[Active] ThinkPoint and autorun.inf usb - infected hard drive

brodie · Nov 20, 2010

Yesterday I very stupidly downloaded this "ThinkPoint" program that popped up claiming to be some Microsoft Essentials virus protection thing, which looked legit to me so I let it do it's thing. Soon enough I realised it was a virus - I couldn't access my desktop or anything, so I used the Task Manager to get online and see how I could remove it. I followed the steps to delete certain registry files and files within the Application Data on the hard drive. I've no idea if I managed to get rid of it all. Then today, I inserted my USB and low and behold, it had a virus on it (I used it a few days ago on another computer, which I'm guessing that's where it caught it from). Some autorun.inf - I googled it and some sites said to delete such and such from the usb drive, which I did, all the while my computer was going psycho.

Avira kept alerting me literally every ten seconds that there were new viruses - 15 new viruses found - I click remove - another 3 found - remove again - 7 more found and so on. I ran a scan but nothing came up. I ran a Malware scan, again nothing. I went into Avira (the Events tab, which had about 3000 errors listed) to see where exactly the file path was and a lot of them said system restore, so I followed some online steps to turn off system restore (deleting the history) then back on again. There were also some in the Microsoft Antimalware files in the App Data on the c:/ drive in Avira. I didn't go through them all, so unsure where else. Anyway, at random intervals my computer fan or something makes a really loud noise, like it does when you have too many things going at once and all the resources are being used. I'm also having trouble visiting a lot of different sites, Firefox keeps saying Reported Attack Page -

"This web page at 64.111.196.126 has been reported as an attack page and has been blocked based on your security preferences."

I don't think it's the website because it's doing it to all different once - this site included, twitter, etc.

Avira has stopped alerting me of viruses every ten seconds, but it still does it maybe once an hour or so. Sorry if any of the above is confusing. I'm running Windows XP sp2 (I tried installing sp3 the other day, but every time I went to the microsoft update site, I kept getting the 'enable user data persistence" error 0x800A0046. Which, no matter what I tried, I couldn't get it working, so I just did a system restore to undo sp3.

If anyone can help out, it would be greatly appreciated! Thanks.

crunchie · Nov 20, 2010

Please read the directions given here and when done, post the requested logs.
Please paste the logs, do not attach them.

brodie · Nov 20, 2010

Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5104

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

20/11/2010 10:46:57 PM
mbam-log-2010-11-20 (22-46-57).txt

Scan type: Quick scan
Objects scanned: 153490
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-20 22:53:19
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6E040L0 rev.NAR61HA0
Running: hk4rm6i4.exe; Driver: C:\DOCUME~1\Debbie\LOCALS~1\Temp\uxtdikod.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

DDS:

DDS (Ver_10-11-10.01) - NTFSx86
Run by Debbie at 22:54:34.04 on Sat 20/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

