TechSpot

Trojans/malware detected on computer. Popups in browser.

Solved
By SirCarnifex
Feb 24, 2012
  1. Hello,

    I've recently gotten a virus (detected by anti-virus and supposedly removed) on my computer. I ran the programs that I have (Avira, Malwarebytes, SpyBot) and supposedly removed many of the files, but it apparently is not working. Avira keeps detecting the same files, though they pop up in new places each time. Malwarebytes, which WAS working, now gets a runtime error when I try to load it up, so I can't do the first recommended step on this site. I guess the virus disabled it.

    This computer has no important information on it, so I'm not worried about personal information loss or anything like that. It does have a good deal of programs and hobbyist work on it that I'd prefer not to lose to a reformat, so eradicating the virus by another method is preferable to me. I can run programs right now but the computer is slow sometimes (like right now) when there is apparently a hidden program(s) running.

    I'd appreciate advice on what to do. Should I uninstall Malwarebytes and reinstall it? Or just run the other programs suggested?

    Thanks for any help!

    EDIT: And also, I'm getting new browser windows that pop up occasionally (not too often) that (so far) have taken me to YouTube and Pogo. Other than that I've not had anything. I think it's been four popups in about the same amount of days since I've run the computer with the virus.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'll be glad to help but need some information on what's running.

    Sounds like you are attempting to run these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    -----------------------------
    To help with Malwarebytes:
    Please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already.

    Once done, try running a scan again.
    ---------------------------
    Then please go ahead with the other steps. If you have additional problems with the scans, please let me know.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.

    If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
    Threads are closed after 5 days if there is no reply.
  3. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    Yes, I was going to run through those steps that you linked to, starting with Malwarebytes, but when that didn't work, I thought it best to ask before doing anything else. I'll try what you suggested and get the logs posted when I get a chance. Thanks!
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If a program doesn't work, please tell me what happened when you tried to run it. In the absence of that information, you can do the following for Mbam:

    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, then try to immediately run the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Without rebooting, try the Malwarebytes scan again.

    You can go ahead with DDS.
  5. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    I ran rkill and exehelper. Here's the exehelper log:

    exeHelper by Raktor
    Build 20100414
    Run at 18:24:42 on 02/27/12
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--



    I'm trying to run Malwarebytes again now.
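The exeHelper log above says it reset the .exe/.com file associations, the Winlogon userinit and shell values, and the lockout policies. As an added example (not part of this thread, and not code from exeHelper or Rkill), the following read-only PowerShell audit compares those same Windows XP persistence points against their stock defaults, so a helper can see whether a tool's fix actually stuck after a reboot. The expected values are the XP defaults and are assumptions; a machine with a legitimately customised shell will show MODIFIED.

```powershell
# Added example, not from the thread. Read-only audit of the XP persistence
# points exeHelper reports resetting: file associations for .exe/.com, the
# Winlogon Shell/Userinit values, and Explorer/System lockout policies.
# Expected values are the stock Windows XP defaults (assumption).

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';     Expected = 'Explorer.exe' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Userinit';  Expected = 'C:\WINDOWS\system32\userinit.exe,' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
       Name = '(default)'; Expected = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'
       Name = '(default)'; Expected = '"%1" %*' }
)

# Read one registry value without modifying anything; $null if key/value absent.
function Get-RegValue($path, $name) {
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    $key = Get-Item -LiteralPath $path
    if ($name -eq '(default)') { return $key.GetValue('') }
    return $key.GetValue($name)
}

function New-Finding($status, $key, $expected, $actual) {
    New-Object PSObject -Property @{
        Status = $status; Key = $key; Expected = $expected; Actual = $actual
    }
}

$findings = @()

# 1. Machine-wide values that exeHelper resets, compared to the defaults.
foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    $status = if ($null -eq $actual)          { 'MISSING'  }
              elseif ($actual -ne $c.Expected) { 'MODIFIED' }
              else                             { 'OK'       }
    $findings += New-Finding $status "$($c.Path)\$($c.Name)" $c.Expected $actual
}

# 2. Per-user Shell/Userinit overrides. On stock XP these values do not exist
#    under HKCU; their presence points at a user-level shell hijack.
$hkcuWinlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($n in 'Shell', 'Userinit') {
    $v = Get-RegValue $hkcuWinlogon $n
    if ($null -ne $v) {
        $findings += New-Finding 'HKCU_OVERRIDE' "$hkcuWinlogon\$n" '(absent)' $v
    }
}

# 3. Lockout policies (Task Manager, Registry Editor, Run, Folder Options)
#    that rogue software sets to keep the user away from cleanup tools.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$lockoutNames = 'DisableTaskMgr', 'DisableRegistryTools', 'NoRun',
                'NoFolderOptions', 'NoControlPanel'
foreach ($k in $policyKeys) {
    foreach ($p in $lockoutNames) {
        $v = Get-RegValue $k $p
        if ($v -eq 1) {
            $findings += New-Finding 'POLICY_SET' "$k\$p" '0 or absent' $v
        }
    }
}

# Anything other than OK is worth pasting into the thread alongside the logs.
$findings | Sort-Object Status | Format-Table Status, Key, Expected, Actual -AutoSize
```

Run it from an elevated PowerShell prompt before and after a reboot; a value that returns to MODIFIED after the tool reported resetting it indicates something is still active and rewriting it.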
  6. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    Okay, Malwarebytes still won't run. I get (give or take a word or two):

    "Runtime Error 5. Invalid call, procedure or argument."

    Shall I run gmer and dds now anyway or is there something else? Thanks!
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The most common cause for Runtime errors is addons (plugins). Have you recently put any new ones of either on the system? If using IE, go to Tools> Manage Add Ons> choose 'no addons' and see if Mbam runs.

    If it doesn't, one more try for Mbam:
    Please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already.

    Once done, try running a scan again.

    If it still won't run, please go on to the other scans.
  8. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    I don't run IE and I'm not sure how to disable add-ons on Firefox. Meanwhile, I ran the other two programs. Here are the logs:



    GMER:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-02-29 11:30:45
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-9 WDC_WD5001AALS-00L3B2 rev.01.03B01
    Running: 594pdgiw.exe; Driver: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\ufliaaog.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB7E7F1D4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB7E7F1E8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    ---- Processes - GMER 1.0.15 ----

    Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 4016

    ---- EOF - GMER 1.0.15 ----
  9. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    Testing from another computer. I couldn't get the forums to post for the other two logs with my virus computer - it keeps giving me errors.

    EDIT: In the above log it keeps mentioning McAfee, but that should be uninstalled. I don't know how to read that log, so maybe it's usual or something, but I just thought I'd mention that. As for the other logs, if I can't get them to post from the one computer, I suppose I can transfer them to another and post from there (once I find the flash drive). I have a flash drive scanner to prevent viruses from transferring over it.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    To disable Add ons in Firefox:

    Open Firefox> Click on Tools> Manage Addons>
    [​IMG]
    Once the Add-ons window opens, it will default to the Extension view and list all installed add-ons.
    [​IMG]
    You should look for extensions that do not need to be enabled all the time. For instance:
    [​IMG]
    In the example above, this add-on is used very little and does not need to be running when browsing the Internet.
    To disable, highlight the extension and click the Disable button. The message "This add-on will be disabled when Firefox is restarted" will be displayed.
    Images courtesy of watchingthenet.com

    After disabling the add-ons that you do not want loaded when Firefox starts, close the Add-ons window and restart Firefox by closing and launching Firefox.
    =====================================
    You don't need to worry about what you see in GMER- that's my job!

    I'm not understanding what the problem with the logs is. Do you mean that you can't access the internet to get here to post them? If so, you will need to move the logs to a flash drive, then post here.
    Is "slow" why you can't get the logs here? If so, you might have to put up with it until we find and remove some of the malware. You may have a rootkit and the AV and Spybot won't fully remove it.

    If you are concerned about the flash drive, you can disinfect it first:

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    I have nothing to work with at this point.
  11. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    There's no problem with the logs that I know of. I have those. I just can't seem to post on TechSpot (and thus can't post the logs) with that computer anymore as I get errors about not finding the server. I don't have the trouble with other computers. I'll try it again with the one before I attempt the flash drive (which I have to find - things always go missing as soon as you need them!).
     
  12. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    Attach log:


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/5/2009 10:35:55 PM
    System Uptime: 2/29/2012 11:18:54 AM (0 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | EP45-UD3R
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Socket 775 | 3200/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 466 GiB total, 349.748 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 8/1/2010 9:29:52 PM - System Checkpoint
    RP2: 8/1/2010 10:02:37 PM - Software Distribution Service 3.0
    RP3: 8/3/2010 2:42:33 AM - Software Distribution Service 3.0
    RP4: 8/4/2010 11:31:06 PM - Installed McAfee Virtual Technician
    RP5: 8/12/2010 3:29:11 AM - Software Distribution Service 3.0
    RP6: 9/15/2010 2:27:58 AM - Software Distribution Service 3.0
    RP7: 9/29/2010 10:58:50 PM - Software Distribution Service 3.0
    RP8: 10/6/2010 2:36:42 AM - Software Distribution Service 3.0
    RP9: 10/21/2010 1:34:23 AM - Software Distribution Service 3.0
    RP10: 11/10/2010 2:12:29 AM - Software Distribution Service 3.0
    RP11: 11/12/2010 6:11:37 PM - Installed ViewSonic Windows XP Signed Files
    RP12: 12/15/2010 3:00:17 AM - Software Distribution Service 3.0
    RP13: 1/13/2011 2:51:50 AM - Software Distribution Service 3.0
    RP14: 1/20/2011 10:54:03 AM - Installed ZBrush 3.5 R3
    RP15: 2/10/2011 1:56:27 AM - Software Distribution Service 3.0
    RP16: 3/9/2011 12:51:12 AM - Software Distribution Service 3.0
    RP17: 3/16/2011 3:59:52 AM - Software Distribution Service 3.0
    RP18: 3/25/2011 3:25:50 AM - Software Distribution Service 3.0
    RP19: 4/14/2011 3:02:24 AM - Software Distribution Service 3.0
    RP20: 4/28/2011 3:00:36 AM - Software Distribution Service 3.0
    RP21: 5/12/2011 2:38:20 AM - Software Distribution Service 3.0
    RP22: 6/11/2011 12:13:59 AM - Restore Operation
    RP23: 6/29/2011 12:06:39 PM - Software Distribution Service 3.0
    RP24: 6/30/2011 4:00:17 AM - Software Distribution Service 3.0
    RP25: 7/7/2011 5:01:36 PM - Installed DirectX
    RP26: 7/12/2011 5:26:42 PM - Installed Java(TM) 6 Update 26
    RP27: 7/13/2011 3:20:08 AM - Software Distribution Service 3.0
    RP28: 8/10/2011 4:00:14 AM - Software Distribution Service 3.0
    RP29: 8/10/2011 11:46:07 AM - Installed DirectX
    RP30: 8/11/2011 4:00:14 AM - Software Distribution Service 3.0
    RP31: 8/25/2011 4:00:14 AM - Software Distribution Service 3.0
    RP32: 9/7/2011 4:00:14 AM - Software Distribution Service 3.0
    RP33: 9/15/2011 3:20:33 AM - Software Distribution Service 3.0
    RP34: 9/28/2011 4:00:14 AM - Software Distribution Service 3.0
    RP35: 10/13/2011 4:00:15 AM - Software Distribution Service 3.0
    RP36: 11/11/2011 3:00:16 AM - Software Distribution Service 3.0
    RP37: 11/20/2011 2:35:41 PM - Installed Desperados 2
    RP38: 11/24/2011 10:32:44 PM - Installed Sid Meier's Alpha Centauri 2000/XP Compatibility Updat
    RP39: 12/1/2011 12:52:58 PM - Installed Legends Craft Plugin.
    RP40: 12/1/2011 12:54:04 PM - Installed Legends Info Plugin.
    RP41: 12/1/2011 1:08:45 PM - Installed MySQL Connector Net 6.4.4
    RP42: 12/1/2011 1:12:03 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    RP43: 12/1/2011 1:12:37 PM - Installed Java(TM) 6 Update 22
    RP44: 12/1/2011 1:13:06 PM - Installed OpenOffice.org 3.3
    RP45: 12/1/2011 7:22:49 PM - Installed MySQL Server 5.1
    RP46: 12/1/2011 9:12:50 PM - Installed MySQL Server 5.5
    RP47: 12/1/2011 9:54:04 PM - Installed MySQL Workbench 5.2 CE
    RP48: 12/3/2011 2:52:07 AM - Software Distribution Service 3.0
    RP49: 12/3/2011 11:41:47 PM - Software Distribution Service 3.0
    RP50: 12/14/2011 3:00:15 AM - Software Distribution Service 3.0
    RP51: 1/11/2012 2:41:44 AM - Software Distribution Service 3.0
    RP52: 1/19/2012 9:32:07 PM - Installed Avernum 5
    RP53: 2/1/2012 3:00:14 AM - Software Distribution Service 3.0
    RP54: 2/17/2012 2:02:12 AM - Software Distribution Service 3.0
    RP55: 2/17/2012 10:31:36 PM - Restore Operation
    RP56: 2/18/2012 12:09:47 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    2Wire Wireless Client
    7-Zip 4.65
    AbiWord 2.8.6
    Adobe Flash Player 10 Plugin
    Adobe Reader 6.0
    Audacity 1.2.6
    Avernum 4
    Avernum 5
    Avira Free Antivirus
    Baldur's Gate
    Baldur's Gate Tutu
    Baldur's Gate(TM) II - Shadows of Amn(TM) Bonus CD
    Baldur's Gate(TM) II - Throne of Bhaal (TM)
    Beneath a Steel Sky
    Brother HL-4040CN
    Browser Configuration Utility
    Core FTP LE 2.1
    Desperados 1.0
    Desperados 2
    Download Manager 2.3.10
    Dragonsphere
    Drakensang
    Drakensang 2: River of Time
    Energy Saver Advance B8.0905.1
    Fraps
    Gigabyte Raid Configurer
    GIMP 2.6.4
    gmax
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 26
    Just Great Software EditPad Lite 6.4.5
    LAME v3.98.3 for Audacity
    Legends Craft Plugin
    Legends Info Plugin
    Lords of the Realm - Royal Edition
    LucasArts' Outlaws
    Malwarebytes' Anti-Malware version 1.51.2.1300
    McAfee Virtual Technician
    MDB Utilities 2.3.0 for 3ds Max
    Mech Commander Omnitech version 0.148
    Melody Assistant
    Messenger Plus! 3
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft MechCommander 2
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Mozilla Firefox (3.6.25)
    MSN Messenger 7.0
    MySQL Connector Net 6.4.4
    MySQL Server 5.1
    MySQL Server 5.5
    MySQL Workbench 5.2 CE
    Neverwinter Nights 2
    NVIDIA Display Control Panel
    NVIDIA Graphics Driver 260.99
    NVIDIA Install Application
    OpenOffice.org 3.3
    Paint Shop Pro 4.12
    Pidgin
    POWERPREP GRE
    RarZilla Free Unrar 2.53
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    REALTEK GbE & FE Ethernet PCI NIC Driver
    Realtek High Definition Audio Driver
    ReNamer
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sid Meier's Alpha Centauri
    Sid Meier's Alpha Centauri 2000/XP Compatibility Update
    Sound Blaster Live! Value
    Spybot - Search & Destroy
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    ViewSonic Windows XP Signed Files
    WarZone Client v1.0.49
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows XP Service Pack 3
    World Machine 2.2 Basic Edition
    X-Chat 2.8.6-2
    X-Com Terror From the Deep
    X-Com UFO Defense
    x264vfw - H.264/MPEG-4 AVC codec (remove only)
    xNormal 3.17.0 Beta 3b
    Xvid 1.2.2 final uninstall
    Yahoo! Install Manager
    ZBrush 3.5 R3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2/27/2012 6:29:22 PM, error: Service Control Manager [7023] - The SiS300i service terminated with the following error: Access is denied.
    2/27/2012 6:26:22 PM, error: Service Control Manager [7023] - The MaRdPnp service terminated with the following error: Access is denied.
    2/27/2012 6:14:22 PM, error: Service Control Manager [7023] - The Btwhid service terminated with the following error: Access is denied.
    2/27/2012 6:12:52 PM, error: Service Control Manager [7023] - The Wlsetupsvc service terminated with the following error: The system cannot find the file specified.
    2/27/2012 6:12:52 PM, error: Service Control Manager [7023] - The Uclauncherservice service terminated with the following error: The specified module could not be found.
    2/27/2012 6:12:52 PM, error: Service Control Manager [7023] - The SE2Bmdm service terminated with the following error: The specified module could not be found.
    2/27/2012 6:12:52 PM, error: Service Control Manager [7023] - The S117mdm service terminated with the following error: The specified module could not be found.
    2/27/2012 6:12:52 PM, error: Service Control Manager [7023] - The QPSched service terminated with the following error: The specified module could not be found.
    2/27/2012 6:12:52 PM, error: Service Control Manager [7023] - The Qkbfiltr service terminated with the following error: The specified module could not be found.
    2/27/2012 6:12:52 PM, error: Service Control Manager [7023] - The Mldserv service terminated with the following error: The specified module could not be found.
    2/27/2012 6:12:52 PM, error: Service Control Manager [7023] - The L1e service terminated with the following error: The specified module could not be found.
    2/27/2012 6:12:52 PM, error: Service Control Manager [7023] - The Ihcservice service terminated with the following error: The specified module could not be found.
    2/27/2012 6:12:52 PM, error: Service Control Manager [7023] - The Compbatt service terminated with the following error: The specified module could not be found.
    2/27/2012 6:12:52 PM, error: Service Control Manager [7023] - The Catchme service terminated with the following error: The specified module could not be found.
    2/27/2012 6:12:52 PM, error: Service Control Manager [7023] - The Cachemgr service terminated with the following error: The specified module could not be found.
    2/24/2012 9:54:13 PM, error: Service Control Manager [7023] - The QPSched service terminated with the following error: Access is denied.
    2/24/2012 9:39:13 PM, error: Service Control Manager [7023] - The Ihcservice service terminated with the following error: Access is denied.
    2/24/2012 9:24:13 PM, error: Service Control Manager [7023] - The Catchme service terminated with the following error: Access is denied.
    2/24/2012 9:09:13 PM, error: Service Control Manager [7023] - The Cachemgr service terminated with the following error: Access is denied.
    2/24/2012 8:54:13 PM, error: Service Control Manager [7023] - The Qkbfiltr service terminated with the following error: Access is denied.
    2/24/2012 8:39:14 PM, error: Service Control Manager [7023] - The L1e service terminated with the following error: Access is denied.
    2/24/2012 8:24:13 PM, error: Service Control Manager [7023] - The Mldserv service terminated with the following error: Access is denied.
    2/24/2012 8:09:13 PM, error: Service Control Manager [7023] - The Wlsetupsvc service terminated with the following error: Access is denied.
    2/24/2012 7:56:12 PM, error: Service Control Manager [7023] - The Compbatt service terminated with the following error: Access is denied.
    2/24/2012 7:55:16 PM, error: Service Control Manager [7023] - The S117mdm service terminated with the following error: Access is denied.
    2/24/2012 7:52:36 PM, error: Service Control Manager [7023] - The HssSrv service terminated with the following error: The system cannot find the file specified.
    2/24/2012 7:52:36 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
    2/24/2012 7:52:36 PM, error: Service Control Manager [7001] - The Wired AutoConfig service depends on the Extensible Authentication Protocol Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    2/24/2012 10:24:13 PM, error: Service Control Manager [7023] - The Uclauncherservice service terminated with the following error: Access is denied.
    2/24/2012 10:23:35 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    2/24/2012 10:09:13 PM, error: Service Control Manager [7023] - The SE2Bmdm service terminated with the following error: Access is denied.
    .
    ==== End Of File ===========================
  13. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    I've no idea why, but I can post the attach log file (above) but I can't copy and paste the DDS because I keep getting the server is busy error. At least I'm one more step there!
  14. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    Also, Malwarebytes still gives the same error even with add-ons disabled.
  15. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    DDS File (finally!):


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by Christopher Aune at 11:31:08 on 2012-02-29
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2874 [GMT -6:00]
    .
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\hasplms.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\svcs.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [AudioHQ] c:\program files\creative\sblive2k\audiohq\AHQTB.EXE
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe"
    mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: mswsock.dll
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231220003046
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: Interfaces\{CE42E78C-ED3A-4B97-930C-1C1B4077823B} : DhcpNameServer = 192.168.1.254
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\christopher aune\application data\mozilla\firefox\profiles\qy824k2u.default\
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\program files\download manager\npfpdlm.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-5 387480]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-2-17 36000]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-18 84200]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-2-17 86224]
    R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-2-17 110032]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-2-17 74640]
    R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-18 141792]
    R2 NetworkLog;NetworkLog;c:\windows\svcs.exe [2012-2-24 577536]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-18 88736]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-18 188136]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-18 56064]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-18 88736]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-5 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-5 40552]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-1-7 80392]
    .
    =============== File Associations ===============
    .
    txtfile="c:\program files\jgsoft\editpadlite\EditPadLite.exe" "%1"
    .
    =============== Created Last 30 ================
    .
    2012-02-25 02:09:34 577536 ----a-w- c:\windows\svcs.exe
    2012-02-25 02:04:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-02-25 02:04:41 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2012-02-18 06:22:31 6766 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-02-18 05:56:22 -------- d-----w- c:\documents and settings\christopher aune\application data\Avira
    2012-02-18 05:55:41 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2012-02-18 05:55:41 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2012-02-18 05:55:40 -------- d-----w- c:\program files\Avira
    2012-02-18 05:55:40 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2012-02-18 04:36:48 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-02-18 04:35:16 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2012-02-18 04:35:16 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-02-16 18:14:28 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
    2012-02-16 18:14:28 3072 ------w- c:\windows\system32\iacenc.dll
    .
    ==================== Find3M ====================
    .
    2012-02-18 04:07:45 0 ----a-w- c:\windows\system32\palmusbd.dll
    2012-02-17 21:41:55 0 ----a-w- c:\windows\system32\pdframe.dll
    2012-01-25 08:43:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
    2011-12-31 00:31:47 286720 ----a-w- c:\windows\iun504.exe
    2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
    .
    ============= FINISH: 11:31:43.54 ===============
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay- someone hung up so you could get through! Good. Thank you!

    Please remove these from the Trusted Sites:
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    The security is lower in that zone- nothing needs to be there! You are giving the entire internet the okay to be in the trusted zone, so this pretty much defeats the reason for having the security!
    Click on Control Panel or Tools in IE> Security tab> Trusted Sites> Highlight and remove these sites> Apply> Okay.
    =========================
    Maybe 'should be' but isn't! Processes for both programs are loading.
    McAfee Antivirus
    1. [2011-3-18 84200]> Anti-Virus Mini-Firewall Driver from McAfee, Inc.
    2. McAfee Virtual Technician shows in installed programs. According to McAfee:
    If you are no longer running McAfee> using the uninstaller: Uninstall:
    McAfee Removal
    You will also need to uninstall the MVT in Add/Remove Programs, then use Windows Explorer to access Computer> Local Drive (C)> Programs> right click on Program folder> Delete.

    Please reboot the program when finished. You may need to boot into Safe Mode.
    ================================
    Since there is a problem with Malwarebytes, I'd like you to run the following> be sure to check the line for removal of entries it finds. If you have a lot of Tracking Cookies, I'll help you reset Cookies to prevent them:
    SuperAntiSpyware Home Edition Free Version
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check: 'Perform Complete Scan then Click 'Next' to start the scan.
    • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it, then press 'Next'.
    • Click on 'Finish' when you're done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor, such as Notepad. Paste the Notepad file here in your reply.
    ====================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ===================================
    Please leave logs for SAS and Combofix in your next reply.
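As an added example that is not part of this thread (and not a DDS, TechSpot or Bobbye tool), here is a small Python triage script for a DDS-style log: it pulls out the Trusted Zone entries discussed above and applies two assumed heuristics to the SERVICES / DRIVERS lines (service binary sitting directly in the Windows root, and file date within 30 days of the log date). The sample excerpt is constructed to mirror the line shapes in the log posted earlier; a hit is a prompt for manual review, not a verdict.

```python
"""Triage helpers for a DDS-style log of the kind pasted in this thread.

Added example, not a tool from the thread or from the DDS author.  The
excerpt below is constructed to mirror line shapes quoted above; the
heuristics are this example's assumptions, not DDS's own rules, and a
hit only means "look at this by hand".
"""
import ntpath
import re
from datetime import date

# Constructed excerpt in DDS layout: a "Run by" header, HJT-style lines and
# "<state> <name>;<display>;<path> [<yyyy-m-d> <size>]" service lines.
SAMPLE_LOG = """\
Run by User at 11:31:08 on 2012-02-29
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
Trusted Zone: internet
Trusted Zone: mcafee.com
============= SERVICES / DRIVERS ===============
R2 AntiVirService;Avira Realtime Protection;c:\\program files\\avira\\antivir desktop\\avguard.exe [2012-2-17 110032]
R2 hasplms;HASP License Manager;c:\\windows\\system32\\hasplms.exe -run --> c:\\windows\\system32\\hasplms.exe -run [?]
R2 NetworkLog;NetworkLog;c:\\windows\\svcs.exe [2012-2-24 577536]
S3 cfwids;McAfee Inc. cfwids;c:\\windows\\system32\\drivers\\cfwids.sys [2011-3-18 56064]
"""

RUN_DATE_RE = re.compile(r"^Run by .+? on (\d{4}-\d{2}-\d{2})$", re.M)
TRUSTED_RE = re.compile(r"^Trusted Zone: (.+)$", re.M)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}|\?)(?: \d+)?\]$",
    re.M,
)


def log_date(text):
    """Date the log was generated, from the 'Run by ... on YYYY-MM-DD' header."""
    m = RUN_DATE_RE.search(text)
    return date.fromisoformat(m.group(1)) if m else None


def trusted_zone_findings(text):
    """Each Trusted Zone entry runs that host under IE's relaxed Trusted Sites
    settings; a bare 'internet' entry extends that relaxation to every site."""
    findings = []
    for host in TRUSTED_RE.findall(text):
        host = host.strip()
        severity = "high" if host.lower() == "internet" else "medium"
        findings.append((severity, host))
    return findings


def _binary_path(raw):
    """Drop DDS's '-->' resolution note and any command-line arguments."""
    m = re.match(r"(.*?\.(?:exe|sys|dll))", raw, re.I)
    return (m.group(1) if m else raw).strip().lower()


def _parse_date(text):
    """DDS writes dates without zero padding (2012-2-24); '?' means unknown."""
    if text == "?":
        return None
    y, m, d = (int(part) for part in text.split("-"))
    return date(y, m, d)


def parse_services(text):
    """One dict per SERVICES / DRIVERS line."""
    out = []
    for m in SERVICE_RE.finditer(text):
        out.append({
            "state": m.group("state"),
            "name": m.group("name"),
            "display": m.group("display"),
            "path": _binary_path(m.group("path")),
            "created": _parse_date(m.group("date")),
        })
    return out


def service_findings(text, recent_days=30):
    """Triage heuristics (assumptions of this example, not DDS rules): flag a
    service whose binary sits directly in the Windows root rather than a
    subfolder such as system32, and one whose file date falls within
    recent_days of the log date.  Returns {name: [reasons]}; confirm by hand."""
    generated = log_date(text)
    findings = {}
    for svc in parse_services(text):
        reasons = []
        if ntpath.dirname(svc["path"]) == r"c:\windows":
            reasons.append("binary in windows root")
        if generated and svc["created"] and \
                0 <= (generated - svc["created"]).days <= recent_days:
            reasons.append("file dated within %d days of log" % recent_days)
        if reasons:
            findings[svc["name"]] = reasons
    return findings


if __name__ == "__main__":
    for severity, host in trusted_zone_findings(SAMPLE_LOG):
        print("trusted zone [%s]: %s" % (severity, host))
    for name, reasons in service_findings(SAMPLE_LOG).items():
        print("service %s: %s" % (name, "; ".join(reasons)))
```

On the constructed excerpt the recent-file heuristic also flags the freshly installed Avira service, which is exactly why each hit carries its reasons and is meant to be checked by hand.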
  17. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    I was able to remove Virtual Technician, but not McAfee (which is not in the add/remove) list. I used add/remove on it awhile ago and it appeared to remove it, but the computer froze, too. Attempting the McAfee Removal Program gives me the following error:

    The log file for the McAfee Removal Program won't show either. I attempted to follow McAfee's instructions on deactivating in case of an improper uninstall process, but since I don't have an account with them I can't get in to deactivate (McAfee package came with internet installation).
  18. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    As always, thanks for all the help.

    I ran SuperAntiSpyware. The version I got doesn't quite work the way you described, but it was simple enough to find the appropriate steps mentioned. There were two logs, one a quick scan (I accidentally started one, then stopped it) which I'm not bothering to post. The log of the full scan is here. Quite a few problems (including sites I don't visit!)! Supposedly the program removed them. My internet is lightning fast compared to what it was before the scan and removal. I still have to run ComboFix.

    Without further ado, here's the log:


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 03/06/2012 at 02:46 PM

    Application Version : 5.0.1142

    Core Rules Database Version : 8307
    Trace Rules Database Version: 6119

    Scan type : Complete Scan
    Total Scan Time : 01:58:48

    Operating System Information
    Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
    Administrator

    Memory items scanned : 501
    Memory threats detected : 0
    Registry items scanned : 21425
    Registry threats detected : 0
    File items scanned : 89742
    File threats detected : 173

    Adware.Tracking Cookie
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\AUIPWVJN.txt [ Cookie:system@trafficno.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\6UO2RTW2.txt [ Cookie:system@bestsitesearch.com/click/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\4UFCHH30.txt [ Cookie:system@burstbeacon.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\13IGOGYR.txt [ Cookie:system@littlegreenfind.com/click/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\48Y9V9OU.txt [ Cookie:system@ads.bridgetrack.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\OM23E5DP.txt [ Cookie:system@oceanbluesearch.com/click/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\ADZODQA1.txt [ Cookie:system@static.getclicky.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\RZP16H5E.txt [ Cookie:system@ggpublishing.rotator.hadj7.adjuggler.net/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\N3NJ2TI9.txt [ Cookie:system@indigofind.com/click/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\DGVE671F.txt [ Cookie:system@micklemedia.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\BJONSUMG.txt [ Cookie:system@adserver2.eclickz.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\FFR9OY0V.txt [ Cookie:system@crackle.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\KTND1CJC.txt [ Cookie:system@filter.plusfind.net/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\P3PA1OGH.txt [ Cookie:system@www.findallofittoday.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\VSE731SJ.txt [ Cookie:system@tag.2bluemedia.hiro.tv/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\1FG7A5HD.txt [ Cookie:system@xml.trafficengine.net/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\FIWN4S6W.txt [ Cookie:system@content.yieldmanager.com/ak/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\UUOTEPWZ.txt [ Cookie:system@fls.doubleclick.net/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\VWP1I8J7.txt [ Cookie:system@content.yieldmanager.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\R7M88W3X.txt [ Cookie:system@city-seek.com/click/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\QONWXMF9.txt [ Cookie:system@citygridmedia.com/ ]
    cdn.insights.gravity.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    cdn1.static.pornhub.phncdn.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    ia.media-imdb.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    media.ign.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    media.mtvnservices.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    media.nbclosangeles.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    media1.break.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    media10.washingtonpost.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    msnbcmedia.msn.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    richmedia247.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    s0.2mdn.net [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    secure-us.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    staticedge.hardsextube.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    vidii.hardsextube.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    www.soundclick.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]
    xxxbunker.com [ C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\E28VUTLW ]

    Trojan.Agent/Gen-Haote
    C:\PROGRAM FILES\2K GAMES\X-COM TERROR FROM THE DEEP\UNINSTALL.EXE
    C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\START MENU\PROGRAMS\2K GAMES\X-COM TERROR FROM THE DEEP\UNINSTALL X-COM TERROR FROM THE DEEP.LNK
    C:\PROGRAM FILES\2K GAMES\X-COM UFO DEFENSE\UNINSTALL.EXE
    C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\START MENU\PROGRAMS\2K GAMES\X-COM UFO DEFENSE\UNINSTALL X-COM UFO DEFENSE.LNK

    Trojan.Agent/Gen-Sirefef
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP54\A0040296.SYS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP54\A0040316.SYS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP55\A0041000.SYS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP55\A0042000.SYS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP56\A0043000.SYS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP56\A0043076.SYS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP56\A0043106.SYS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP56\A0043139.SYS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP56\A0043183.SYS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP56\A0043192.SYS
  19. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    Oh, and one quick thing. SuperAntiSpyware keeps giving me a popup above the tray toolbar that there are new updates available despite my updating it. Maybe one came out right after I did so or something, or should I just ignore that now that I already did the scan?

    Also, just as additional information on the computer, while the internet started running faster, the popups still showed, including one that wouldn't permit me to close Firefox normally.

    Running combofix now.
  20. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    ComboFix log:

    ComboFix 12-03-06.01 - Christopher Aune 03/06/2012 15:14:00.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2874 [GMT -6:00]
    Running from: c:\documents and settings\Christopher Aune\Desktop\ComboFix.exe
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Christopher Aune\WINDOWS
    c:\windows\$NtUninstallKB10740$\2391593169
    c:\windows\$NtUninstallKB10740$\3007683249\@
    c:\windows\$NtUninstallKB10740$\3007683249\cfg.ini
    c:\windows\$NtUninstallKB10740$\3007683249\Desktop.ini
    c:\windows\$NtUninstallKB10740$\3007683249\L\enlimnon
    c:\windows\$NtUninstallKB10740$\3007683249\oemid
    c:\windows\$NtUninstallKB10740$\3007683249\U\00000001.@
    c:\windows\$NtUninstallKB10740$\3007683249\U\00000002.@
    c:\windows\$NtUninstallKB10740$\3007683249\U\00000004.@
    c:\windows\$NtUninstallKB10740$\3007683249\U\80000000.@
    c:\windows\$NtUninstallKB10740$\3007683249\U\80000004.@
    c:\windows\$NtUninstallKB10740$\3007683249\U\80000032.@
    c:\windows\$NtUninstallKB10740$\3007683249\version
    c:\windows\EventSystem.log
    c:\windows\svcs.exe
    c:\windows\system32\dllcache\dlimport.exe
    c:\windows\system32\palmusbd.dll
    c:\windows\system32\pdframe.dll
    c:\windows\system32\SET17.tmp
    .
    Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
    Restored copy from - The cat found it :)
    c:\windows\system32\drivers\i8042prt.sys was missing
    Restored copy from - c:\windows\ServicePackFiles\i386\i8042prt.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_FRAMEWORK
    -------\Legacy_NETWORKLOG
    -------\Service_framework
    -------\Service_NetworkLog
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-06 to 2012-03-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-06 21:21 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2012-03-06 21:10 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-03-06 18:44 . 2012-03-06 18:44 -------- d-----w- c:\documents and settings\Christopher Aune\Application Data\SUPERAntiSpyware.com
    2012-03-06 18:43 . 2012-03-06 18:44 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-03-06 18:43 . 2012-03-06 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-02-25 02:04 . 2012-02-25 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2012-02-25 02:04 . 2012-02-25 02:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-02-18 06:22 . 2012-02-18 06:22 6766 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-02-18 05:56 . 2012-02-18 05:56 -------- d-----w- c:\documents and settings\Christopher Aune\Application Data\Avira
    2012-02-18 05:55 . 2012-02-25 01:58 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2012-02-18 05:55 . 2011-09-16 05:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2012-02-18 05:55 . 2011-09-16 05:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2012-02-18 05:55 . 2012-02-18 05:55 -------- d-----w- c:\program files\Avira
    2012-02-18 05:55 . 2012-02-18 05:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2012-02-18 04:36 . 2012-03-06 21:13 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-02-18 04:35 . 2012-02-18 04:35 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-02-17 21:18 . 2012-02-17 21:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-02-16 18:14 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
    2012-02-16 18:14 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-25 08:43 . 2012-01-25 08:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-12 16:53 . 2006-02-28 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
    2011-12-31 00:31 . 2011-12-31 00:34 286720 ----a-w- c:\windows\iun504.exe
    2011-12-17 19:46 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-12-17 19:46 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-12-17 19:46 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-12-16 12:22 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AudioHQ"="c:\program files\Creative\SBLive2k\AudioHQ\AHQTB.EXE" [2000-05-11 205312]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
    "SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
    "MessengerPlus3"="c:\program files\MessengerPlus! 3\MsgPlus.exe" [2009-11-30 190024]
    "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
    "AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\Christopher Aune\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\WINDOWS\\system32\\hasplms.exe"=
    "c:\\Program Files\\Pidgin\\pidgin.exe"=
    "c:\\Program Files\\X-Chat 2\\xchat.exe"=
    "c:\\Program Files\\WarZone\\LobbyClient.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\LucasArts\\Outlaws\\olwin.exe"=
    "c:\\Program Files\\GOGcom\\Sid Meiers Alpha Centauri\\terran.exe"=
    "c:\\Program Files\\MySQL\\MySQL Server 5.1\\bin\\mysqld.exe"=
    "c:\\Program Files\\MySQL\\MySQL Server 5.5\\bin\\mysqld.exe"=
    .
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2/17/2012 11:55 PM 36000]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/17/2012 11:55 PM 86224]
    R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S4 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [1/7/2009 12:03 PM 80392]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    apache
    vstor2-ws60
    ati2mtaa
    regspy
    artdhcp
    aswrdr
    AtlsAud
    wdm_au8820
    CamAv
    tosrfusb
    SunkFilt39
    wg5n
    videoacceleratorengine
    DCamUSBDXGTech
    svcwmu
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.25.1
    FF - ProfilePath - c:\documents and settings\Christopher Aune\Application Data\Mozilla\Firefox\Profiles\qy824k2u.default\
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    .
    .
    ------- File Associations -------
    .
    txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Drakensang 2: River of Time - c:\program files\THQ\Drakensang 2 River of Time\${UNINSTALL_LOG}.exe
    AddRemove-X-Com Terror From the Deep - c:\program files\2K Games\X-Com Terror From the Deep\Uninstall.exe
    AddRemove-X-Com UFO Defense - c:\program files\2K Games\X-Com UFO Defense\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-06 15:29
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\windows\$NtUninstallKB10740$:SummaryInformation 0 bytes hidden from API
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.5\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.5\my.ini\" MySQL"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(548)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(2300)
    c:\windows\system32\WININET.dll
    c:\program files\MessengerPlus! 3\MsgPlusLoader.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\devldr32.exe
    c:\windows\system32\devldr32.exe
    c:\windows\system32\devldr32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\windows\system32\hasplms.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\SOUNDMAN.EXE
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\avira\antivir desktop\ipmGui.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-06 15:31:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-06 21:31
    .
    Pre-Run: 378,672,861,184 bytes free
    Post-Run: 378,968,547,328 bytes free
    .
    - - End Of File - - 7E8258FE5A01DFA866B6ACF750016BF0
  21. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    Quick note: Avira (which reactivated itself upon reboot) still detects stuff. I've been ignoring messages from Avira because there's been no success in trying to remove anything with it as yet, so I figure if it's not helping the problem, it's best to leave it alone until I go through any processes you instruct me to do. Hope I did it right!

    Okay, I did all the steps that I could do. Waiting on a reply now. Thanks once again.
  22. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    Just a quick side note...

    On the computer I installed Flash Disinfector, about five days later (today) AVG said it detected something bad (Flash Disinfector) and that I should remove it. I let it since I was done with it anyway. I thought perhaps that some anti-virus might think of it as a problem program. AVG also detected something called "password finder". That was removed no problem. I ran Malwarebytes full scan to be sure and it picked up one file (which I had it remove), shown in this log:

    (I posted it here just because I didn't want to start a new thread if I didn't have to.)

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.07.02

    Windows XP Service Pack 2 x86 NTFS
    Internet Explorer 7.0.5730.13
    V. Aune :: NORDSKA [administrator]

    3/7/2012 7:46:19 AM
    mbam-log-2012-03-07 (07-46-19).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 316728
    Time elapsed: 1 hour(s), 35 minute(s), 1 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) -> Data: http=127.0.0.1:53636 -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please revisit the directions I left for the Flash Disinfector and note:
    =======================================
    Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click Ok to close the Local Area Network (LAN) Settings window.
      o Click Ok to close the Internet Options window.
    ======================================
    If 3rd party Cookies aren't blocked, you will get the Cookies from ads and banners on other sites:
    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    =======================================
    You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
    Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    ===========================================
    You'll be happy to know that Trojan.Agent/Gen-Sirefef (AKA Zero Access Rootkit) is only indicated in System Volume. It is not active in the system. This is where the restore points are kept and I will have you set clean restore point and drop old ones when we finish.
    ==========================================
    I'm going to take a break for dinner. I'll try to get back to review Combofix later. If I don't, I'll do it in the morning.
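    The two manual proxy resets above can also be verified from a script, which is useful because this thread shows the setting being hijacked twice over: Malwarebytes quarantined `ProxyServer = http=127.0.0.1:53636` (PUM.Bad.Proxy) and ComboFix listed `network.proxy.type - 4` in prefs.js. The following is an added example, not code from the thread or from any of the tools named in it. The registry export and prefs.js it parses are constructed samples modelled on those two log values, and the function names (`audit_wininet`, `audit_firefox` and so on) are my own; an empty findings list is the "No Proxy" state Bobbye's instructions aim for.

```python
import ipaddress
import re
from typing import Dict, List, Union

PrefValue = Union[str, int, bool]

# Constructed sample: regedit-style export of the WinINet (IE) proxy key,
# modelled on the value Malwarebytes flagged as PUM.Bad.Proxy in the thread.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:53636"
"ProxyOverride"="<local>"
"""

# Constructed sample prefs.js: a manual proxy pointing at the same loopback port.
SAMPLE_PREFS_JS = """# Mozilla User Preferences
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 53636);
"""

# network.proxy.type values: 0 direct, 1 manual, 2 PAC URL, 4 WPAD auto-detect, 5 system
FF_PROXY_TYPES = {0: "direct", 1: "manual", 2: "pac", 4: "wpad", 5: "system"}


def parse_reg_export(text: str) -> Dict[str, PrefValue]:
    """Read the REG_SZ and REG_DWORD values of a single-key regedit export."""
    values: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"=(.*)$', line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            values[name] = int(raw[len("dword:"):], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            values[name] = raw[1:-1].replace("\\\\", "\\")
    return values


def parse_prefs_js(text: str) -> Dict[str, PrefValue]:
    """Read user_pref("name", value); lines from a Firefox prefs.js (str/int/bool)."""
    prefs: Dict[str, PrefValue] = {}
    pat = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')
    for line in text.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def classify_host(host: str) -> str:
    """'loopback', 'lan' (private range) or 'external' (public IP or any hostname)."""
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"
    if ip.is_loopback:
        return "loopback"
    return "lan" if ip.is_private else "external"


def proxy_hosts(proxy_server: str) -> List[str]:
    """Hosts from a WinINet ProxyServer value: 'host:port' or 'http=h:p;https=h:p'."""
    hosts = []
    for entry in proxy_server.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:                       # per-protocol form: scheme=host:port
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0])  # drop the port (IPv4 / hostnames only)
    return hosts


def audit_wininet(values: Dict[str, PrefValue]) -> List[str]:
    """Findings for the HKCU Internet Settings key; [] means the IE 'no proxy' state."""
    findings = []
    pac = values.get("AutoConfigURL")
    if pac:
        findings.append(f"AutoConfigURL={pac}: a PAC script decides where every request goes")
    server = values.get("ProxyServer")
    if values.get("ProxyEnable") == 1 and server:
        for host in proxy_hosts(str(server)):
            kind = classify_host(host)
            if kind == "loopback":
                findings.append(f"ProxyServer={server}: proxy on loopback, so some local process "
                                "is relaying the browser's traffic (identify it with netstat -ano)")
            elif kind == "external":
                findings.append(f"ProxyServer={server}: traffic leaves via an external host")
    return findings


def audit_firefox(prefs: Dict[str, PrefValue]) -> List[str]:
    """Findings for prefs.js; type 5 (system) defers to audit_wininet, so it reports nothing."""
    findings = []
    mode = FF_PROXY_TYPES.get(prefs.get("network.proxy.type", 5), "unknown")
    if mode == "manual":
        for proto in ("http", "ssl", "socks"):
            host = prefs.get(f"network.proxy.{proto}")
            if host and classify_host(str(host)) != "lan":
                port = prefs.get(f"network.proxy.{proto}_port")
                findings.append(f"network.proxy.{proto}={host}:{port} ({classify_host(str(host))})")
    elif mode == "pac":
        findings.append(f"network.proxy.autoconfig_url={prefs.get('network.proxy.autoconfig_url')}")
    elif mode == "wpad":
        findings.append("network.proxy.type=4 (WPAD): any LAN host that answers for 'wpad' "
                        "can hand the browser a PAC file")
    return findings


if __name__ == "__main__":
    for label, findings in (("WinINet", audit_wininet(parse_reg_export(SAMPLE_REG_EXPORT))),
                            ("Firefox", audit_firefox(parse_prefs_js(SAMPLE_PREFS_JS)))):
        print(label, "clean" if not findings else "")
        for item in findings:
            print("  -", item)
```

    On the affected machine the inputs come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ie_proxy.reg` (regedit's own export is UTF-16, so check the encoding before reading it) and from the prefs.js in the profile directory ComboFix printed. A loopback proxy is not proof of malware on its own, since debugging proxies and some security products also listen on 127.0.0.1, which is why the finding points at `netstat -ano`: the PID on that port tells you which binary to look at. Note also that Firefox in "Use system proxy settings" (type 5) simply inherits the WinINet values, so the registry audit is the one that has to come back clean.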
  24. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    I already have AdBlock, so that's one less step to do. :)

    I'll get to the others as soon as I can. Thanks again!
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There is an AdBlockPlus and EasyList adds more domains to block.

    Is this thread only for 1 computer?