AM - System Checkpoint
    RP207: 11/21/2011 12:16:20 PM - System Checkpoint
    RP208: 11/22/2011 5:11:03 PM - System Checkpoint
    RP209: 11/23/2011 6:02:08 PM - System Checkpoint
    RP210: 11/24/2011 8:17:06 PM - System Checkpoint
    RP211: 11/26/2011 8:57:00 AM - System Checkpoint
    RP212: 11/27/2011 9:32:23 AM - System Checkpoint
    RP213: 11/28/2011 11:16:47 AM - System Checkpoint
    RP214: 11/29/2011 4:41:57 PM - System Checkpoint
    RP215: 11/30/2011 6:22:36 PM - System Checkpoint
    RP216: 12/1/2011 6:55:40 PM - System Checkpoint
    RP217: 12/2/2011 8:24:42 PM - System Checkpoint
    RP218: 12/3/2011 9:01:06 PM - System Checkpoint
    RP219: 12/4/2011 9:49:57 PM - System Checkpoint
    RP220: 12/5/2011 10:22:52 PM - System Checkpoint
    RP221: 12/7/2011 10:06:22 AM - System Checkpoint
    RP222: 12/8/2011 1:09:45 PM - System Checkpoint
    RP223: 12/9/2011 1:27:36 PM - System Checkpoint
    RP224: 12/10/2011 2:14:05 PM - System Checkpoint
    RP225: 12/11/2011 5:01:00 PM - System Checkpoint
    RP226: 12/12/2011 7:26:06 PM - System Checkpoint
    RP227: 12/13/2011 8:00:38 PM - System Checkpoint
    RP228: 12/14/2011 8:42:19 PM - System Checkpoint
    RP229: 12/14/2011 10:48:24 PM - Software Distribution Service 3.0
    RP230: 12/15/2011 10:53:11 PM - System Checkpoint
    RP231: 12/17/2011 10:32:40 AM - System Checkpoint
    RP232: 12/18/2011 1:02:03 PM - System Checkpoint
    RP233: 12/19/2011 3:54:59 PM - System Checkpoint
    RP234: 12/20/2011 4:49:41 PM - System Checkpoint
    RP235: 12/21/2011 5:54:22 PM - System Checkpoint
    RP236: 12/22/2011 6:36:22 PM - System Checkpoint
    RP237: 12/23/2011 7:16:27 PM - System Checkpoint
    RP238: 12/24/2011 7:56:42 PM - System Checkpoint
    RP239: 12/25/2011 8:47:23 PM - System Checkpoint
    RP240: 12/26/2011 9:56:22 PM - System Checkpoint
    RP241: 12/27/2011 10:01:48 PM - System Checkpoint
    RP242: 12/28/2011 10:25:21 PM - System Checkpoint
    RP243: 12/29/2011 10:53:53 PM - System Checkpoint
    RP244: 12/31/2011 8:30:26 AM - System Checkpoint
    RP245: 1/1/2012 10:02:56 AM - System Checkpoint
    RP246: 1/2/2012 10:59:32 AM - System Checkpoint
    RP247: 1/3/2012 7:53:49 PM - System Checkpoint
    RP248: 1/4/2012 8:15:18 PM - System Checkpoint
    RP249: 1/5/2012 8:38:47 PM - System Checkpoint
    RP250: 1/6/2012 9:38:48 PM - System Checkpoint
    RP251: 1/7/2012 10:38:48 PM - System Checkpoint
    RP252: 1/8/2012 11:38:47 PM - System Checkpoint
    RP253: 1/10/2012 8:20:00 AM - System Checkpoint
    RP254: 1/11/2012 9:12:59 AM - Software Distribution Service 3.0
    RP255: 1/12/2012 10:01:27 AM - System Checkpoint
    RP256: 1/13/2012 10:07:24 AM - System Checkpoint
    RP257: 1/14/2012 10:44:26 AM - System Checkpoint
    RP258: 1/15/2012 11:22:38 AM - System Checkpoint
    RP259: 1/16/2012 12:16:01 PM - System Checkpoint
    RP260: 1/17/2012 2:08:47 PM - System Checkpoint
    RP261: 1/18/2012 9:56:16 PM - System Checkpoint
    RP262: 1/19/2012 10:38:29 PM - avast! Free Antivirus Setup
    .
    ==== Installed Programs ======================
    .
    ABBYY FineReader 6.0 Sprint
    Adobe Flash Player 11 Plugin
    Adobe Reader 7.0
    AOL Coach Version 2.0(Build:20041026.5 en)
    AOL You've Got Pictures Screensaver
    ArcSoft PhotoImpression 5
    avast! Free Antivirus
    BigFix
    Browser Address Error Redirector
    Canon MP470 series
    Canon MP470 series User Registration
    Digital Media Reader
    DVD Solution
    EPSON Attach To Email
    EPSON Copy Utility 3
    EPSON Event Manager
    EPSON Perfection V100 Photo Scanner Driver Update
    EPSON Perfection V100P User's Guide
    EPSON Scan
    EPSON Scan Assistant
    Google Desktop
    Google Toolbar for Internet Explorer
    gtw_logo
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows XP (KB888795)
    Hotfix for Windows XP (KB891593)
    Hotfix for Windows XP (KB893357)
    Hotfix for Windows XP (KB895953)
    Hotfix for Windows XP (KB895961)
    Hotfix for Windows XP (KB896256)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB899337)
    Hotfix for Windows XP (KB899510)
    Hotfix for Windows XP (KB902841)
    Hotfix for Windows XP (KB906569)
    Hotfix for Windows XP (KB909095)
    Hotfix for Windows XP (KB910728)
    Hotfix for Windows XP (KB912024)
    Hotfix for Windows XP (KB914906)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB981793)
    Intel Audio Studio 2.0
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Management Engine Interface
    Intel(R) Matrix Storage Manager
    Intel(R) PRO Network Connections Drivers
    Intel(R) Quick Resume Technology Drivers
    Intel® Viiv™ Software
    J2SE Runtime Environment 5.0 Update 2
    Malwarebytes Anti-Malware version 1.60.0.1800
    McAfee Uninstall Wizard
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.0 Hotfix (KB979904)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Away Mode
    Microsoft Digital Image Library 9 - Blocker
    Microsoft Digital Image Starter Edition 2006
    Microsoft Digital Image Starter Edition 2006 Editor
    Microsoft Digital Image Starter Edition 2006 Library
    Microsoft Money 2006
    Microsoft Office Standard Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Mozilla Firefox 9.0.1 (x86 en-US)
    MSN
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Multimedia Keyboard Driver
    Napster Burn Engine
    Power2Go 4.0
    PowerDVD
    QuickTime
    RealPlayer Basic
    Recovery Software Suite Gateway
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917537)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981350)
    Security Update for Windows XP (KB982381)
    SigmaTel Audio
    Soft Data Fax Modem with SmartCP
    Sonic Encoders
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Media Player 10 (KB910393)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB912945)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Viewpoint Media Player
    WebFldrs XP
    Windows Genuine Advantage Validation Tool
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888239
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    Windows XP Media Center Edition 2005 KB2502898
    Windows XP Media Center Edition 2005 KB2619340
    Windows XP Media Center Edition 2005 KB2628259
    Windows XP Media Center Edition 2005 KB914548
    Windows XP Media Center Edition 2005 KB973768
    WinRAR 4.01 (32-bit)
     
  10. peterwright1234

    peterwright1234 TS Rookie Topic Starter

    ==== Event Viewer Messages From Past Week ========
    .
    1/18/2012 9:59:53 PM, error: Service Control Manager [7031] - The Intel(R) Viiv(TM) Media Server service terminated unexpectedly. It has done this 645 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

    Edit: The error above has occurred every 8 seconds on 1/18/2012 for a total of 645 times. All parameters are identical. The repeats have been deleted by Bobbye.
     
  11. peterwright1234

    peterwright1234 TS Rookie Topic Starter

    1/18/2012 9:36:45 PM, error: Service Control Manager [7031] - The Intel(R) Viiv(TM) Media Server service terminated unexpectedly. It has done this 138 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

    Edit continued: The error above has occurred every 8 seconds on 1/18/2012 for a total of 645 times. All parameters are identical. The repeats have been deleted by Bobbye.

    1/18/2012 8:46:44 AM, error: PlugPlayManager [12] - The device 'Standard floppy disk controller' (ACPI\PNP0700\4&12686f5b&0) disappeared from the system without first being prepared for removal.
     
  12. peterwright1234

    peterwright1234 TS Rookie Topic Starter

    1/18/2012 10:41:43 PM, error: Service Control Manager [7031] - The Intel(R) Viiv(TM) Media Server service terminated unexpectedly. It has done this 645 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

    Edit continues: The error above has occurred every 8 seconds on 1/18/2012 for a total of 645 times. All parameters are identical. The repeats have been deleted by Bobbye.
     
  13. peterwright1234

    peterwright1234 TS Rookie Topic Starter

    1/18/2012 10:18:47 PM, error: Service Control Manager [7031] - The Intel(R) Viiv(TM) Media Server service terminated unexpectedly. It has done this 645 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

    Edit continues: The error above has occurred every 8 seconds on 1/18/2012 for a total of 645 times. All parameters are identical. The repeats have been deleted by Bobbye.

    ==== End Of File ===========================
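    The four posts above carry the same Service Control Manager event with only the counter changing, and the helper removed the repeats by hand. As an added example (not from DDS, ComboFix or TechSpot), the Python snippet below collapses Event Viewer lines of that format into one row per distinct event with a count and the typical interval between occurrences; the sample lines are constructed from the messages quoted above, with invented timestamps 8 seconds apart.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: three repeats of the service-crash event (only the
# counter differs) plus one unrelated event, in the DDS Event Viewer format.
SCM_MSG = ("The Intel(R) Viiv(TM) Media Server service terminated unexpectedly. "
           "It has done this {n} time(s). The following corrective action will be "
           "taken in 5000 milliseconds: Restart the service.")
SAMPLE_EVENTS = [
    f"1/18/2012 9:36:45 PM, error: Service Control Manager [7031] - {SCM_MSG.format(n=138)}",
    f"1/18/2012 9:36:53 PM, error: Service Control Manager [7031] - {SCM_MSG.format(n=139)}",
    f"1/18/2012 9:37:01 PM, error: Service Control Manager [7031] - {SCM_MSG.format(n=140)}",
    "1/18/2012 8:46:44 AM, error: PlugPlayManager [12] - The device 'Standard floppy disk controller' "
    r"(ACPI\PNP0700\4&12686f5b&0) disappeared from the system without first being prepared for removal.",
]

# "<m/d/yyyy h:mm:ss AM|PM>, <level>: <source> [<event id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_event(line):
    """Return the fields of one Event Viewer line, or None if it is not one."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "level": m.group("level"),
        "source": m.group("source"),
        "event_id": int(m.group("eid")),
        "msg": m.group("msg"),
    }


def collapse(lines):
    """Group events whose messages differ only in numbers; most frequent first."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        # Replace every digit run so "138 time(s)" and "139 time(s)" match.
        key = (ev["level"], ev["source"], ev["event_id"], re.sub(r"\d+", "#", ev["msg"]))
        groups[key].append(ev)
    summary = []
    for (level, source, eid, _), evs in groups.items():
        times = sorted(e["ts"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary.append({
            "level": level, "source": source, "event_id": eid,
            "count": len(evs), "first": times[0], "last": times[-1],
            "interval_s": median(gaps) if gaps else None,
            "sample": evs[0]["msg"],
        })
    summary.sort(key=lambda s: s["count"], reverse=True)
    return summary


if __name__ == "__main__":
    for s in collapse(SAMPLE_EVENTS):
        every = f" every {s['interval_s']:.0f}s" if s["interval_s"] else ""
        print(f"{s['count']}x {s['source']} [{s['event_id']}] {s['level']}{every}: {s['sample'][:60]}...")
```

    The median gap, rather than the mean, is reported so that one long pause (a reboot, say) between bursts does not hide a tight restart loop like the one in this thread.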
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Peter, as you have seen, I have deleted the excess errors for the Intel® Viiv™ Software.
    Something for it was starting, then ending, on 1/18 every 8 seconds. Here is information from Intel about this:

    This is the Service it refers to: O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

    My advice would be to click on Start> Run> type in services.msc> Enter> look for the mediaserver and double click on it> Change the Startup Type to Disabled> Stop the Service> Apply> OK. Exit Services and reboot the computer. You can check the Event Viewer to see if it stops all the 600+ CPU high-usage errors reported by others.
    ============================================
    Please follow any previous instructions I have given you regarding the antivirus, Java update, Flash Disinfector. Combofix confirmed and removed some System Check Entries. Please print out the following and go through in the order I have given:
    If you are infected with System Check, it is important that you do not delete any files from your Temp folder or use any temp file cleaners.

    Note: You may not experience all of the below, but it is important to tell me what problems you do have.
    • System Check is a fake (Rogue) computer analysis and optimization program.
    • The 'alerts' tell you the problems have led to corrupt and missing data.
    • It will display false error messages and security warnings.
    • It "hides" Icons, desktop, programs and files so that they appear to be missing and some programs can't be run
    • This can be installed through hacked sites that exploit vulnerabilities on the system or through fake online scanner pages
    • The malware is configured to automatically start when you logon to Windows.
    • It can also be started if you click on any of these alerts.
    ============================================
    I am not comfortable with the use of the crack registry code and would like to proceed as follows:

    Please print out the following instructions. It is important that the order of the scan below be followed exactly. Please read through all of the instructions before you begin.
    ------------------------You may skip steps #1, 6 & 7 if they do not apply.............................
    The following can be run first to allow you to 'see' the programs, files,etc. But it is important that you understand that this does not remove the malware, only the attribute to hide these features. So it is important that you continue with the cleaning:
    1. Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.
    ================================
    2. Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.
    =======================================
    3. To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ================================
    4. This malware frequently comes with the TDSS rootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
      Save the log and post it in your next reply.
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
    ====================================
    5. Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At the end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ==============================
    6. Correct Display Changes if needed:
    If the desktop background is black or if the theme has been removed:
    For Windows XP: Click on Start> Control Panel> Display> change theme and/or background if needed.
    For Windows Vista or Windows 7: Click on Start> Control Panel> Appearance & Personalization> Select Change Theme or Change Desktop Background
    =====================================
    7. Some items may not show on the Start menu. To add them back:
    • Right click on Start> Properties
    • Taskbar and Start Menu Properties screen appears
    • choose Start Menu tab> Click on Customize
    • For Windows XP> Choose Advanced tab
    • Check the items you want back on the Start Menu
    • When finished> click on OK> Apply and close.
    ====================================
    You can now reboot back into Normal Mode.

    Logs in next reply please.
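    The CFScript in post 8 removed two mRun entries, and the post above notes that the rogue is configured to start when you log on to Windows. As an added example, not code from any of the tools used in this thread, the Python script below reads autostart entries in the two notations seen here (DDS "mRun:" lines and ComboFix "Reg Loading Points" lines) and attaches the review hints a helper would check first: a bare file name with no directory, a location any user can write to, and a random-looking name. The Xk7PqwLmZ9Rt entry and all dates and sizes are constructed, and the %WINDIR% expansion to c:\windows is an assumption made for classification only.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines in the two notations used in this thread: DDS
# "mRun:" lines and ComboFix "Reg Loading Points" lines. The Xk7PqwLmZ9Rt
# entry is made up, as are all dates and sizes.
SAMPLE_LINES = [
    r"mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe",
    r"mRun: [cDNVHQQjYlda.exe] c:\documents and settings\all users\application data\cDNVHQQjYlda.exe",
    r'"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]',
    r'"CHotkey"="zHotkey.exe" [2004-12-09 550912]',
    r'"Xk7PqwLmZ9Rt"="c:\documents and settings\owner\local settings\temp\Xk7PqwLmZ9Rt.exe" [2012-02-01 311296]',
    r'"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]',
]

MRUN_RE = re.compile(r"^mRun: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
CFIX_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?: \[(?P<meta>[^\]]*)\])?$')

# Autostart entries living here deserve a look: any user (or malware running
# as one) can write there, unlike Program Files or the Windows directory.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\recycler\\")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}", re.I)


def parse_entry(line):
    """Return {'name', 'path'} for a recognised line, else None."""
    line = line.strip()
    m = MRUN_RE.match(line) or CFIX_RE.match(line)
    if not m:
        return None
    return {"name": m.group("name"), "path": m.group("path")}


def flags_for(path):
    """Heuristic review hints for one autostart path (hints, not a verdict)."""
    reasons = []
    # Assumption for classification only: %WINDIR% is c:\windows.
    low = path.lower().replace("%windir%", "c:\\windows")
    if "\\" not in low:
        reasons.append("unqualified path (resolved via search order)")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("user-writable location")
    stem = PureWindowsPath(path).stem
    mixed = re.search(r"\d", stem) and re.search(r"[a-z]", stem) and re.search(r"[A-Z]", stem)
    if CONSONANT_RUN.search(stem) or (mixed and len(stem) >= 10):
        reasons.append("random-looking file name")
    return reasons


def triage(lines):
    """Parse every recognised line and attach its review flags."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        entry["flags"] = flags_for(entry["path"])
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(("REVIEW " if f["flags"] else "ok     ") + f["name"] + "  " + f["path"])
        for reason in f["flags"]:
            print("        - " + reason)
```

    The name heuristic will also flag some vendor files with vowel-less names, which is why the flags are review hints rather than verdicts; the location check is the stronger signal, and it is exactly what singles out the two entries that were removed in this thread.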
     
  15. peterwright1234

    peterwright1234 TS Rookie Topic Starter

    really busy again. I'll get back to you within the next couple of days. thanks.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay. Thanks for letting me know. Post when ready.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm going to close the thread. If you still need help, please send a PM.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thread reopened at member's request.
     
  19. peterwright1234

    peterwright1234 TS Rookie Topic Starter

    As for problems I notice, there are none. I don't see any sign of an active virus.

    Here's combo.txt:

    ComboFix 12-02-12.01 - Owner 02/12/2012 11:30:58.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.998.511 [GMT -8:00]
    Running from: c:\documents and settings\Owner.computer\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner.computer\Desktop\CFScript.txt
    AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall Plus *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    FILE ::
    "c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk
    c:\program files\bigfix\bigfix.exe
    c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    c:\windows\Creator\Remind_XP.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-12 19:02 . 2012-02-12 19:02 -------- d-----w- c:\documents and settings\Owner.computer\Application Data\SampleView
    2012-02-12 18:57 . 2012-02-12 18:57 -------- d-----w- c:\program files\Common Files\Java
    2012-02-12 18:57 . 2012-02-12 18:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-02-12 18:57 . 2012-02-12 18:56 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-12 18:56 . 2012-02-12 18:56 -------- d-----w- c:\program files\Java
    2012-01-26 04:58 . 2012-01-26 04:58 -------- d-----w- c:\program files\ESET
    2012-01-26 04:56 . 2012-01-26 04:56 -------- d-----w- c:\documents and settings\IUSR_NMPR\Application Data\McAfee.com Personal Firewall
    2012-01-20 06:44 . 2012-01-20 06:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-20 06:44 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-20 06:38 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2012-01-20 06:38 . 2012-01-26 04:10 -------- d-----w- c:\program files\AVAST Software
    2012-01-20 06:38 . 2012-01-20 06:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-01-20 05:21 . 2012-01-20 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2012-01-20 05:14 . 2012-01-20 05:14 -------- d-----w- c:\documents and settings\Owner.computer\Application Data\Malwarebytes
    2012-01-20 05:14 . 2012-01-20 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-29 16:01 . 2011-11-29 16:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-10 15:51 . 2011-05-01 05:27 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-01-26_04.50.20 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-02-12 19:23 . 2012-02-12 19:23 16384 c:\windows\temp\Perflib_Perfdata_58c.dat
    + 2012-02-12 18:57 . 2012-02-12 18:56 157472 c:\windows\system32\javaws.exe
    + 2012-02-12 18:57 . 2012-02-12 18:56 149280 c:\windows\system32\javaw.exe
    + 2012-02-12 18:57 . 2012-02-12 18:56 149280 c:\windows\system32\java.exe
    + 2012-02-12 18:57 . 2012-02-12 18:57 203776 c:\windows\Installer\4f481.msi
    + 2012-02-12 18:56 . 2012-02-12 18:56 901120 c:\windows\Installer\4f47b.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-05-01 169984]
    "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
    "CHotkey"="zHotkey.exe" [2004-12-09 550912]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-23 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 9134080]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 303104]
    "NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-30 375296]
    "VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
    "OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
    "MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
    "MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2005-08-26 212992]
    "MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
    "MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
    "VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
    "MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424]
    "EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
    .
    S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [11/28/2002 8:23 PM 39048]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\Owner.computer\Application Data\Mozilla\Firefox\Profiles\ta581wxw.default\
    FF - prefs.js: browser.search.selectedEngine - eBay
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-12 11:34
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2012-02-12 11:35:51
    ComboFix-quarantined-files.txt 2012-02-12 19:35
    ComboFix2.txt 2012-01-26 04:51
    .
    Pre-Run: 224,243,695,616 bytes free
    Post-Run: 224,240,619,520 bytes free
    .
    - - End Of File - - 096DCC8085845A3DAD61C05AF93EC571



    rkill log:

    rkill:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 02/12/2012 at 14:54:01.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 02/12/2012 at 14:54:03.


    tdss didnt find anything and didnt produce a log.

    heres the malwarebytes log:


    malwarebytes:

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.12.05

    Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 6.0.2900.2180
    Administrator :: COMPUTER [administrator]

    2/12/2012 2:59:19 PM
    mbam-log-2012-02-12 (14-59-19).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 266575
    Time elapsed: 19 minute(s), 10 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP261\A0013730.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP262\A0015735.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.

    (end)


    If I've forgotten anything, let me know. Thanks -Peter
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Peter, these logs look good. The 2 entries for System Volume in Eset are for entries that have been handled and are no longer active in the system. I will have you set a new restore point and drop the old restore point when we finish.

    Have you rebooted back into Normal Mode? If yes, the system is clean and you can remove the cleaning tools. If no, we will need to find out why.
    -------------------------------------------------
    Updates> Be sure both of the following are current:
    Please update the following:
    Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
    Adobe Reader > Current is vX(10.xx)> Adobe Reader Update
    Java(TM) > Current is v6u30> Java Updates .
    Uninstall any earlier versions of both, as they are vulnerabilities for the system.
    =================================
    If all functions have been restored and there are no new problems, go ahead with this:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any questions.
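The reasoning in the reply above (the two System Volume Information hits are copies in old restore points, so they are inert until an old point is restored, which is why a fresh restore point is set and the old ones purged; a "Delete on reboot" hit needs a reboot and rescan before the system is called clean) can be turned into a small triage pass over the Malwarebytes log format posted in this thread. The script below is an added example and is not part of the thread, of Malwarebytes, or of any tool the helper used. The bucket names (`live`, `pending_reboot`, `restore_point_copy`), the regular expressions, and the function names are this example's own; the sample log is constructed from the detection lines that appear in the two logs above, each on a single line as MBAM writes it.

```python
"""Triage a Malwarebytes Anti-Malware 1.x text log like the ones posted above.

Added example for this thread, not a tool used in it and not Malwarebytes code.
Each detection lands in one of three buckets (names are this example's own):
  live               object in a location the running system uses; check its action
  pending_reboot     MBAM could only schedule removal ("Delete on reboot")
  restore_point_copy copy under \\System Volume Information\\_restore{GUID}\\RPnnn,
                     an old System Restore snapshot, inert unless that point is restored
"""
import re
from dataclasses import dataclass

# Section header such as "Files Detected: 2" or "Memory Modules Detected: 0".
CATEGORY_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# One detection: "<item> (<threat>) -> [<detail> -> ]<action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
# XP restore-point storage; RPnnn is the restore point number seen in the log.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)

# Constructed sample: the detections from the two logs in this thread, merged
# into one file with each detection on a single line as MBAM writes it.
SAMPLE_LOG = """\
Malwarebytes Anti-Malware 1.60.1.1000

Memory Processes Detected: 1
C:\\Documents and Settings\\All Users\\Application Data\\VFRni75IoSd2WT.exe (Rogue.FakeAlert) -> 756 -> Delete on reboot.

Registry Values Detected: 1
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|VFRni75IoSd2WT (Rogue.FakeAlert) -> Data: C:\\Documents and Settings\\All Users\\Application Data\\VFRni75IoSd2WT.exe -> Quarantined and deleted successfully.

Files Detected: 2
C:\\System Volume Information\\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\\RP261\\A0013730.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\\System Volume Information\\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\\RP262\\A0015735.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.

(end)
"""


@dataclass
class Detection:
    category: str  # MBAM section, e.g. "Files" or "Registry Values"
    item: str      # file path, or registry key|value
    threat: str    # MBAM detection name, e.g. "Rogue.FakeAlert"
    action: str    # MBAM disposition, trailing period removed

    @property
    def bucket(self) -> str:
        if RESTORE_POINT_RE.search(self.item):
            return "restore_point_copy"
        if "delete on reboot" in self.action.lower():
            return "pending_reboot"
        return "live"


def parse_mbam_log(text: str) -> list[Detection]:
    """Return every detection in the log, in file order."""
    detections: list[Detection] = []
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        header = CATEGORY_RE.match(line)
        if header:
            category = header["category"]
            continue
        # Skip the summary above the first section, blank lines, and the
        # "(No malicious items detected)" / "(end)" placeholders.
        if category is None or not line or line.startswith("("):
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        # The last " -> " segment is the disposition; anything before it (a PID
        # for processes, "Data: ..." for registry values) is detail we drop.
        action = m["rest"].split(" -> ")[-1].rstrip(".")
        detections.append(Detection(category, m["item"], m["threat"], action))
    return detections


def triage(text: str) -> dict[str, list[str]]:
    """Bucket name -> the items that fell into it."""
    buckets: dict[str, list[str]] = {"live": [], "pending_reboot": [], "restore_point_copy": []}
    for d in parse_mbam_log(text):
        buckets[d.bucket].append(d.item)
    return buckets


def follow_up(text: str) -> list[str]:
    """Next steps the buckets call for, in the order to do them."""
    b, steps = triage(text), []
    if b["pending_reboot"]:
        steps.append(f"reboot and rescan: {len(b['pending_reboot'])} object(s) only scheduled for deletion")
    if b["live"]:
        steps.append(f"confirm {len(b['live'])} live object(s) were removed and do not return")
    if b["restore_point_copy"]:
        steps.append(f"create a new restore point, then purge old ones: {len(b['restore_point_copy'])} snapshot copies")
    return steps


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(items)}", *items, sep="\n  ")
    print(*follow_up(SAMPLE_LOG), sep="\n")
```

Run it against a saved mbam-log-*.txt by reading the file into `triage()` or `follow_up()`. The point of the split is that a restore-point copy counts as handled once the old points are gone, while a "Delete on reboot" entry is not confirmed until the machine has been restarted and rescanned in Normal Mode.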
     
  21. peterwright1234

    peterwright1234 TS Rookie Topic Starter

    When I type combofix/uninstall into the Run prompt it says it can't find it. Any other way to uninstall?
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    See if it is still here: Running from: c:\documents and settings\Owner.computer\My Documents\Downloads\ComboFix.exe
     
  23. peterwright1234

    peterwright1234 TS Rookie Topic Starter

    Awesome. I can't thank you enough for your patience in helping me. You're king of the internet and pimp of the year. Thank you!
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. I must admit that I have been called a lot of things on this board, but never 'pimp of the year'!
     
Topic Status:
Not open for further replies.