============== Running Processes ===============

============== Pseudo HJT Report ===============

usearch page = hxxp://www.Google.com/
uInternet Settings,ProxyOverride = 192.168.1.1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Mobile Partner] "c:\program files\3 mobilebroadband\3 MobileBroadband.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\debbie\startm~1\programs\startup\AdbUpd.lnk -
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1274864140310
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1274890168812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\debbie\applic~1\mozilla\firefox\profiles\49ff8s4f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59033&p=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-11-20 08:26:13 -------- d-----w- c:\program files\MozBackup
2010-11-20 07:42:22 -------- d-----w- c:\program files\ESET
2010-11-20 06:17:55 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-20 06:17:55 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-20 05:50:38 -------- d-----w- c:\program files\AutorunRemover
2010-11-20 05:46:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-11-20 05:46:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-19 06:30:18 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-19 06:27:11 -------- d-----w- C:\d83227922bd7e19fbd
2010-11-19 06:17:23 -------- d-----w- c:\windows\system32\NtmsData
2010-11-17 03:54:35 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-11-17 03:18:09 -------- d-----w- c:\windows\system32\CatRoot2
2010-11-17 03:10:54 -------- d-----w- c:\windows\system32\Adobe
2010-11-17 01:58:06 -------- d-----w- C:\BJPrinter
2010-11-17 01:42:14 -------- d-----w- c:\program files\SlySoft
2010-11-16 22:36:52 -------- d-----w- c:\program files\DVD Shrink
2010-11-16 06:36:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-11-16 05:47:15 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2010-11-16 05:47:12 471040 ------w- c:\windows\system32\ImagXRA7.dll
2010-11-16 05:47:12 364544 ------w- c:\windows\system32\TwnLib4.dll
2010-11-16 05:47:11 476320 ------w- c:\windows\system32\ImagXpr7.dll
2010-11-16 05:47:11 262144 ------w- c:\windows\system32\ImagXR7.dll
2010-11-16 05:47:11 1568768 ------w- c:\windows\system32\ImagX7.dll
2010-11-16 05:47:10 38912 ------w- c:\windows\system32\picn20.dll
2010-11-16 05:47:07 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-11-13 01:53:12 -------- d-----w- c:\docume~1\debbie\applic~1\Malwarebytes
2010-11-13 01:53:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 01:53:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 01:53:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-13 01:53:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 01:49:19 -------- d-----w- c:\docume~1\debbie\applic~1\Avira
2010-11-06 06:44:34 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-11-06 06:44:33 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-11-06 06:44:33 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-11-06 06:44:33 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-11-06 06:44:33 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-11-06 06:44:33 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-11-06 06:44:33 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-11-06 06:21:29 19569 ----a-w- c:\windows\006203_.tmp
2010-11-04 10:22:06 -------- d-----w- c:\program files\MSXML 6.0
2010-11-04 09:59:17 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-11-04 09:43:31 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-11-04 09:43:31 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-11-04 09:43:31 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-11-04 09:43:31 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-11-04 09:42:03 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-11-04 09:32:37 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-11-04 09:32:37 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-10-29 03:48:20 -------- d-----w- c:\docume~1\debbie\locals~1\applic~1\Identities
2010-10-28 03:52:18 -------- d-----w- c:\program files\VideoLAN
2010-10-27 04:49:51 -------- d-----w- c:\documents and settings\debbie\IECompatCache

==================== Find3M ====================

2010-09-30 11:18:24 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll

============= FINISH: 22:55:33.68 ===============

Attach:

==== Disk Partitions =========================

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

3 MobileBroadband
Adobe Flash Player 10 Plugin
Adobe Reader 9
AnyDVD
Avira AntiVir Personal - Free Antivirus
DVD Shrink 3.2
DVD43 v4.6.0
ESET Online Scanner v3
Hotfix for Windows XP (KB952287)
ImgBurn
Intel(R) Extreme Graphics 2 Driver
Java Auto Updater
Java(TM) 6 Update 20
Malwarebytes' Anti-Malware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mobile Partner
MozBackup 1.4.10
Mozilla Firefox (3.6.12)
MSVCRT
MSXML 6 Service Pack 2 (KB973686)
Nero OEM
PopCap Browser Plugin
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Segoe UI
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11

==== End Of File ===========================

crunchie · Nov 20, 2010

You need to update MBA-M and re-run it please.

==================

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

You will need to use Internet Explorer to complete this scan.

You will need to temporarily Disable your current Anti-virus program.

Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.

When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

• Kaspersky Online Scanner
• Panda Active Scan
• Trend Micro HouseCall
• F-Secure Online Virus Scanner

brodie · Nov 20, 2010

I'm still getting random Report Page Attack's on firefox, but this time they say: "This web page at through-n.com has been reported as an attack page and has been blocked based on your security preferences."

Updated MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5158

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

21/11/2010 10:50:07 AM
mbam-log-2010-11-21 (10-50-07).txt

Scan type: Quick scan
Objects scanned: 154290
Time elapsed: 8 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Debbie\Start Menu\Programs\Startup\AdbUpd.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debbie\Start Menu\Programs\ThinkPoint.lnk (Rogue.ThinkPoint) -> Quarantined and deleted successfully.

