TechSpot

TR/DROP.TDss.way detected by Avira

By Buzz
Jan 9, 2011
  1. Hi guys...

    Started my comp yesterday and Avira popped up saying I had this trojan TR/DROP.TDss.way ... A0050325.exe

    I did as Avira instructed.
    Ran SUPERAntiSpyware - no probs
    Ran Spybot - no probs

    My comp seems to be running fine.

    Here are the logs from the updated 8 step instructions:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5481

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    08-Jan-11 6:08:00 PM
    mbam-log-2011-01-08 (18-08-00).txt

    Scan type: Quick scan
    Objects scanned: 148438
    Time elapsed: 2 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ..........................................................

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-08 20:48:37
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0 WDC_WD32 rev.01.0
    Running: yx3lkee8.exe; Driver: C:\DOCUME~1\Buzzzzz\LOCALS~1\Temp\kgpyikog.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    ---- EOF - GMER 1.0.15 ----
    ............................................................

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Buzzzzz at 15:17:08.53 on 09-Jan-11
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2478 [GMT 7:00]

    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: ZoneAlarm Firewall *Enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    C:\Program Files\Hotspot Shield\bin\hsswd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Digiarty\WinX DVD Author 5.5\NMSAccessU.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Program Files\Hotspot Shield\bin\openvpntray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Buzzzzz\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uInternet Settings,ProxyOverride = local;*.local
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
    TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} - c:\documents and settings\buzzzzz\application data\mozilla\firefox\profiles\jjg4pz97.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.78.dll
    TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    uRun: [Google Update] "c:\documents and settings\buzzzzz\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\buzzzzz\applic~1\mozilla\firefox\profiles\jjg4pz97.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.gmail.com/ncr
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\documents and settings\buzzzzz\application data\mozilla\firefox\profiles\jjg4pz97.default\extensions\cfxhelper@triton\components\dwmxpcom.dll
    FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
    FF - component: c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll
    FF - plugin: c:\documents and settings\buzzzzz\application data\mozilla\firefox\profiles\jjg4pz97.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\buzzzzz\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
    FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
    FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
    FF - Ext: Office Black: Office2007Black@JBBS - %profile%\extensions\Office2007Black@JBBS
    FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
    FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}
    FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
    FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
    FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
    FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-16 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-5 532224]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-16 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-16 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-16 61960]
    R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-5-26 26352]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-5-26 493032]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-21 133104]
    S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [2009-2-9 58352]
    S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [2009-2-9 8304]
    S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [2009-2-9 93904]
    S3 cmo_serd;Data Modem @ CDMA Second DS Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [2009-2-9 73696]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

    =============== Created Last 30 ================

    2011-01-08 10:48:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-08 10:48:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-08 10:48:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-25 20:26:38 -------- d-----w- c:\windows\system32\NtmsData
    2010-12-19 18:29:15 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
    2010-12-19 18:24:44 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-19 18:22:00 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-11 06:14:13 -------- d-----w- c:\docume~1\buzzzzz\applic~1\Avira

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 15:18:47.78 ===============



    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 03-Dec-08 1:00:14 AM
    System Uptime: 08-Jan-11 5:57:52 PM (22 hours ago)

    Motherboard: ACER | | MCP73VE
    Processor: Intel Pentium III Xeon processor | SOCKET775 M/B | 2499/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 250 GiB total, 139.562 GiB free.
    D: is FIXED (NTFS) - 48 GiB total, 32.444 GiB free.
    E: is CDROM (CDFS)
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&1624BDC1&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&1624BDC1&0
    Service: i8042prt

    ==== System Restore Points ===================

    RP104: 12-Oct-10 5:18:22 PM - System Checkpoint
    RP105: 13-Oct-10 6:34:29 PM - System Checkpoint
    RP106: 14-Oct-10 5:34:59 PM - Software Distribution Service 3.0
    RP107: 15-Oct-10 7:11:52 PM - System Checkpoint
    RP108: 16-Oct-10 8:37:01 PM - System Checkpoint
    RP109: 17-Oct-10 4:22:46 PM - Installed Java(TM) 6 Update 22
    RP110: 18-Oct-10 4:50:54 PM - System Checkpoint
    RP111: 19-Oct-10 4:58:08 PM - System Checkpoint
    RP112: 20-Oct-10 6:05:49 PM - System Checkpoint
    RP113: 21-Oct-10 6:47:16 PM - System Checkpoint
    RP114: 22-Oct-10 7:58:25 PM - System Checkpoint
    RP115: 23-Oct-10 8:53:20 PM - System Checkpoint
    RP116: 24-Oct-10 8:54:21 PM - System Checkpoint
    RP117: 25-Oct-10 9:21:10 PM - System Checkpoint
    RP118: 26-Oct-10 10:15:25 PM - System Checkpoint
    RP119: 27-Oct-10 10:28:01 PM - System Checkpoint
    RP120: 28-Oct-10 10:55:49 PM - System Checkpoint
    RP121: 30-Oct-10 7:44:28 PM - System Checkpoint
    RP122: 31-Oct-10 5:05:08 AM - Software Distribution Service 3.0
    RP123: 01-Nov-10 10:20:41 AM - System Checkpoint
    RP124: 04-Nov-10 6:16:06 PM - System Checkpoint
    RP125: 05-Nov-10 8:34:20 PM - System Checkpoint
    RP126: 06-Nov-10 9:14:03 PM - System Checkpoint
    RP127: 07-Nov-10 10:06:55 PM - System Checkpoint
    RP128: 08-Nov-10 10:23:45 PM - System Checkpoint
    RP129: 09-Nov-10 11:23:23 PM - System Checkpoint
    RP130: 11-Nov-10 12:37:33 AM - System Checkpoint
    RP131: 12-Nov-10 1:01:39 AM - System Checkpoint
    RP132: 13-Nov-10 1:10:51 AM - System Checkpoint
    RP133: 13-Nov-10 3:40:52 AM - Software Distribution Service 3.0
    RP134: 14-Nov-10 4:12:46 AM - System Checkpoint
    RP135: 15-Nov-10 4:41:18 AM - System Checkpoint
    RP136: 16-Nov-10 12:22:21 AM - Installed Google SketchUp Pro 7
    RP137: 16-Nov-10 12:22:43 AM - Removed Google SketchUp 7
    RP138: 17-Nov-10 12:42:09 AM - System Checkpoint
    RP139: 18-Nov-10 2:13:57 AM - System Checkpoint
    RP140: 19-Nov-10 2:17:26 AM - System Checkpoint
    RP141: 20-Nov-10 2:52:32 AM - System Checkpoint
    RP142: 21-Nov-10 1:58:16 PM - System Checkpoint
    RP143: 22-Nov-10 2:02:31 PM - System Checkpoint
    RP144: 23-Nov-10 2:33:54 PM - System Checkpoint
    RP145: 24-Nov-10 3:49:45 PM - System Checkpoint
    RP146: 25-Nov-10 4:46:00 PM - System Checkpoint
    RP147: 26-Nov-10 6:32:32 PM - System Checkpoint
    RP148: 27-Nov-10 7:26:33 PM - System Checkpoint
    RP149: 28-Nov-10 7:34:12 PM - System Checkpoint
    RP150: 29-Nov-10 7:40:57 PM - System Checkpoint
    RP151: 30-Nov-10 8:35:03 PM - System Checkpoint
    RP152: 01-Dec-10 9:14:57 PM - System Checkpoint
    RP153: 02-Dec-10 9:35:08 PM - System Checkpoint
    RP154: 03-Dec-10 10:19:23 PM - System Checkpoint
    RP155: 04-Dec-10 11:27:27 PM - System Checkpoint
    RP156: 06-Dec-10 12:37:47 AM - System Checkpoint
    RP157: 07-Dec-10 1:14:07 AM - System Checkpoint
    RP158: 08-Dec-10 1:16:35 AM - System Checkpoint
    RP159: 09-Dec-10 2:53:39 AM - System Checkpoint
    RP160: 10-Dec-10 5:00:17 AM - System Checkpoint
    RP161: 11-Dec-10 12:17:08 PM - System Checkpoint
    RP162: 12-Dec-10 12:47:34 PM - System Checkpoint
    RP163: 13-Dec-10 5:55:46 PM - System Checkpoint
    RP164: 14-Dec-10 6:04:04 PM - System Checkpoint
    RP165: 15-Dec-10 6:50:50 PM - System Checkpoint
    RP166: 16-Dec-10 7:17:16 PM - System Checkpoint
    RP167: 17-Dec-10 9:57:23 PM - System Checkpoint
    RP168: 18-Dec-10 10:35:06 PM - System Checkpoint
    RP169: 19-Dec-10 10:36:11 PM - System Checkpoint
    RP170: 20-Dec-10 1:34:25 AM - Software Distribution Service 3.0
    RP171: 21-Dec-10 2:53:52 AM - System Checkpoint
    RP172: 22-Dec-10 6:24:21 AM - System Checkpoint
    RP173: 23-Dec-10 7:14:03 AM - System Checkpoint
    RP174: 24-Dec-10 4:24:27 PM - System Checkpoint
    RP175: 25-Dec-10 4:28:50 PM - System Checkpoint
    RP176: 26-Dec-10 4:29:46 PM - System Checkpoint
    RP177: 27-Dec-10 5:10:38 PM - System Checkpoint
    RP178: 28-Dec-10 6:24:28 PM - System Checkpoint
    RP179: 29-Dec-10 6:40:59 PM - System Checkpoint
    RP180: 30-Dec-10 8:29:55 PM - System Checkpoint
    RP181: 31-Dec-10 9:30:57 PM - System Checkpoint
    RP182: 01-Jan-11 9:55:36 PM - System Checkpoint
    RP183: 02-Jan-11 11:00:36 PM - System Checkpoint
    RP184: 03-Jan-11 1:32:30 AM - Installed Google SketchUp 8
    RP185: 04-Jan-11 1:36:05 AM - System Checkpoint
    RP186: 05-Jan-11 2:25:06 AM - System Checkpoint
    RP187: 06-Jan-11 2:44:14 AM - System Checkpoint
    RP188: 07-Jan-11 2:48:27 AM - System Checkpoint
    RP189: 08-Jan-11 4:27:33 PM - System Checkpoint

    ==== Installed Programs ======================


    µTorrent
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.0
    Adobe Shockwave Player 11
    Altysoft Free Video Converter 2.0
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Applian FLV Player
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    C-motech Connection Manager(CCU650)
    Canon MP Navigator EX 3.0
    Canon MP250 series MP Drivers
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    CCleaner (remove only)
    ClearType Tuning Control Panel Applet
    CopyTrans Suite Remove Only
    Everything 1.2.1.371
    ffdshow [rev 735] [2007-01-02]
    Foxit PDF Editor
    Foxit Reader
    GoodSync
    Google Chrome
    Google Earth
    Google SketchUp 8
    Google SketchUp Pro 7
    Google Update Helper
    GoogleDesktop
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Hotspot Shield 1.56
    Image Resizer Powertoy for Windows XP
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 22
    K-Lite Mega Codec Pack 4.1.6
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money Plus
    Microsoft Money Shared Libraries
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MIKSOFT Mobile Media Converter
    MobileMe Control Panel
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NVIDIA Drivers
    Picasa 3
    QuickTime
    Realtek High Definition Audio Driver
    Safari
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Skype™ 4.0
    Smart Defrag
    Software Update for Web Folders
    SopCast 3.2.9
    Spybot - Search & Destroy
    SUPERAntiSpyware Free Edition
    Switch Sound File Converter
    Thai2English
    The KMPlayer (remove only)
    unikode for Thai
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC 9.0 Runtime
    Veetle TV 0.9.18
    WebFldrs XP
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Player Firefox Plugin
    Windows XP Service Pack 3
    WinX DVD Author 5.5.8
    ZoneAlarm
    ZoneAlarm Toolbar

    ==== Event Viewer Messages From Past Week ========

    08-Jan-11 5:56:37 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    08-Jan-11 5:56:37 PM, error: Service Control Manager [7034] - The NMSAccessU service terminated unexpectedly. It has done this 1 time(s).
    08-Jan-11 5:56:37 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    08-Jan-11 5:56:37 PM, error: Service Control Manager [7034] - The Hotspot Shield Monitoring Service service terminated unexpectedly. It has done this 1 time(s).
    08-Jan-11 5:56:37 PM, error: Service Control Manager [7031] - The Hotspot Shield Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    08-Jan-11 5:56:37 PM, error: Service Control Manager [7031] - The Hotspot Shield Routing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    08-Jan-11 5:56:37 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    07-Jan-11 7:47:52 PM, error: Dhcp [1002] - The IP address lease 10.76.16.45 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.76.127.254 (The DHCP Server sent a DHCPNACK message).
    07-Jan-11 4:40:38 PM, error: Dhcp [1002] - The IP address lease 10.63.16.7 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.76.23.254 (The DHCP Server sent a DHCPNACK message).
    07-Jan-11 11:08:28 PM, error: Dhcp [1002] - The IP address lease 10.76.120.49 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.76.23.254 (The DHCP Server sent a DHCPNACK message).
    06-Jan-11 2:47:16 AM, error: Dhcp [1002] - The IP address lease 10.63.8.32 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.63.23.254 (The DHCP Server sent a DHCPNACK message).
    05-Jan-11 12:54:45 AM, error: Print [6161] - The document KBA_2009_price_list.xls owned by Buzzzzz failed to print on printer Canon MP250 series Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 1905796. Number of bytes printed: 144152. Total number of pages in the document: 11. Number of pages printed: 0. Client machine: \\W-924BCAF39F124. Win32 error code returned by the print processor: 13 (0xd).
    05-Jan-11 11:15:10 PM, error: Dhcp [1002] - The IP address lease 10.42.24.107 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.63.15.254 (The DHCP Server sent a DHCPNACK message).
    05-Jan-11 1:23:12 AM, error: Dhcp [1002] - The IP address lease 10.42.48.76 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.42.31.254 (The DHCP Server sent a DHCPNACK message).
    04-Jan-11 8:04:22 PM, error: Dhcp [1002] - The IP address lease 10.42.48.115 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.42.55.254 (The DHCP Server sent a DHCPNACK message).
    04-Jan-11 4:04:12 PM, error: Dhcp [1002] - The IP address lease 10.25.48.80 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.42.55.254 (The DHCP Server sent a DHCPNACK message).
    04-Jan-11 2:40:35 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    04-Jan-11 2:34:48 PM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0021853BFF19 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================


    many thanks & kind regards,
    Buzz
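Added illustration, not part of Buzz's post and not code from any of the tools named in this thread: a small Python triage script run over a constructed excerpt of the Event Viewer lines above. It groups the Service Control Manager 7031/7034 "terminated unexpectedly" entries by exact timestamp (several unrelated services dying in the same second points to an abrupt shutdown or crash rather than a fault in any one of them) and counts the Dhcp 1002 DHCPNACK refusals per network card so a helper can see at a glance whether the errors are one event or a pattern. The sample lines are a subset of the log above, and the cluster threshold is an assumption chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in the format of the Event Viewer section above
# (a subset of the real entries, kept short for the example).
SAMPLE_EVENTS = """
08-Jan-11 5:56:37 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
08-Jan-11 5:56:37 PM, error: Service Control Manager [7034] - The NMSAccessU service terminated unexpectedly. It has done this 1 time(s).
08-Jan-11 5:56:37 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
07-Jan-11 7:47:52 PM, error: Dhcp [1002] - The IP address lease 10.76.16.45 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.76.127.254 (The DHCP Server sent a DHCPNACK message).
07-Jan-11 4:40:38 PM, error: Dhcp [1002] - The IP address lease 10.63.16.7 for the Network Card with network address 00FFD9A926A4 has been denied by the DHCP server 10.76.23.254 (The DHCP Server sent a DHCPNACK message).
04-Jan-11 2:40:35 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
04-Jan-11 2:34:48 PM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0021853BFF19 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
"""

# 'DD-Mon-YY H:MM:SS AM, level: Source [id] - message'
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{2} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
SERVICE_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
DHCP_RE = re.compile(r"network address (?P<mac>[0-9A-F]{12}) .*DHCP server (?P<server>[\d.]+)")


def parse_events(text):
    """Parse Event Viewer lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%d-%b-%y %I:%M:%S %p"),
            "level": m.group("level"),
            "source": m.group("source").strip(),
            "event_id": int(m.group("eid")),
            "message": m.group("msg"),
        })
    return events


def service_crash_clusters(events, min_services=3):
    """Group SCM 7031/7034 terminations by exact timestamp and return the
    timestamps at which at least min_services services died together."""
    by_time = defaultdict(list)
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["event_id"] in (7031, 7034):
            m = SERVICE_RE.match(ev["message"])
            if m:
                by_time[ev["time"]].append(m.group("svc"))
    return sorted((t, svcs) for t, svcs in by_time.items() if len(svcs) >= min_services)


def dhcp_nack_summary(events):
    """Count Dhcp 1002 (DHCPNACK) events per network card and record the
    servers that refused the lease."""
    summary = {}
    for ev in events:
        if ev["source"] != "Dhcp" or ev["event_id"] != 1002:
            continue
        m = DHCP_RE.search(ev["message"])
        if not m:
            continue
        entry = summary.setdefault(m.group("mac"), {"count": 0, "servers": set()})
        entry["count"] += 1
        entry["servers"].add(m.group("server"))
    return summary


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for when, svcs in service_crash_clusters(evs):
        print(f"{when}: {len(svcs)} services terminated together -> {', '.join(svcs)}")
    for mac, info in dhcp_nack_summary(evs).items():
        print(f"NIC {mac}: {info['count']} DHCPNACK from {sorted(info['servers'])}")
```

On the real log this flags the seven terminations at 08-Jan-11 5:56:37 PM as one event and shows the DHCPNACK entries are all for the same two network cards, which is the kind of context a helper uses before reading anything into them.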
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good Morning! I'll help with the malware- although I'm not sure you have any. Antivirus programs continue to show malware even if it's not active, so it depends on the location of TDSS shown in Avira. For instance, if it is showing System Volume for the location, that means that it is not active in the system, but is in a restore point.

    When we assist with cleaning a system, at the end, not before, we have you set a new, clean restore point, then drop the old one to prevent reinfection. So far, I don't see any indication of active malware in these logs. But I will have you run 2 scans to be sure.

    First, some housekeeping: You have several outdated versions of Java in the Firefox addons and they need to be removed:
    Open Firefox> Tools> Addons> Highlight and delete the following:
    Java v6u12, u13, u14, u16, u17, u19, u20, u21, u22. The current version is v6u23, so you might as well bump it up one update:
    Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs also if they show there as they are vulnerabilities for the system. Unfortunately, the Java updates don't overwrite the old one- someday I hope they fix that.
    ==========================================
    Since you are using the FoxIt PDF reader, you no longer need Adobe Reader and all its bloat. FoxIt will do the same thing and it doesn't have the bloat. Uninstall the Adobe Reader in Add/Remove Programs in the Control Panel.
    ===========================================
    The HijackThis program you have is also outdated and can be removed. I will give you a new link to run the current version.
    =========================================
    Please Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =======================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Once I see these logs, I'll know if the rootkit was removed or if any entries remain.

    Edit to add: Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
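Added example, not Bobbye's code and not anything the thread's tools do themselves: a Python helper that applies the restore-point rule from the post above to an antivirus detection path. Windows XP System Restore keeps its copies under System Volume Information\_restore{GUID}\RPnnn\ with names like A0050325.exe, so a detection at such a path is a stored copy inside restore point nnn, not a file running on the live system; the helper reports it as not active, together with the restore point number, and treats any other location as live. The GUID and the file paths in the sample are constructed placeholders.

```python
import re

# Windows XP System Restore copy layout (assumed here from the XP convention):
#   <drive>:\System Volume Information\_restore{GUID}\RPnnn\A00xxxxx.<ext>
RESTORE_COPY_RE = re.compile(
    r"[\\/]System Volume Information[\\/]_restore\{[0-9A-Fa-f-]+\}"
    r"[\\/]RP(?P<rp>\d+)[\\/](?P<file>A\d{7}\.[^\\/]+)$",
    re.IGNORECASE,
)


def classify_detection(path):
    """Classify an antivirus detection by where the flagged file lives.

    A hit inside a restore point is an inactive copy: the cleanup is to
    create a fresh restore point after the system is clean and purge the
    old ones. Anything else is treated as a live file that needs attention."""
    m = RESTORE_COPY_RE.search(path)
    if m:
        return {
            "path": path,
            "location": "restore_point",
            "restore_point": int(m.group("rp")),
            "file": m.group("file"),
            "active": False,
            "action": "set a new clean restore point after cleanup, then drop the old ones",
        }
    return {
        "path": path,
        "location": "live",
        "active": True,
        "action": "treat as live: scan, quarantine, and review autostart entries",
    }


def triage(paths):
    """Summarise detection paths: counts per location plus the live ones."""
    summary = {"restore_point": 0, "live": 0}
    live = []
    for p in paths:
        verdict = classify_detection(p)
        summary[verdict["location"]] += 1
        if verdict["active"]:
            live.append(p)
    return summary, live


# Constructed sample paths; the GUID is a placeholder, not a real restore point.
SAMPLE_PATHS = [
    r"C:\System Volume Information\_restore{12345678-1234-1234-1234-123456789abc}\RP42\A0050325.exe",
    r"C:\WINDOWS\system32\drivers\sample.sys",
    r"C:\System Volume Information\tracking.log",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        v = classify_detection(p)
        print(f"{v['location']:14} active={v['active']!s:5} {v['path']}")
    print(triage(SAMPLE_PATHS))
```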
     
  3. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Hi Bobbye ...

    Thanks for all the advice and time taken ...

    Java Updates: Done - have updated to version 23.
    What about Java Quick Starter 1.0 - leave it or delete it ?
    Yes, I knew it was good to get rid of older versions, but I only checked in ADD/REMOVE before, and that only shows the current version - so, now I know how/where to check. tks
    ........................................................................
    Adobe Reader: I so much want to get rid of it, but I can't get my thai bank e-statements without it - I downloaded the update a while ago, but haven't been bothered to install. At least I haven't got it as my default pdf reader. Don't know how else I can get my bank e-statements without it ?

    ......................................................................
    HijackThis: removed
    But, I got some typical windows 'Note' saying to delete the file manually as well ?

    ....................................................................
    Ran Eset - said it found 2 x variants of win32/hotspotshield application
    Went to C:\Program Files\EsetOnlineScanner\ folder but no log.txt file was to be found ?

    ...................................................................
    Downloaded Combofix and when tried to run got a Note saying: it couldn't run until AVG was uninstalled or use other tool ?
    I haven't used AVG for at least a couple of years ?
    Deleted Combofix icon and downloaded again but when tried to run - same note.

    over to you Bobbye...
    Buzz
     
  4. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Just checked windows explorer and my C drive showing a folder - C:\$AVG - is showing nothing in it - but when I checked in properties it says 74 files 2 folders 16mb (Nov10,2009) ?
     
  5. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    C:\Program Files\ESET\ESET Online Scanner - just has the active x file and Eset uninstall file, but no log.txt
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Click on Start> Run> type in services,msc> enter> double click on JavaQuickStart> Stop the Service> change the Startup type to Disabled. You don't need it to run or use Java.

    Do yourself a favor. Download the Fox It PDF Reader and make it the default. Try downloading one of the PDF e-statements> it should open right up in Foxit. Mine does. I just click the PDF symbol.

    AVG is giving us a pain with Combofix! Do a search on your system for AVG. Delete everything for AVG. You may have to do this in Safe Mode. Be sure there is no AVG process on the Startup menu.

    Then run Combofix
     
  7. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Did a search in the wonderful 'windows explorer' - it actually found over 100 AVG folders/Files ... some wouldn't delete (I forgot how to run in 'safe mode') ... gave ComboFix another try with success ...

    ComboFix 11-01-12.04 - Buzzzzz 14-Jan-11 2:57.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2441 [GMT 7:00]
    Running from: c:\documents and settings\Buzzzzz\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-13 to 2011-01-13 )))))))))))))))))))))))))))))))
    .

    2011-01-08 10:48 . 2010-12-20 11:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-08 10:48 . 2011-01-08 10:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-08 10:48 . 2010-12-20 11:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-25 20:26 . 2011-01-08 10:07 -------- d-----w- c:\windows\system32\NtmsData
    2010-12-19 18:29 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
    2010-12-19 18:24 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-19 18:22 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-24 06:15 . 2009-11-16 09:03 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-12-11 06:23 . 2009-11-16 07:50 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-18 18:12 . 2008-12-02 03:22 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 11:53 . 2010-05-22 13:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 09:34 . 2009-03-11 08:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:26 . 2004-08-03 17:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-06 00:26 . 2004-08-03 17:56 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-08-03 17:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-03 12:25 . 2004-08-03 15:59 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-08-03 17:56 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-08-03 16:17 1853312 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-24 8491008]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-05-26 1043968]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 08:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 16:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-22 21:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-04-12 19:29 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2009-03-24 02:00 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2009-03-18 01:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
    2001-08-23 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2005-04-07 07:40 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-11-10 17:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2010-12-20 11:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 04:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 09:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    "PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "RTHDCPL"=RTHDCPL.EXE
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "Alcmtr"=ALCMTR.EXE
    "nwiz"=nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15-Sep-09 11:42 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15-Sep-09 11:42 AM 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16-Nov-09 4:03 PM 135336]
    R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26-May-10 8:35 PM 26352]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26-May-10 8:35 PM 493032]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21-Jul-09 11:48 PM 133104]
    S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [09-Feb-09 3:51 PM 58352]
    S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [09-Feb-09 3:51 PM 8304]
    S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [09-Feb-09 3:51 PM 93904]
    S3 cmo_serd;Data Modem @ CDMA Second DS Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [09-Feb-09 3:51 PM 73696]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [04-Aug-04 12:56 AM 14336]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15-Sep-09 11:42 AM 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    vvdsvc REG_MULTI_SZ vvdsvc
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

    2011-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

    2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003Core.job
    - c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]

    2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003UA.job
    - c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]

    2010-10-26 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2010-08-23 14:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {5EA7F988-C77D-4E9F-BD95-4DFB4D060C32} = 203.113.7.130 8.8.8.8
    FF - ProfilePath - c:\documents and settings\Buzzzzz\Application Data\Mozilla\Firefox\Profiles\jjg4pz97.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.gmail.com/ncr
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
    FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
    FF - Ext: Office Black: Office2007Black@JBBS - %profile%\extensions\Office2007Black@JBBS
    FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
    FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}
    FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
    FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
    FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
    FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-14 03:00
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(904)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

    - - - - - - - > 'lsass.exe'(960)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    - - - - - - - > 'explorer.exe'(2372)
    c:\windows\system32\WININET.dll
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-01-14 03:02:26
    ComboFix-quarantined-files.txt 2011-01-13 20:02

    Pre-Run: 149,782,536,192 bytes free
    Post-Run: 149,770,518,528 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - A9787094351135DE26B92DE7A4C9AEE8


    **********************************************************************************

    When I type in services,msc (in Run) windows says it can not find the file ???

    Already have Foxit reader as my default - but this particular thai phone company's on-line program will only let me open my phone account statement .pdf in bloody Adobe !
    (maybe they will fix it soon - as Foxit becomes more popular in thailand - or, they've done an exclusive deal with Adobe)

    thanx again for all your assistance,
    Buzz
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    That's because I accidentally put a comma in instead of a period> my apology. It should read:

    =============================================
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Using Windows Explorer (Windows key + E)> My Computer> double click on Local Drive (C)> Programs> find the AVG folder and do a right click> Delete.
    Note: The only entry for AVG I saw in all of the logs was for BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    This is also referred to as a link scanner.
    It doesn't get any better than WOT, IMO, which you have. Get rid of the AVG.
    ==========================================
    Please run this Custom CFScript: I think I found your malware:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS
    DDS::
    BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
    uStart Page = about:blank
    Extra::
    File::
    c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
    Firefox::
    Firefox-: - Profile - c:\documents and settings\Buzzzzz\Application Data\Mozilla\Firefox\Profiles\jjg4pz97.default\
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    Driver::
    HssWd
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    Make sure this addon has been removed from Firefox after running the above:
    FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
    It is considered a "Trojan.Adclicker" by Symantec.
    ===================
    I'd like you to try the Eset scan again. If it still won't produce the log, run the following instead: Be sure your security is disabled to run the scan>
    Run Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    ====================================
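Added example, not part of Bobbye's post and not ComboFix's own code: a Python parser for the REGEDIT4-style lines used in the Registry:: section of the CFScript above and in the "Reg Loading Points" part of the ComboFix log. In that syntax `[key]` selects a key, `[-key]` deletes it, `"name"=dword:...` and `"name"="..."` set a value, and `"name"=-` deletes the value. The parser turns such lines into a list of actions and applies them to an in-memory model of the registry, so the effect of a script can be previewed before it is run. Fed the DisableMonitoring value from the ComboFix log (set to 1) and the CFScript line that follows, it shows that value being removed. The two fragments are copied from the thread; the ExamplePlaceholder key is constructed for the example, and value types other than string and dword are kept as raw text rather than decoded.

```python
import re

# Copied from the ComboFix log above: the value as it was found.
COMBOFIX_EXCERPT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
"""

# Copied from the Registry:: section of the CFScript above.
CFSCRIPT_REGISTRY = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-
"""

# Constructed placeholder (the key exists on no real system) to exercise
# string escapes, the default value, a subkey and key deletion.
PLACEHOLDER_FRAGMENT = r"""
[HKEY_CURRENT_USER\Software\ExamplePlaceholder]
"Path"="c:\\Program Files\\Example\\run.exe"
@="default"
[HKEY_CURRENT_USER\Software\ExamplePlaceholder\Sub]
"Flag"=dword:0000000a
"""
DELETE_FRAGMENT = r"""
[-HKEY_CURRENT_USER\Software\ExamplePlaceholder]
"""

KEY_RE = re.compile(r"^\[(?P<del>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')
HEADERS = ("REGEDIT4", "WINDOWS REGISTRY EDITOR VERSION 5.00")


def _unquote(s):
    # Strip the surrounding quotes and undo the .reg escapes (backslash-backslash, backslash-quote).
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg_fragment(text):
    """Turn REGEDIT4-style lines into a list of registry actions."""
    actions, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper() in HEADERS:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            actions.append({"op": "delete_key" if km.group("del") else "ensure_key", "key": key})
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        name = "(Default)" if vm.group("name") == "@" else _unquote(vm.group("name"))
        data = vm.group("data").strip()
        if data == "-":
            actions.append({"op": "delete_value", "key": key, "name": name})
        elif data.lower().startswith("dword:"):
            actions.append({"op": "set_value", "key": key, "name": name,
                            "type": "REG_DWORD", "data": int(data[6:], 16)})
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            actions.append({"op": "set_value", "key": key, "name": name,
                            "type": "REG_SZ", "data": _unquote(data)})
        else:  # hex:, hex(7): and similar are kept verbatim
            actions.append({"op": "set_value", "key": key, "name": name,
                            "type": "RAW", "data": data})
    return actions


def _norm(s):
    # Registry key and value names are case-insensitive; the log and the
    # script above spell the same key with different casing.
    return s.lower()


def apply_actions(state, actions):
    """Apply actions to a {key: {name: data}} model and return the new model."""
    new = {_norm(k): {_norm(n): d for n, d in vals.items()} for k, vals in state.items()}
    for a in actions:
        key = _norm(a["key"])
        if a["op"] == "ensure_key":
            new.setdefault(key, {})
        elif a["op"] == "delete_key":  # removes the key and everything below it
            for k in list(new):
                if k == key or k.startswith(key + "\\"):
                    del new[k]
        elif a["op"] == "delete_value":
            new.get(key, {}).pop(_norm(a["name"]), None)
        elif a["op"] == "set_value":
            new.setdefault(key, {})[_norm(a["name"])] = a["data"]
    return new


if __name__ == "__main__":
    before = apply_actions({}, parse_reg_fragment(COMBOFIX_EXCERPT))
    after = apply_actions(before, parse_reg_fragment(CFSCRIPT_REGISTRY))
    print("before:", before)
    print("after: ", after)
```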
     
  9. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Hey Bobbye ...

    Had a bit of a hiccup last night (Jan 14) ... when in 'safe mode' looking for AVG files to delete - I couldn't find any - didn't do anything else - the mouse froze - couldn't bring up task manager (Ctrl Alt Del) - comp wouldn't switch off - had to 'off' the UPS (cut power) to turn it off - (it was late here, so went to bed and re-tried in the arvo) - switched on again and let run - got stuck with blue Windows screen (as if it was still loading after hearing the windows start-up tune) - froze again - had to shut the power off again - tried the same thing again with same results - turned power on again and restarted in safe mode - ok - shut down comp no probs using (start) 'turn off computer', just to see if it would shut down ok ... restarted again in safe mode, but this time chose the 'restore point' option - restored to a point Jan 13th pm ... computer booted up no probs ...

    ..................................................................................................
    Found c:\program files\avg\avg9\avgssie.dll in Windows Exp and deleted it and all remains of AVG files and folders.

    ....................................................................................................
    Downloaded Combofix again and 'dropped' the CFScript.txt into it and successfully scanned - log pasted below.

    ..................................................................................................
    Deleted c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com thru WExp

    ................................................................................................
    Noticed another 'Hotspot Shield' folder - not under Program Files - just on its own: C:\Hotspot Shield with a sub-folder hsswd, and an hssstate xml doc (1 KB, 15 Jan 2011 7.27 pm)
    - did not try to open the hsswd folder

    ................................................................................................
    Ran ESET successfully - log below

    (by the way, the version of ESET I used didn't automatically generate a logfile at C:\Program Files\EsetOnlineScanner\log.txt
    - when the scan finishes it gives the option to view a 'list of threats' found - click - 2 options: either copy to clipboard or export text file (see below))

    Completely uninstalled ESET

    ............................................................................................

    that's it bro... over to you !


    ComboFix 11-01-14.01 - Buzzzzz 15-Jan-11 18:52:23.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2491 [GMT 7:00]
    Running from: c:\documents and settings\Buzzzzz\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Buzzzzz\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    FILE ::
    "c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS"
    "c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\hotspot shield\hssie\HssIE.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_HSSWD
    -------\Service_HssWd


    ((((((((((((((((((((((((( Files Created from 2010-12-15 to 2011-01-15 )))))))))))))))))))))))))))))))
    .

    2011-01-15 08:59 . 2010-11-09 14:52 536576 -c----w- c:\windows\system32\dllcache\msado15.dll
    2011-01-15 08:59 . 2010-11-09 14:52 249856 -c----w- c:\windows\system32\dllcache\odbc32.dll
    2011-01-15 08:59 . 2010-11-09 14:52 200704 -c----w- c:\windows\system32\dllcache\msadox.dll
    2011-01-15 08:59 . 2010-11-09 14:52 180224 -c----w- c:\windows\system32\dllcache\msadomd.dll
    2011-01-15 08:59 . 2010-11-09 14:52 143360 -c----w- c:\windows\system32\dllcache\msadco.dll
    2011-01-15 08:59 . 2010-11-09 14:52 102400 -c----w- c:\windows\system32\dllcache\msjro.dll
    2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\program files\Firefox
    2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\documents and settings\Buzzzzz\Local Settings\Application Data\AVG Security Toolbar
    2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- C:\$AVG
    2011-01-08 10:48 . 2010-12-20 11:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-08 10:48 . 2011-01-08 10:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-08 10:48 . 2010-12-20 11:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-25 20:26 . 2011-01-08 10:07 -------- d-----w- c:\windows\system32\NtmsData
    2010-12-19 18:29 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
    2010-12-19 18:24 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-19 18:22 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-24 06:15 . 2009-11-16 09:03 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-12-11 06:23 . 2009-11-16 07:50 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-18 18:12 . 2008-12-02 03:22 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 11:53 . 2010-05-22 13:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 09:34 . 2009-03-11 08:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-09 14:52 . 2004-08-03 17:56 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-06 00:26 . 2004-08-03 17:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-06 00:26 . 2004-08-03 17:56 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-08-03 17:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-03 12:25 . 2004-08-03 15:59 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-08-03 17:56 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-08-03 16:17 1853312 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-24 8491008]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-05-26 1043968]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 08:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 16:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-22 21:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-04-12 19:29 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2009-03-24 02:00 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2009-03-18 01:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
    2001-08-23 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2005-04-07 07:40 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-11-10 17:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2010-12-20 11:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 04:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 09:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    "PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "RTHDCPL"=RTHDCPL.EXE
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "Alcmtr"=ALCMTR.EXE
    "nwiz"=nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15-Sep-09 11:42 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15-Sep-09 11:42 AM 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16-Nov-09 4:03 PM 135336]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26-May-10 8:35 PM 26352]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26-May-10 8:35 PM 493032]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21-Jul-09 11:48 PM 133104]
    S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [09-Feb-09 3:51 PM 58352]
    S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [09-Feb-09 3:51 PM 8304]
    S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [09-Feb-09 3:51 PM 93904]
    S3 cmo_serd;Data Modem @ CDMA Second DS Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [09-Feb-09 3:51 PM 73696]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [04-Aug-04 12:56 AM 14336]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15-Sep-09 11:42 AM 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    vvdsvc REG_MULTI_SZ vvdsvc
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

    2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

    2011-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003Core.job
    - c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]

    2011-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003UA.job
    - c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]

    2010-10-26 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2010-08-23 14:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = local;*.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Buzzzzz\Application Data\Mozilla\Firefox\Profiles\jjg4pz97.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.gmail.com/ncr
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
    FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
    FF - Ext: Office Black: Office2007Black@JBBS - %profile%\extensions\Office2007Black@JBBS
    FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
    FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}
    FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
    FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
    FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
    FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-15 18:57
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(904)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

    - - - - - - - > 'lsass.exe'(960)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    - - - - - - - > 'explorer.exe'(2188)
    c:\windows\system32\WININET.dll
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Hotspot Shield\bin\openvpnas.exe
    c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Digiarty\WinX DVD Author 5.5\NMSAccessU.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Hotspot Shield\bin\openvpntray.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-15 19:01:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-15 12:01
    ComboFix2.txt 2011-01-13 20:02

    Pre-Run: 149,032,837,120 bytes free
    Post-Run: 148,891,992,064 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 710E6DC8C690BD26167148CB7C717640


    Eset: 'export to text' file...

    C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application
    C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP125\A0036618.exe a variant of Win32/HotSpotShield application
    C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP143\A0039869.exe a variant of Win32/HotSpotShield application
    C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP168\A0046593.exe a variant of Win32/HotSpotShield application
    C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP189\A0050366.exe a variant of Win32/HotSpotShield application
    Operating memory a variant of Win32/HotSpotShield application
     
  10. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Hi Bobbye ...

    Am writing this from my laptop as my PC crashed bad.
    Was watching something on YouTube and the screen just froze ... only way to shutdown was power-off ... started up again and whilst I was hitting F8 - the windows blackscreen crash message came up "This computer closed unexpectedly ....." which way would you like to re-start ... I went for safe mode but it just froze again ...

    any help muchly appreciated, cheers,
    Buzz
     
  11. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    I forgot to mention - PC was running fine - right before watching about 10 mins of YouTube - I bumped the 'on/off' button on the PC case - ZAlone prompt came up & wanted to shut down or cancel ... I chose cancel, same as with the Firefox prompt when it popped-up ... maybe this could've caused the crash ?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay- the restore got the AVG back. You shouldn't do a SR while we're cleaning, unless it's the only way back into a system. And that is the reason we don't remove the restore points at the beginning! If you look at the Eset entries, you'll see this location for some of the HotSpotShield:
    C:\System Volume Information\_restore>> these are the restore points. So when you restored, you may also have 'reinfected' the system.

    But I need to make you aware of what you agreed to when you installed the HotSpotShield. There is a heated discussion on some forums about whether this is actually a False Positive:
    This is part of the AnchorFree EULA for the HotSpotShield:
    If you read this and knowingly accepted the terms, including the ads themselves, the HotSpotShield is not considered malware. But it will show in any security scans that include adware. If using it means enough that you don't mind or care about the ads-even if they are specific for you, then keep it.

    Please make this decision so I will know whether to continue to try and remove it. What you see in C:\Hotspot Shield is the Directory. It's a folder and will have sub-folders related to the app or program itself.

    I have script for you to run through Combofix, but we need to decide whether to continue to try and remove HotSpotShield, or whether you want to keep it. If you keep it: You have 2 options:
    1. disable detection of adware
    2. exclude the file from scanning
    ============================================
    About the BSOD: We need to find what's causing it:

    Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe to run.

    • Select log to query, select
    • Application
    • System

      Under Select type to list, select:
    • Critical (Vista only)
    • Error

      Click the radio button for Number of events
    • Type 10 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

      Load the log
    • In Notepad, click Edit> Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.
    Try to run this after the time of the BSOD. Events are time coded.
    (Courtesy rev-Olie)
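    The restore-point point above, as an added triage script (not ESET, ComboFix or TechSpot code): it parses scan-export lines in the '<path> <verdict>' layout of the ESET listing in post 9, separates live hits from copies sitting under System Volume Information\_restore{...}\RPnnn, and reports which restore points would bring a detected file back if used for a rollback. The sample lines are constructed after that listing, and the line layout is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the ESET 'export to text' lines quoted
# in this thread: '<path> <verdict>'. Paths are taken from the thread's log.
SAMPLE_REPORT = r"""
C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application
C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP125\A0036618.exe a variant of Win32/HotSpotShield application
C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP143\A0039869.exe a variant of Win32/HotSpotShield application
C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP168\A0046593.exe a variant of Win32/HotSpotShield application
C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP189\A0050366.exe a variant of Win32/HotSpotShield application
Operating memory a variant of Win32/HotSpotShield application
"""

# Assumed line layout: a drive path ending in a file extension (or the literal
# 'Operating memory' for in-memory hits), whitespace, then the verdict text.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4}|Operating memory)\s+(?P<verdict>\S.*)$"
)
# System Restore keeps copies under System Volume Information\_restore{GUID}\RPnnn\.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    path: str
    verdict: str
    restore_point: Optional[int]  # RP number when the hit is a System Restore copy

    @property
    def in_memory(self) -> bool:
        return self.path == "Operating memory"


def parse_report(text: str) -> List[Finding]:
    """Turn the export text into Finding records; refuse lines that do not fit."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable report line: {line!r}")
        rp = RESTORE_RE.search(m["path"])
        findings.append(Finding(m["path"], m["verdict"], int(rp["rp"]) if rp else None))
    return findings


def triage(findings: List[Finding]) -> Dict[str, object]:
    """Split hits into what matters now (live files, running memory) and what
    only matters if the user rolls back (copies inside restore points)."""
    live = [f.path for f in findings if f.restore_point is None and not f.in_memory]
    in_memory = any(f.in_memory for f in findings)
    by_rp: Dict[int, List[str]] = {}
    for f in findings:
        if f.restore_point is not None:
            by_rp.setdefault(f.restore_point, []).append(f.path)
    return {"live": live, "in_memory": in_memory, "restore_points": by_rp}


def is_clean_restore_target(rp: int, findings: List[Finding]) -> bool:
    """True when no scanner hit was recorded inside RP<rp>. Restoring to a
    point that holds a detected file puts that file back on the system."""
    return all(f.restore_point != rp for f in findings)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    summary = triage(report)
    print("live files still on disk:", summary["live"])
    print("detection running in memory:", summary["in_memory"])
    for rp, paths in sorted(summary["restore_points"].items()):
        print(f"RP{rp}: {len(paths)} detected copy/copies; safe rollback target: "
              f"{is_clean_restore_target(rp, report)}")
```

    Run against a real export, the RP numbers it flags are the checkpoints to avoid when picking a System Restore date during a cleanup.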
     
  13. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Hi Bobbye ...

    No probs - I do want to get rid of Hotspot Shield completely ... I only used it occasionally anyway.

    Turned on my PC today and got the BSOD -
    "problem detected and windows etc....
    WIN32K.sys
    Page-Fault-in-nonpaged-area

    Had to turn off power to shut down ... then on subsequent attempts to start-up - not getting anything - not even the BSOD - the ACER intro page shows for a nanosecond.
    Normally when start-up the ACER page loads with 2 options:
    Delete: to go into BIOS settings
    F12: to go to boot menu

    But, not even getting that come up now ... just a blank screen.

    I don't think I have a boot-up disk. When I purchased this PC it came with Linux - but, I never used Linux - I had a local techo here convert it over from Linux to Windows XP Pro (copied version) which was a bit of a tricky job... I have the install disk he used to do that, that's all ...

    So, what's the next move - how can I get a windows screen back so I can download VEW etc...?
    (I've got no idea - have not done a back-up for ages either)

    cheers and many thanks,
    Buzz
    (writing this from my laptop)
    (I'm on Koh Samui - a small island in the tropical south of Thailand - not much tech assistance avbl here)
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Once you're in:
    All Programs> Accessories> System Tools> System Restore> Restore the system to this date:
    RP189: 08-Jan-11 4:27:33 PM - System Checkpoint

    NOTE: If there is a later date, between 08-Jan and now, use that instead.


    We may have to clean again but hopefully this will get you back in. This is a good example of why we don't drop the restore points at the beginning of cleaning!
     
  15. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Hi Bobbye,

    It won't start even hitting F8 ... have tried a few times ... not even getting the Acer opening menu now ... sometimes just the Acer logo flashes up briefly ... that's it ... just a black empty screen after power 'on'

    See my post#9 - PC was freezing in both safe and normal mode - only way to get windows back was to shoot for a restore point - I really don't know what else I could've done ?

    any more suggestions muchly appreciated ...
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Oh my goodness! Sounds like the "bump" may have caused a start of the shutdown. But that was interrupted. So the system is half up and half down and it won't work like that. (But you already found that out!)

    There is also a possibility that the system got some kind of malware from the youtube video.

    Please bring me up to date on the status:
    Can you press the on/off button and Start up in either Safe Mode by toggling the F8 button or boot into Normal Mode? Or more simply said: can you get into the system at all, to a work place, not just a screen flash?
     
  17. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    on/off button just stays on - only way I can shut down is to un-plug ... soon as I plug-in the power cord again - the computer is 'on' - I get a quick flash of the Acer logo and then nothing; it doesn't even seem to want to boot at all (even if constantly tapping F8) ... I'm worried ...

    It's my work PC (I work from Home) and as I mentioned, I haven't done a data back-up for a long long while - had been advised of a great piece of free back-up software and even bought some flash memory 8GB sticks to do it as soon as I got this little bit of malware out of the way (yeah, I know...) - was going to do a clean-up and ditch a lot of un-used programs - defrag etc...

    I'm stuck mate, as I don't want to do anything without yr advice now !

    If it looks like we have to format the c drive, then I hope I can save all my data on the d drive (partitioned)....

    hope you can get back to me soon as possible,
    cheers & thanks,
    Buzz
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Buzz, I don't have any miracles in my pocket today! You have a computer that won't shut down or start up. Possible electrical problem with power button or cable and you can't get into the system!

    If you're going to do anything at all, you need a machine that works. I would have a tech check out the power button and cable. If that's faulty, it would explain a lot. Once that's done-if it restores the ability to get into the machine and work, we'll go on.

    'Course, there's the matter of the "I'll back up later syndrome!"

    If you get into the machine, have a look at the following for both Windows XP Repair or Reinstall.
    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
     
  19. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    No probs, Bobbye I understand the situation ...

    'As it just happened' - my little puppy unfortunately 're-broke' her leg yesterday - had to take her back to the pet hospital, which just happens to be near the 'stall' in the mall, where I found the Thai tech-head who installed Windows XP over Linux when I bought the machine. (Most Thai tech heads have never done any sort of course or apprenticeship, and finding a good one on an island is like finding needles in haystacks. One that speaks good English, almost impossible!)

    They were not there anymore (as is the case quite often in Thailand).
    But asked around, and found where they moved to ... they remembered me, said no probs, they reckon they can re-format my 'c' drive and save data on my 'd' drive - just bring it back !!!

    So, with fingers crossed, I'll hand over a big part of my 'source of income' to them, and hope like hell they'll get Windows XP running again for me without any lost data (heaps of lost, good free software is inevitable though, I know).

    But, don't worry, as soon as they do ~ I'll probably be in contact with you again !

    cheers & thanks for your time taken,
    Buzz

    PS: What should I do as soon as XP is happening again ?
    Would I have the option to run Windows 7 (with all my data on the 'd' drive on XP) - I don't think so....
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I am very sorry to hear about the puppy. That will come before the computer, of course.

    Although I can find malware and remove entries that are bad, I can't check the cables or on/off switch- and I think that is a big part of the problem, so make the tech earn what you have to pay him and have him check it.

    As for your 2 questions:
    I am not sure I know what you mean here. I don't know what files will remain, if any, so if you have any signs of malware, start a new thread, to my attention with this URL for reference, http://www.techspot.com/vb/topic159399.html, and run the scans again.
    Linux to Windows XP then XP reinstall to Windows 7? I wouldn't recommend it. You would need to check your system specs to see what you'd need for a dual-boot.

    I'm going to close this thread now. When you're up again, if you have malware problems, you know where to find us.

    My best to the puppy.
     