ESET:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b77c63c5ce2de94db7bcd38f0164e57a
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-20 08:44:22
# local_time=2010-11-20 07:44:22 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=crash
# scanned=34638
# found=0
# cleaned=0
# scan_time=2843
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b77c63c5ce2de94db7bcd38f0164e57a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-21 12:22:59
# local_time=2010-11-21 11:22:59 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=crash
# scanned=31384
# found=0
# cleaned=0
# scan_time=1467

crunchie · Nov 20, 2010

FF3 has a built in security feature that let's you know if a site is safe or otherwise. It is not always accurate and can be disabled.
Open Tools > Options > Security
Uncheck the option "Tell me if the site I'm visiting is a suspected attack site"

You should also be able to put the site on a safe list to prevent it being flagged as bad.

==

Those logs look ok. Are you having problems other than that?

==

Java is out-of-date, so best do the following:

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.

Accept any prompts.

Open JavaRa.exe again and select Search For Updates.

Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

====

brodie · Nov 20, 2010

I tried installing the Java update but when I run it a window comes up saying:

The Windows Installer service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

I'm not running it in safe mode :/

Well I haven't been having any more virus alerts today like I did yesterday, the computer does seem to be working good now. Except I also noticed that in addition to the report attack page, when I click on some links from google, they're redirecting me to some search engine page. I didn't realise it before because I have a bad habit of clicking something then coming back an hour later.

Thanks so much for all your help.

crunchie · Nov 20, 2010

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

==========

Try the latest Windows Installer;

http://www.microsoft.com/downloads/...6f-60b6-4412-95b9-54d056d6f9f4&displaylang=en

brodie · Nov 20, 2010

MBRCheck:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 118):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FD000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75F7000 cqwfww.sys
0xF7508000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74F7000 pci.sys
0xF7607000 isapnp.sys
0xF7707000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF7617000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF770F000 PartMgr.sys
0xF7627000 VolSnap.sys
0xF74C0000 atapi.sys
0xF7637000 disk.sys
0xF7647000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF74A1000 fltmgr.sys
0xF748F000 sr.sys
0xF7478000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF744B000 NDIS.sys
0xF7430000 Mup.sys
0xF7546000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9978000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB9964000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77A7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9941000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77AF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF77B7000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7536000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7947000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB992D000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA7A0000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB9914000 \SystemRoot\System32\Drivers\AnyDVD.sys
0xF77BF000 \SystemRoot\System32\DRIVERS\dvd43llh.sys
0xBA790000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA780000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB98F1000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9502000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xB94DE000 \SystemRoot\system32\drivers\portcls.sys
0xBA770000 \SystemRoot\system32\drivers\drmk.sys
0xF7AAE000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF79A7000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF77C7000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA760000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA7FC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB94C7000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA750000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA740000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77CF000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB949E000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA730000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77DF000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA720000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79A9000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9370000 \SystemRoot\system32\DRIVERS\update.sys
0xBA7EC000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA710000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7687000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79AB000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF77F7000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF79AD000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA18A000 \SystemRoot\System32\Drivers\Null.SYS
0xF79AF000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7807000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF780F000 \SystemRoot\System32\drivers\vga.sys
0xF79B1000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79B3000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7817000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF781F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7923000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB1295000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB123D000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB1215000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB11F4000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB11D2000 \SystemRoot\System32\drivers\afd.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF774F000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xB117E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB110F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF76D7000 \SystemRoot\System32\Drivers\Fips.SYS
0xF76E7000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xB10EC000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF79B7000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xB9CF9000 \SystemRoot\system32\DRIVERS\usb8023.sys
0xF775F000 \SystemRoot\system32\DRIVERS\RNDISMP.SYS
0xB9CE9000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF75C6000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7767000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB9CE5000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB9CE1000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF75B6000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB02E8000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79C9000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF793B000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7777000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xB0FD8000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xB0193000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xB01BC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAFF26000 \SystemRoot\system32\drivers\wdmaud.sys
0xB00BB000 \SystemRoot\system32\drivers\sysaudio.sys
0xAFEF9000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF79ED000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xAFC35000 \SystemRoot\system32\DRIVERS\srv.sys
0xAFAAA000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 37):
0 System Idle Process
4 System
552 C:\WINDOWS\system32\smss.exe
600 csrss.exe
624 C:\WINDOWS\system32\winlogon.exe
676 C:\WINDOWS\system32\services.exe
688 C:\WINDOWS\system32\lsass.exe
876 C:\WINDOWS\system32\svchost.exe
924 svchost.exe
1020 C:\WINDOWS\system32\svchost.exe
1080 svchost.exe
1176 svchost.exe
1396 C:\WINDOWS\system32\spoolsv.exe
1444 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1560 svchost.exe
1684 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1776 C:\Program Files\Java\jre6\bin\jqs.exe
1820 C:\WINDOWS\explorer.exe
172 C:\WINDOWS\system32\wuauclt.exe
252 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
540 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
548 C:\Program Files\dvd43\DVD43_Tray.exe
296 C:\WINDOWS\system32\igfxtray.exe
580 C:\WINDOWS\soundman.exe
652 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
884 C:\WINDOWS\system32\ctfmon.exe
960 C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
584 alg.exe
980 C:\WINDOWS\system32\wscntfy.exe
2372 C:\Program Files\Mozilla Firefox\firefox.exe
2740 C:\Program Files\Mozilla Firefox\plugin-container.exe
3816 C:\WINDOWS\system32\mshta.exe
3800 C:\WINDOWS\system32\rundll32.exe
2112 C:\WINDOWS\system32\mshta.exe
764 C:\WINDOWS\system32\mshta.exe
788 C:\WINDOWS\system32\mshta.exe
2352 C:\Documents and Settings\Debbie\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: Maxtor6E040L0, Rev: NAR61HA0

Size Device Name MBR Status
--------------------------------------------
38 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

I downloaded the installer - ran it - restarted as it said - tried java again, but it still comes up with the same message.

crunchie · Nov 21, 2010

That log is ok.

Please download ComboFix by sUBs from HERE or HERE

You must download it to and run it from your Desktop

Physically disconnect from the internet.

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

Double click combofix.exe & follow the prompts.

When finished, it will produce a log. Please save that log to post in your next reply.

Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

brodie · Nov 21, 2010

I had to reconnected the internet during the beginning of running ComboFix because it downloaded/installed Windows Recovery Console. here's the log:

ComboFix 10-11-21.01 - Debbie 22/11/2010 12:53:57.1.2 - x86
Running from: c:\documents and settings\Debbie\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Debbie\LOCALS~1\Temp\IE172.tmp\sp2gdr\msctf.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE172.tmp\sp2qfe\msctf.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE172.tmp\update\spcustom.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE172.tmp\update\update.exe
c:\docume~1\Debbie\LOCALS~1\Temp\IE172.tmp\update\updspapi.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\ie4uinit.exe
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\iedkcs32.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\iedvtool.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\ieframe.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\iepeers.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\ieproxy.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\iertutil.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\inetcpl.cpl
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\jsproxy.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\msfeeds.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\msfeedsbs.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\mshtml.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\mstime.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\occache.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\urlmon.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\wininet.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3GDR\xpshims.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\ie4uinit.exe
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\iedkcs32.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\iedvtool.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\ieframe.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\iepeers.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\ieproxy.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\iertutil.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\inetcpl.cpl
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\jsproxy.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\msfeeds.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\msfeedsbs.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\mshtml.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\mstime.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\occache.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\urlmon.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\wininet.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\SP3QFE\xpshims.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\update\spcustom.dll
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\update\update.exe
c:\docume~1\Debbie\LOCALS~1\Temp\IE7B2.tmp\update\updspapi.dll
c:\documents and settings\Debbie\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\Debbie\Application Data\Adobe\AdobeUpdate.exe
c:\documents and settings\Debbie\Application Data\Adobe\plugs
c:\documents and settings\Debbie\Local Settings\Temp\IE172.tmp\sp2gdr\msctf.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE172.tmp\sp2qfe\msctf.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE172.tmp\update\spcustom.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE172.tmp\update\update.exe
c:\documents and settings\Debbie\Local Settings\Temp\IE172.tmp\update\updspapi.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\ie4uinit.exe
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\iedkcs32.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\iedvtool.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\ieframe.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\iepeers.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\ieproxy.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\iertutil.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\inetcpl.cpl
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\jsproxy.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\msfeeds.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\msfeedsbs.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\mshtml.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\mstime.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\occache.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\urlmon.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\wininet.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3GDR\xpshims.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\ie4uinit.exe
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\iedkcs32.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\iedvtool.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\ieframe.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\iepeers.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\ieproxy.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\iertutil.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\inetcpl.cpl
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\jsproxy.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\msfeeds.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\msfeedsbs.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\mshtml.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\mstime.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\occache.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\urlmon.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\wininet.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\SP3QFE\xpshims.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\update\spcustom.dll
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\update\update.exe
c:\documents and settings\Debbie\Local Settings\Temp\IE7B2.tmp\update\updspapi.dll
c:\windows\explorer(2).exe
c:\windows\explorer(3).exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-22 to 2010-11-22 )))))))))))))))))))))))))))))))
.

2010-11-20 08:26 . 2010-11-20 08:26 -------- d-----w- c:\program files\MozBackup
2010-11-20 07:42 . 2010-11-20 07:42 -------- d-----w- c:\program files\ESET
2010-11-20 06:17 . 2010-11-20 06:17 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-20 05:50 . 2010-11-20 06:16 -------- d-----w- c:\program files\AutorunRemover
2010-11-20 05:46 . 2010-11-20 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-11-20 05:46 . 2010-11-20 06:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-19 06:30 . 2010-11-20 06:17 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-19 06:27 . 2010-11-20 06:17 -------- d-----w- C:\d83227922bd7e19fbd
2010-11-19 06:17 . 2010-11-20 06:17 -------- d-----w- c:\windows\system32\NtmsData
2010-11-17 03:54 . 2010-11-17 03:54 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-11-17 03:18 . 2010-11-22 01:59 -------- d-----w- c:\windows\system32\CatRoot2
2010-11-17 03:10 . 2010-11-17 03:53 -------- d-----w- c:\windows\system32\Adobe
2010-11-17 03:02 . 2010-11-17 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-11-17 01:58 . 2010-11-17 01:58 -------- d-----w- C:\BJPrinter
2010-11-17 01:42 . 2010-11-17 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2010-11-17 01:42 . 2010-11-17 01:42 -------- d-----w- c:\program files\SlySoft
2010-11-16 22:36 . 2010-11-17 07:36 -------- d-----w- c:\program files\DVD Shrink
2010-11-16 06:36 . 2010-11-17 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-11-16 05:47 . 2000-06-26 00:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2010-11-16 05:47 . 2004-07-20 06:24 471040 ------w- c:\windows\system32\ImagXRA7.dll
2010-11-16 05:47 . 2004-07-08 22:43 364544 ------w- c:\windows\system32\TwnLib4.dll
2010-11-16 05:47 . 2004-07-20 06:24 476320 ------w- c:\windows\system32\ImagXpr7.dll
2010-11-16 05:47 . 2004-07-20 06:24 262144 ------w- c:\windows\system32\ImagXR7.dll
2010-11-16 05:47 . 2004-07-20 06:24 1568768 ------w- c:\windows\system32\ImagX7.dll
2010-11-16 05:47 . 2001-06-25 21:15 38912 ------w- c:\windows\system32\picn20.dll
2010-11-16 05:47 . 2010-11-16 05:48 -------- d-----w- c:\program files\Common Files\Ahead
2010-11-16 05:47 . 2001-07-09 00:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-11-16 05:47 . 2010-11-16 05:47 -------- d-----w- c:\program files\Ahead
2010-11-16 05:40 . 2010-11-20 08:27 -------- d-----w- c:\documents and settings\Debbie\Application Data\ImgBurn
2010-11-16 05:33 . 2010-11-16 05:33 -------- d-----w- c:\program files\ImgBurn
2010-11-13 01:53 . 2010-11-13 01:53 -------- d-----w- c:\documents and settings\Debbie\Application Data\Malwarebytes
2010-11-13 01:53 . 2010-04-29 04:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 01:53 . 2010-11-13 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-13 01:53 . 2010-04-29 04:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 01:53 . 2010-11-13 01:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 01:49 . 2010-11-13 01:49 -------- d-----w- c:\documents and settings\Debbie\Application Data\Avira
2010-11-06 06:44 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-11-06 06:44 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-11-06 06:44 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-11-06 06:44 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-11-06 06:44 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-11-06 06:44 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-11-06 06:44 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-11-06 06:21 . 2006-12-28 19:01 19569 ----a-w- c:\windows\006203_.tmp
2010-11-06 03:03 . 2010-11-06 03:03 -------- d-----w- c:\windows\Sun
2010-11-04 10:22 . 2010-11-04 10:22 -------- d-----w- c:\program files\MSXML 6.0
2010-11-04 09:59 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-11-04 09:43 . 2010-02-16 13:19 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-11-04 09:43 . 2010-02-16 13:17 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-11-04 09:43 . 2010-02-16 12:39 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-11-04 09:43 . 2010-02-16 12:39 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-11-04 09:42 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-11-04 09:32 . 2010-10-27 06:10 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-11-04 09:32 . 2010-10-27 06:10 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2010-10-30 03:25 . 2010-11-04 09:18 -------- d-s---w- c:\documents and settings\Brodie
2010-10-29 03:48 . 2010-10-29 03:48 -------- d-----w- c:\documents and settings\Debbie\Local Settings\Application Data\Identities
2010-10-28 03:53 . 2010-11-04 09:19 -------- d-----w- c:\documents and settings\Debbie\Application Data\vlc
2010-10-28 03:52 . 2010-10-28 03:52 -------- d-----w- c:\program files\VideoLAN
2010-10-27 04:49 . 2010-10-27 04:49 -------- d-----w- c:\documents and settings\Debbie\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-04 10:32 . 2010-05-27 00:32 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-04 10:32 . 2010-05-27 00:32 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-09-30 21:25 . 2010-09-30 21:25 30376 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2010-09-30 11:18 . 2010-09-30 11:18 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2010-09-14 13:16 . 2010-09-14 13:16 108480 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Mobile Partner"="c:\program files\3 MobileBroadband\3 MobileBroadband.exe" [2010-10-04 110592]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2010-11-15 4676544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-23 827904]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-04 135336]

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Debbie\Application Data\Mozilla\Firefox\Profiles\49ff8s4f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59033&p=
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 12:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1772)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-11-22 13:04:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-22 02:04

Pre-Run: 31,060,086,784 bytes free
Post-Run: 31,050,489,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9A0E00B468385528485433DA8EE14F23

crunchie · Nov 21, 2010

That cleaned out a bit. How are things now?

brodie · Nov 21, 2010

It's running quite well. I still can't get the java to install, but apart from that, I haven't received any more redirection or attack pages, no more virus alerts, etc. Looks like it's fixed! Thanks a bunch for all the help you've given, really appreciate it

crunchie · Nov 22, 2010

You'll need to get that Java installed or some web sites will not load correctly.
Not sure exactly what it may be, but I will look into it.

==

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:
Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

====

Try this fix from M$: http://support.microsoft.com/kb/315353

brodie · Nov 22, 2010

Okay, ran the OTC. Tried the fix you posted, but nothing happened when I tried steps 1-6. I had the black box up, typed in what it said to, but nothing happened after I pressed enter. So I tried the next part of the steps - with regedit, but the setting was already on "Allow" in the permissions for System, so I couldn't change anything.

crunchie · Nov 23, 2010

Not really sure what to suggest here. You may want to post over in the Windows OS forum.

TechSpot

[Active] ThinkPoint and autorun.inf usb - infected hard drive

brodie Newcomer, in training

crunchie Malware Helper

brodie Newcomer, in training

crunchie Malware Helper

brodie Newcomer, in training

crunchie Malware Helper

brodie Newcomer, in training

crunchie Malware Helper

brodie Newcomer, in training

crunchie Malware Helper

brodie Newcomer, in training

crunchie Malware Helper

brodie Newcomer, in training

crunchie Malware Helper

brodie Newcomer, in training

crunchie Malware Helper