TechSpot

Virus? Safe mode screen is 3/4 blocked

By steveow
Nov 22, 2010
  1. First, many thanks for being able to come here for help... again.

    My teenage son and his buddies really did it this time.
    They were browsing smut on 'my' PC when I was out of town and my side business is stalled until I get it fixed.

    I have:
    Windows XP Pro on Sony Vaio
    Internet Explorer
    I have Malwarebytes, Avira AntiVir PE and SUPERAntiSpyware, installed when you folks helped me out in '08 with the 8 steps. The computer has worked like a charm ever since.

    NOW
    When I turn on the PC I only get "Think Point" on my screen... nothing else. Now the problem I'm having when I go to Safe Mode, hoping to try and fix this, is that the same Think Point picture (about 8"x11", sideways) is in the middle of my screen; I can't see anything behind it. I've been able to run Malwarebytes on Quick Scan because I can see the option to the left, but when I click Full Scan it will not work. When I opened Avira I did see Avira's Start Scan option poking out the side of the Think Point banner, but it doesn't do anything when I click it.
    My desktop icons only show in Safe Mode, but I have to do Ctrl/Alt/Del and then X it out, and then the desktop pops up... strange.

    Many thanks in advance.
    steveow
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    See how much you can do of this:
    ThinkPoint is a rogue anti-spyware program that comes bundled with the fake Microsoft Security Essentials Alert. It will block Task Manager, Registry Editor and other tools too, claiming that these tools were blocked for security reasons and might be infected with malicious code.

    The malware authors try to mimic legitimate programs in looks and in what the action will be; that's why so many users get drawn into these programs. The main entry we see is hotfix.exe, so we will stop it:

    1. Boot into Safe Mode
      • Restart your computer and start pressing the F8 key on your keyboard.
      • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    2. End Task
      Click on Start> Run> type in taskmgr> OK.
      Double click on the frame at the top of the Processes column to sort
      Find hotfix.exe and click to Highlight
      Click on End Task
    3. Unhide
      Click on Start> Search> All Files and Folders
      Go up to Tools> Folder Options
      Click on the View tab
      Check 'Show hidden files and folders'
      Uncheck 'Hide protected operating system files (Recommended)'
      Click on OK> Apply> OK
    4. Search
      Go to Search> 'all or part of the name'
      Type in hotfix.exe
      (It should be found in this folder: C:\Documents and Settings\User\Application Data\hotfix.exe)
      Do a right click> Delete on the file
    5. Rehide the files and folders.
    Close
    ===============================================
    Reboot the computer back into Normal Mode
    ==============================================
     
  3. steveow

    steveow TS Rookie Topic Starter Posts: 69

    awesome!!!!!
    It worked. The only thing was #4... in Application Data there wasn't a hotfix.exe. A search found nothing either.

    I restarted and "Think Point" banner is still on Normal Mode's screen. I'm assuming you're guiding me from here?

    sincerely, steveow
     
  4. steveow

    steveow TS Rookie Topic Starter Posts: 69

    Bobbye,
    Ok, I assumed to do the same in normal mode and I'm back at my own computer. :)
    In the meantime I'm gonna run SuperAnti etc. and wait for your next directions.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, let's do the rest. These have changed a bit since you last used them: please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply. We also require logs to be pasted in the reply now, and multiple replies can be used if needed. We'll find and get rid of the banner. In fact, I'll give you some tips that would have blocked it in the first place! Remind me.

    There will be some other entries to remove, so let's get these logs out first.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  6. steveow

    steveow TS Rookie Topic Starter Posts: 69

    Virus? Safe mode is 3/4 blocked

    Back after the holiday.

    1st I'll give a little info before the pastes.
    I'm still having intermittent internet connections. Safe Mode will not connect. In Normal Mode sometimes the desktop is blank except for the background picture. Connecting to the net via "Start to Internet Explorer" will redirect me to "You're a $1000 Winner at Walmart". Connecting via desktop Yahoo Email does not redirect me, but this only worked AFTER I ran SUPERAntiSpyware in Safe Mode, which found 120 infections, and that allowed me to connect to the internet via Normal Mode. Hope this info helps some.

    (Note: I'm not quite sure if you need the DDS file that needs to be attached via Zip folder... if so, how do I Zip it? I did attach the other one.)

    Malwarebytes' Anti-Malware 1.34
    Database version: 1778
    Windows 5.1.2600 Service Pack 3

    11/29/2010 2:25:41 PM
    mbam-log-2010-11-29 (14-25-41).txt

    Scan type: Quick Scan
    Objects scanned: 130122
    Time elapsed: 23 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    **********************************************************************************
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-11-29 20:43:01
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD2000JD-98HBB0 rev.08.02D08
    Running: hj7ml28w.exe; Driver: C:\DOCUME~1\STEVER~1\LOCALS~1\Temp\kxdiyfoc.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 390721712 (+255): rootkit-like behavior;

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A306292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8A306292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A306292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A306292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A306292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A306292
    Device \Device\Ide\IdeDeviceP2T0L0-17 -> \??\IDE#DiskWDC_WD2000JD-98HBB0_____________________08.02D08#4457572d4143384c383136333433_036_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
    ******************************************************************************************
    **DDS**
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\dlcxcoms.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\COMODO\SafeSurf\cssurf.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\V CAST Media Manager\MEMonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\steve r warner\Desktop\dds.scr
    C:\WINDOWS\system32\conime.exe

    ============== Pseudo HJT Report ===============

    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {F35CE83E-9EBF-40D5-AE87-53F982389740} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [PhotoExplosionCalCheck] c:\program files\nova development\photo explosion deluxe 3.0\calcheck.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
    mRun: [COMODO SafeSurf] "c:\program files\comodo\safesurf\cssurf.exe" -s
    mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
    mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    StartupFolder: c:\docume~1\stever~1\startm~1\programs\startup\vcastm~1.lnk - c:\program files\v cast media manager\MEMonitor.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://svca.solidworks.com/htdocs/pdownload/edrawings/e2009sp03/cab/eModelsStandard.cab
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    AppInit_DLLs: c:\windows\system32\cssdll32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2010-11-30 00:34:33 -------- d-----w- C:\Adobe
    2010-11-20 01:35:35 239 ----a-w- c:\docume~1\stever~1\applic~1\scgdfgasfbh.bat

    ==================== Find3M ====================


    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2000JD-98HBB0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-17

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IdeDeviceP2T0L0-17 -> \??\IDE#DiskWDC_WD2000JD-98HBB0_____________________08.02D08#4457572d4143384c383136333433_036_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A310292
    user != kernel MBR !!!
    sectors 390721966 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 21:18:29.70 ===============
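The GMER and mbr.exe output above is what makes this a bootkit case rather than a plain rogue-AV infection: the MBR read through the normal path differs from the one read by the tool's own driver ("user != kernel MBR"), atapi's DriverStartIo is redirected, and a run of sectors at the end of the disk also disagrees. The pseudo-HJT section carries the separate, ordinary persistence entries (AppInit_DLLs, a toolbar CLSID with "No File", a random-named .bat created in Application Data). The following Python script is an added example, not part of this thread and not code from GMER, DDS or TechSpot: it triages lines of the kind posted above and separates bootkit indicators from persistence entries. The sample lines are constructed from the posted logs; the rule names, regexes and the verdict logic are this example's own assumptions, and it is meant to run on a clean machine over a copied log, never on the infected one.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER, mbr.exe and DDS output in this
# thread (a handful of lines, not the full logs). Sample input only.
SAMPLE_LOG = """\
Disk \\Device\\Harddisk0\\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \\Device\\Harddisk0\\DR0 sector 62: rootkit-like behavior;
Device \\Driver\\atapi -> DriverStartIo \\Device\\Ide\\IdePort0 8A306292
user != kernel MBR !!!
sectors 390721966 (+255): user != kernel
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\\program files\\askbardis\\bar\\bin\\askBar.dll
TB: {F35CE83E-9EBF-40D5-AE87-53F982389740} - No File
AppInit_DLLs: c:\\windows\\system32\\cssdll32.dll
2010-11-20 01:35:35 239 ----a-w- c:\\docume~1\\stever~1\\applic~1\\scgdfgasfbh.bat
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
"""

# Each rule: (indicator name, why it matters, compiled pattern).
# Names and patterns are this example's own, not GMER/DDS vocabulary.
RULES = [
    ("mbr_rootkit", "GMER flags the MBR sector itself as rootkit-like",
     re.compile(r"sector 00 \(MBR\): rootkit-like behavior")),
    ("mbr_mismatch", "MBR read via the normal path differs from the kernel-level read",
     re.compile(r"user != kernel MBR")),
    ("hidden_sectors", "sectors near the end of the disk differ between user and kernel reads",
     re.compile(r"^sectors \d+ \(\+\d+\): user != kernel")),
    ("disk_io_hook", "atapi DriverStartIo redirected to an unexpected address",
     re.compile(r"\\Driver\\atapi -> DriverStartIo \S+ ([0-9A-Fa-f]{8})")),
    ("appinit_dll", "DLL loaded into every GUI process through AppInit_DLLs",
     re.compile(r"^AppInit_DLLs: (.+)$")),
    ("orphan_toolbar", "toolbar CLSID whose file is gone (leftover registration)",
     re.compile(r"^TB: \{[0-9A-Fa-f-]{36}\} - No File")),
    ("appdata_script", "recently created, random-looking script under Application Data",
     re.compile(r"applic~1\\[a-z]{8,}\.(?:bat|exe|dll)$", re.IGNORECASE)),
]


def triage(log_text):
    """Return {indicator: [matching lines]} for every rule that fires."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        line = line.rstrip()
        for name, _why, pattern in RULES:
            if pattern.search(line):
                hits[name].append(line)
    return dict(hits)


def verdict(hits):
    """A bootkit is suspected when GMER flags the MBR, when the user-mode and
    kernel MBR reads disagree, or when a disk I/O hook coincides with hidden
    sectors. Persistence entries are reported separately so they are handled
    after the rootkit, in the order the helper in this thread follows."""
    bootkit = ("mbr_rootkit" in hits or "mbr_mismatch" in hits
               or ("disk_io_hook" in hits and "hidden_sectors" in hits))
    persistence = [n for n in ("appinit_dll", "orphan_toolbar", "appdata_script")
                   if n in hits]
    return {"bootkit": bootkit, "persistence": persistence}


def report(log_text):
    """Human-readable summary: verdict first, then each indicator with its lines."""
    hits = triage(log_text)
    summary = verdict(hits)
    out = [f"bootkit suspected: {summary['bootkit']}",
           f"persistence entries: {', '.join(summary['persistence']) or 'none'}"]
    for name, why, _pattern in RULES:
        if name in hits:
            out.append(f"[{name}] {why}")
            out.extend("    " + h for h in hits[name])
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The split matters in practice: the user-space scanners in this thread (Malwarebytes, Avira, SUPERAntiSpyware) only ever see what the hooked disk path returns, which is why they kept reporting zero or only cookie-level findings while the MBR was owned; a log with `mbr_mismatch` or `disk_io_hook` plus `hidden_sectors` says to go to an MBR-aware tool first and clean the Run keys and BHOs afterwards.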
     
  7. steveow

    steveow TS Rookie Topic Starter Posts: 69

    I'm on a different computer.
    What a mess! The earlier pastes (scans from last night) may be of little consequence because now I can't even connect to the net without being redirected to the $1000 Walmart Winner. Now after each redirection I had to unplug the computer due to freeze-up, and then I ran SUPERAntiSpyware each time and it found 70, 35 and 27 infections. At this time I'm running the Full Scan and it's finding more infections. Each time the Malwarebytes scan and Avira scan found zero infections. Interesting that I couldn't update Malwarebytes because it didn't ever do anything, but after running the first SUPERAntiSpyware scan I opened Malwarebytes and this time it ran updates. Either way there were still no infections.
    Here's something interesting regarding the firewall... during one of the restarts, which takes at least 5 minutes, I noticed my Comodo icon on the bottom right said my firewall was disabled. I opened it up and it's checked Enabled.

    I hope some of this info helps.
    signed, *^&%!!!
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Download the following program to a flash drive, then run it on the problem computer:

    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ===========================================
    If you can get on and stay long enough, run this online virus scan:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
     
  9. steveow

    steveow TS Rookie Topic Starter Posts: 69

    thanks, Bobbye

    It's 7:40 PST.
    I'll give it a go on my computer.

    FYI as it may be of importance.
    Last night I just unplugged the internet cable because it seemed infections were starting right after a reboot or a start without touching anything.
    ****So after I unplugged the cable I ran Avira, Malwarebytes Full Scan and SUPERAntiSpyware Full Scan. Avira found nothing, but the Malwarebytes Full Scan found a Trojan that Quick Scan didn't find, and of course SUPERAntiSpyware found 17 more infections. With the internet unplugged I ran Malwarebytes, TFC, GMER and DDS. There were rootkit problems. I wasn't sure whether to try and paste or not.
     
  10. steveow

    steveow TS Rookie Topic Starter Posts: 69

    ESET paste below.

    Still being redirected to "Walmart 1000 dollar Winner", however, my computer is now running faster and I'm on it :)

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=c690de05c0d0fd45a7b5e4ee0e5700b4
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-02 05:18:54
    # local_time=2010-12-01 09:18:54 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1280 16777215 100 0 0 0 0 0
    # compatibility_mode=1792 16777191 100 0 56534871 56534871 0 0
    # compatibility_mode=3586 16764926 0 1 116460142 116460142 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=108069
    # found=1
    # cleaned=1
    # scan_time=3152
    C:\Documents and Settings\steve's other documents\Local Settings\Application Data\CyberDefender\sssTbar.dll probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    esets_scanner_update returned -1 esets_gle=53251
    ******************************************************************************************************************
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please do not start any other threads about this problem. The second thread has been closed.

    Considerable searching brought about some sites to put in the restricted zone:
    Access Internet Options through the Control Panel or Tools in IE: Security tab> Restricted Sites> put each of the following in exactly as I have them> Click on Block after each:
    *.cowonglobal.com
    *.pcmike.com
    *.walmart.com

    Click on Apply> OK

    If you get a message saying any are already in another zone, Exit the Restricted Zone and enter the Trusted Sites> Sites> Remove all content in this zone.
    Then put the above sites in the Restricted Zone.

    Do you have or are you using Cowon's X7 PMS? It's portable media, like a smart phone.

    After you do this, you need to delete all of your cookies and temporary internet files. This and the above can all be done disconnected from the internet, or you can boot into Safe Mode.

    I need to see the TDSSKiller log.
    When you connect again to the internet, I'd like a new scan with Eset online virus scanner. Do not check for removal of the entries. I can do that with a special program that will remove associated files.
    ==============================================
    Just so you know: I do find it aggravating, though, that you are gone for a week, then come back and post "Back after the holiday".
    19 hours ago I asked you to run TDSSKiller.zip and the Eset online scan. You disconnected from the internet and did not run it. The directions for the Eset scan state:
    but the entries it found show "(cleaned by deleting - quarantined)"

    You have a TDL4 rootkit malware infection
    Instead of posting the log for me to check, you state:
    Ignore the SUPERAntiSpyware find of tracking cookies. They are insignificant right now. Try to get out of panic mode and work with me to get the system cleaned up. Right now you aren't able to determine what is and is not important.

    Hopefully the air is clear and we can proceed. Rootkits are very tenacious malware. They are not easy to remove and special programs have to be run.
     
     
  12. steveow

    steveow TS Rookie Topic Starter Posts: 69

    I apologize for my apparent ADHD. Running back and forth to my friends PC was crazy.
    ==================================================================
    2010/12/02 17:17:39.0234 SystemInfo:
    2010/12/02 17:17:39.0234
    2010/12/02 17:17:39.0234 OS Version: 5.1.2600 ServicePack: 3.0
    2010/12/02 17:17:39.0234 Product type: Workstation
    2010/12/02 17:17:39.0234 ComputerName: STEVE-0B6026E53
    2010/12/02 17:17:39.0234 UserName: steve r warner
    2010/12/02 17:17:39.0234 Windows directory: C:\WINDOWS
    2010/12/02 17:17:39.0234 System windows directory: C:\WINDOWS
    2010/12/02 17:17:39.0234 Processor architecture: Intel x86
    2010/12/02 17:17:39.0234 Number of processors: 2
    2010/12/02 17:17:39.0234 Page size: 0x1000
    2010/12/02 17:17:39.0234 Boot type: Normal boot
    2010/12/02 17:17:39.0234 ================================================================================
    2010/12/02 17:17:39.0515 Initialize success
    2010/12/02 17:17:44.0359 ================================================================================
    2010/12/02 17:17:44.0359 Scan started
    2010/12/02 17:17:44.0359 Mode: Manual;
    2010/12/02 17:17:44.0359 ================================================================================
    2010/12/02 17:17:46.0125 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/12/02 17:17:46.0218 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/12/02 17:17:46.0359 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/12/02 17:17:46.0453 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/12/02 17:17:46.0593 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    2010/12/02 17:17:47.0000 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/12/02 17:17:47.0250 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/12/02 17:17:47.0328 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/12/02 17:17:47.0453 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/12/02 17:17:47.0562 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/12/02 17:17:47.0718 avgio (afa456a6210abe5798561a5758517340) C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
    2010/12/02 17:17:47.0828 avgntflt (906f73c4f6b8ba5daabc41a1f04cecfe) C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
    2010/12/02 17:17:47.0937 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/12/02 17:17:48.0031 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/12/02 17:17:48.0125 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/12/02 17:17:48.0203 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/12/02 17:17:48.0281 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/12/02 17:17:48.0703 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/12/02 17:17:48.0843 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/12/02 17:17:48.0968 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/12/02 17:17:49.0046 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/12/02 17:17:49.0125 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/12/02 17:17:49.0281 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/12/02 17:17:49.0375 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2010/12/02 17:17:49.0500 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/12/02 17:17:49.0593 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2010/12/02 17:17:49.0671 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/12/02 17:17:49.0734 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2010/12/02 17:17:49.0812 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/12/02 17:17:49.0921 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
    2010/12/02 17:17:50.0000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/12/02 17:17:50.0078 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/12/02 17:17:50.0156 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2010/12/02 17:17:50.0234 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
     
  13. steveow

    steveow TS Rookie Topic Starter Posts: 69

    Here's the ESET scan:

    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=c690de05c0d0fd45a7b5e4ee0e5700b4
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-03 01:06:20
    # local_time=2010-12-02 05:06:20 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1280 16777215 100 0 0 0 0 0
    # compatibility_mode=1792 16777175 100 0 56606217 56606217 0 0
    # compatibility_mode=3586 16764926 0 1 116531488 116531488 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=114889
    # found=7
    # cleaned=0
    # scan_time=3052
    C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.D trojan 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.D trojan 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0008.dta Win64/Olmarik.A trojan 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.D trojan 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.A trojan 00000000000000000000000000000000 I

    I think it was too long, so I added this second reply.

    Thanks,
    steveow
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Was there anything after this in the TDSSKiller log?
    2010/12/02 17:18:02.0328 =======================
    2010/12/02 17:18:02.0328 Scan finished
    2010/12/02 17:18:02.0328 =========================================
    But immediately following the above is: esets_scanner_update returned -1 esets_gle=53251 and another Eset log in the next post.
    The log you left appears to have several sections saying TDSS rootkit removing tool 2.4.10.0. The end should show what was found and the action taken. That part is missing.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Files  
      C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0006.dta 
      C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0007.dta 
      C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0008.dta 
      C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0003.dta 
      C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0005.dta 
      C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0006.dta 
      C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0007.dta 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    What is the status of the system now? Any changes? Did the restrictions I had you put in stop the Walmart popup?
     
  15. steveow

    steveow TS Rookie Topic Starter Posts: 69

    Got the Paste below.
    Sorry about the missing paste. It appeared to be too long and I thought I split it up correctly.
    Anyway, my computer is working at lightning speed once again. Thank you, Bobbye.
    No more popups or spying etc. and Avira is automatically updating like it used to.

    You mentioned in your first post to remind you on how to stop this from happening in the first place. **Oh, I'm not running Cowon's X7 PMS.
    Thanks so much.

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0006.dta moved successfully.
    C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0007.dta moved successfully.
    C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0008.dta moved successfully.
    C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0003.dta moved successfully.
    C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0005.dta moved successfully.
    C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0006.dta moved successfully.
    C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0007.dta moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: All Users.WINDOWS

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User.WINDOWS
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Gabriel Warner
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService.NT AUTHORITY
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 146097451 bytes
    ->Flash cache emptied: 9480 bytes

    User: Owner

    User: steve r warner
    ->Temp folder emptied: 326658076 bytes
    ->Temporary Internet Files folder emptied: 19124968 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 18458 bytes

    User: Steve Warner
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: steve's documents

    User: steve's other documents
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 13330073 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 2482589 bytes

    Total Files Cleaned = 484.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 12032010_221133

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    So Walmart finally packed up and left! Awesome! Run this last scan for me and then I'll have you remove the cleaning tools and logs:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  17. steveow

    steveow TS Rookie Topic Starter Posts: 69

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 4:22:11 PM, on 12/4/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\COMODO\SafeSurf\cssurf.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\dlcxcoms.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\V CAST Media Manager\MEMonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\steve r warner\Desktop\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [PhotoExplosionCalCheck] C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
    O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Startup: V CAST Media Monitor.lnk = C:\Program Files\V CAST Media Manager\MEMonitor.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://svca.solidworks.com/htdocs/pdownload/edrawings/e2009sp03/cab/eModelsStandard.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
    O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

    --
    End of file - 9302 bytes
     
  18. steveow

    steveow TS Rookie Topic Starter Posts: 69

    ***** Bobbye****
    My side business is custom harmonica microphones and vintage mics and a little while ago I was searching for a rare mic (Shure PE5h) and I ended up getting hit with a few virus warnings from Avira. I immediately closed all programs and ran another virus scan that found the other 2. I assume all is good, but I pasted here to see if you think all is ok.

    The highlighted link took me to udu.3.3web.me/Shure-PE5h


    Avira AntiVir Personal
    Report file date: Saturday, December 04, 2010 18:52

    Scanning for 3118676 virus strains and unwanted programs.

    Licensed to: Avira AntiVir Personal - FREE Antivirus
    Serial number: 0000149996-ADJIE-0000001
    Platform: Windows XP
    Windows version: (Service Pack 3) [5.1.2600]
    Boot mode: Normally booted
    Username: SYSTEM
    Computer name: STEVE-0B6026E53

    Version information:
    BUILD.DAT : 8.2.0.354 17048 Bytes 2009/10/23 13:15:00
    AVSCAN.EXE : 8.1.4.10 315649 Bytes 2008/11/18 17:21:26
    AVSCAN.DLL : 8.1.4.0 40705 Bytes 2008/05/26 16:56:40
    LUKE.DLL : 8.1.4.5 164097 Bytes 2008/06/12 21:44:19
    LUKERES.DLL : 8.1.4.0 12033 Bytes 2008/05/26 16:58:52
    ANTIVIR0.VDF : 7.10.0.0 19875328 Bytes 2009/11/06 03:47:07
    ANTIVIR1.VDF : 7.10.13.83 22449008 Bytes 2010/11/02 20:36:06
    ANTIVIR2.VDF : 7.10.14.181 1668000 Bytes 2010/12/03 05:15:49
    ANTIVIR3.VDF : 7.10.14.189 37888 Bytes 2010/12/03 05:15:50
    Engineversion : 8.2.4.120
    AEVDF.DLL : 8.1.2.1 106868 Bytes 2010/08/31 18:39:53
    AESCRIPT.DLL : 8.1.3.48 1286524 Bytes 2010/12/03 04:07:56
    AESCN.DLL : 8.1.7.2 127349 Bytes 2010/11/22 23:17:29
    AESBX.DLL : 8.1.3.2 254324 Bytes 2010/11/22 23:17:28
    AERDL.DLL : 8.1.9.2 635252 Bytes 2010/09/22 17:14:05
    AEPACK.DLL : 8.2.4.1 512375 Bytes 2010/12/03 04:07:52
    AEOFFICE.DLL : 8.1.1.10 201084 Bytes 2010/11/22 23:17:26
    AEHEUR.DLL : 8.1.2.52 3109238 Bytes 2010/12/04 05:16:01
    AEHELP.DLL : 8.1.16.0 246136 Bytes 2010/12/03 04:07:38
    AEGEN.DLL : 8.1.5.0 397685 Bytes 2010/12/03 04:07:36
    AEEMU.DLL : 8.1.3.0 393589 Bytes 2010/11/22 23:17:11
    AECORE.DLL : 8.1.19.0 196984 Bytes 2010/12/03 04:07:34
    AEBB.DLL : 8.1.1.0 53618 Bytes 2010/08/31 18:39:27
    AVWINLL.DLL : 1.0.0.12 15105 Bytes 2008/07/09 17:40:05
    AVPREF.DLL : 8.0.2.0 38657 Bytes 2008/05/16 18:28:01
    AVREP.DLL : 8.0.0.7 159784 Bytes 2010/08/31 18:39:26
    AVREG.DLL : 8.0.0.1 33537 Bytes 2008/05/09 20:26:40
    AVARKT.DLL : 1.0.0.23 307457 Bytes 2008/02/12 17:29:23
    AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 2008/06/12 21:27:49
    SQLITE3.DLL : 3.3.17.1 339968 Bytes 2010/10/12 22:21:58
    SMTPLIB.DLL : 1.2.0.23 28929 Bytes 2008/06/12 21:49:40
    NETNT.DLL : 8.0.0.1 7937 Bytes 2008/01/25 21:05:10
    RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 2008/06/12 22:48:07
    RCTEXT.DLL : 8.0.52.0 86273 Bytes 2008/06/27 22:34:37

    Configuration settings for the scan:
    Jobname..........................: Complete system scan
    Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
    Logging..........................: low
    Primary action...................: interactive
    Secondary action.................: ignore
    Scan master boot sector..........: on
    Scan boot sector.................: on
    Boot sectors.....................: C:,
    Process scan.....................: on
    Scan registry....................: on
    Search for rootkits..............: off
    Scan all files...................: Intelligent file selection
    Scan archives....................: on
    Recursion depth..................: 20
    Smart extensions.................: on
    Macro heuristic..................: on
    File heuristic...................: medium

    Start of the scan: Saturday, December 04, 2010 18:52

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'iPodService.exe' - '1' Module(s) have been scanned
    Scan process 'MEMonitor.exe' - '1' Module(s) have been scanned
    Scan process 'NkbMonitor.exe' - '1' Module(s) have been scanned
    Scan process 'EasyShare.exe' - '1' Module(s) have been scanned
    Scan process 'MMonitor.exe' - '1' Module(s) have been scanned
    Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
    Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
    Scan process 'ACDaemon.exe' - '1' Module(s) have been scanned
    Scan process 'hpgs2wnf.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
    Scan process 'dlcxcoms.exe' - '1' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'hpgs2wnd.exe' - '1' Module(s) have been scanned
    Scan process 'ACService.exe' - '1' Module(s) have been scanned
    Scan process 'cssurf.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
    Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
    Scan process 'CalCheck.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    43 processes with 43 modules were scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!

    Starting to scan the registry.
    The registry was scanned ( '60' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    C:\_OTM\MovedFiles\12032010_221133\C_TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0003.dta
    [DETECTION] Is the TR/Agent.8704.76 Trojan
    [NOTE] The file was moved to '4d660ead.qua'!
    C:\_OTM\MovedFiles\12032010_221133\C_TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0005.dta
    [DETECTION] Is the TR/Alureon.12288.X Trojan
    [NOTE] The file was moved to '4d660eb0.qua'!


    End of the scan: Saturday, December 04, 2010 19:59
    Used time: 1:08:03 Hour(s)

    The scan has been done completely.

    15079 Scanning directories
    402526 Files were scanned
    2 viruses and/or unwanted programs were found
    0 Files were classified as suspicious:
    0 files were deleted
    0 files were repaired
    2 files were moved to quarantine
    0 files were renamed
    1 Files cannot be scanned
    402523 Files not concerned
    1954 Archives were scanned
    1 Warnings
    2 Notes
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The Avira Alerts probably had to do with something undesirable on the site you searched on. Perhaps in looking for something rare, you didn't have a good selection of search sites.

    And the Avira scan only showed entries that have been handled already- nothing new. Unfortunately, the AV authors don't write 'location' into their programs so even if it's not active, it shows. The TDSSKiller entries were found and quarantined and the files were moved in OTMoveIt. No longer active, but both showing in Avira.

    Do you realize that you have 6 digital imaging programs running?
    Kodak EasyShare
    Nikon PictureProject
    Hewlett-Packard\HP Share-to-Web
    ArcSoft
    PhotoExplosionCalCheck
    OLYMPUS Master

    Two of these programs, EasyShare and Nikon, are set to Global startup. That means that no matter who uses the computer or what account is used, the programs will start. Even if you use these in your side business, you can't use them all at the same time- so why have them running?
    And they're from different manufacturers. I would recommend removing them all from the startup menu and using All Programs to launch the one you want at that time. It's a big waste of resources to have these all start on boot and run in the background.

    They add up to a total of 15 entries! What do you suppose you could do with all those freed-up resources?!

    Let me know about this. If you would like to take any of the 6 off of Startup, do that and then I'll add those entries to the processes for you to check in the HijackThis log.
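    The point above about Global Startup entries and the number of entries the imaging programs add can be checked mechanically against a HijackThis log. The following Python script is an added example, not something posted in this thread or shipped with HijackThis: it parses the O4, O20 and O23 line shapes seen in the log in post 17 (the sample lines embedded in it are copied from that log), reports which entries start for every account or hook every process, and counts how many entries each product folder contributes.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v2 log format. The lines are copied from the log
# posted earlier in this thread and trimmed to the items discussed in the replies.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [PhotoExplosionCalCheck] C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - Startup: V CAST Media Monitor.lnk = C:\Program Files\V CAST Media Manager\MEMonitor.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
"""

# Line shapes HijackThis uses for the sections discussed in the thread.
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O4_LNK = re.compile(r"^O4 - (Global Startup|Startup): (.+?) = (.+)$")
O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.*?) - (.+)$")


def program_path(command):
    """Pull the executable/DLL path out of a Run-key command line or .lnk target."""
    quoted = re.match(r'^"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    bare = re.match(r"^(.+?\.(?:exe|dll))(?:\s|$)", command, re.IGNORECASE)
    return bare.group(1) if bare else command.split()[0]


def program_group(path):
    """Group key: the vendor/product folder under Program Files, else the directory."""
    parts = path.split("\\")
    low = [p.lower() for p in parts]
    if "program files" in low:
        i = low.index("program files") + 1
        if i < len(low) and low[i] == "common files":
            i += 1
        if i < len(parts) - 1:
            return parts[i]
    return "\\".join(parts[:-1]) or "(bare name, resolved via PATH)"


def parse_startup_entries(log_text):
    """Turn O4/O20/O23 lines into dicts with kind, scope, name and path."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            hive, name, cmd = m.groups()
            entries.append({"kind": "O4", "scope": hive, "name": name, "path": program_path(cmd)})
            continue
        m = O4_LNK.match(line)
        if m:
            scope, name, target = m.groups()
            entries.append({"kind": "O4", "scope": scope, "name": name, "path": program_path(target)})
            continue
        m = O20_RE.match(line)
        if m:
            key, value = m.groups()
            path = value if key == "AppInit_DLLs" else ""
            entries.append({"kind": "O20", "scope": key, "name": value, "path": path})
            continue
        m = O23_RE.match(line)
        if m:
            name, vendor, path = m.groups()
            entries.append({"kind": "O23", "scope": vendor or "(no vendor)", "name": name, "path": path})
    return entries


def review(entries):
    """(reason, name, path) for entries worth a second look, in log order."""
    findings = []
    for e in entries:
        if e["kind"] == "O4" and e["scope"] == "Global Startup":
            findings.append(("starts for every account that logs on", e["name"], e["path"]))
        elif e["kind"] == "O20" and e["scope"] == "AppInit_DLLs":
            findings.append(("DLL loaded into every process that links user32.dll", e["name"], e["path"]))
        elif e["kind"] == "O20" and "Invalid registry found" in e["name"]:
            findings.append(("dangling Winlogon Notify entry", e["name"], e["path"]))
    return findings


def entries_per_program(entries):
    """How many autostart (O4) and service (O23) entries each product contributes."""
    return Counter(program_group(e["path"]) for e in entries if e["kind"] in ("O4", "O23"))


if __name__ == "__main__":
    found = parse_startup_entries(SAMPLE_HJT_LOG)
    for reason, name, path in review(found):
        print(f"[{reason}] {name} -> {path}")
    for group, n in entries_per_program(found).most_common():
        print(f"{n:2d}  {group}")
```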
     
  20. steveow

    steveow TS Rookie Topic Starter Posts: 69

    Woh! Thanks for the info.
    You're the expert, so whatever you think is best I'll go with that.
    Now:
    Olympus was an old camera, so I just deleted it.
    Nikon?? My girlfriend had a Nikon with a lost USB cord, so I put her memory card in my Kodak camera to put her pictures on my PC and all pics were transferred back to her PC. If my PC doesn't need it then let's remove it completely.

    For my pictures: All I want to keep is PhotoExplosion and the Kodak program. I have a few hundred pics in Olympus 2, but I think all of those are in My Pictures program. As long as I know for sure all of those pics are transferred to my PC then I can remove Olympus 2 from my PC completely.

    ArcSoft....don't even know what that is. If I don't need it(?) then let's delete it off my PC.
    I have an HP scanner, but the share to web? If my PC doesn't need it then let's remove it completely from my PC.

    Q. what is Xiph.org? It's in All Programs.

    thanks,
    steveow
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If you're not using the program, it should be uninstalled. That does not mean you have to delete any of the pictures. When you transfer pictures from the camera, the Hardware Wizard will open for the camera and you allow the computer to accept it. Be sure the PlugNPlay Service is set to Automatic Startup. But any image folders won't be affected. If you have old images still on the system, you can delete what you want yourself.

    Following the processes for you to check in HJT, please refer to Startup Cleanup to finish. Please print it out to make it easier to follow.

    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (See Note 1)
    C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (See Note 2)
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (See Note 3)
    O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O20 - Winlogon Notify: !SASWinLogon - Invalid registry found (Note 2)
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    (Note 1)

    Close all Windows except HijackThis and click on "Fix Checked."
    ============================================
    Descriptions:
    Note 1:The ACDaemon is automatically started when the ArcSoft Connect application is started. This program is a non-essential system process. Removing it from startup can significantly increase your computer’s performance and reliability.

    Note 2: I'm having you remove Superantispyware because it has bad Registry entry. You can download the free version again HERE, but know that SUPERAntiSpyware Free Edition does not include real-time blocking or scheduled scanning.

    Note 3: "HP's exclusive Share-to-Web software makes it easy to share content with others through our affiliate Internet websites." In other words an application that allows users to upload scanned images to their personal webpages if desired. Available via Start -> Programs
    =================================
    Startup Cleanup
    NOTE: I'm using NAME of PROGRAM as an example below because I wanted to give you the path for a related Service. But the same path and process can be used for any program. I wanted you to understand where to look and what to do.

    • [1].Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      [2]. Take off Startup: All of the image related processes, all Askbar/Ask.com entries
    • Start> Run> type in msconfig>enter> Selective Startup> Startup menu>
    • Uncheck any process you don't want to start on boot>
    • When finished with all the unchecking> click on Apply> OK
      (Example: you decide you don't need NAME of PROGRAM to start on boot: so you Uncheck NAME of Process)

      [3]. Uninstall a program: Nikon, Olympus, ARCSoft, Askbar
    • Start> Settings> Control Panel> Add/Remove Programs> uninstall here> Close
      (But you don't want to uninstall the EasyShare so you leave it- you can start it as needed)

      [4]. Remove program folder (only if program is uninstalled (Nikon, Olympus, ARCSoft, Ask))>
    • Access Windows Explorer: Right click on Start> Explore:
    • Open My Computer> double click on Local Drive (C)> Programs
    • Find the folder for any program you uninstalled> do a right click> Delete on each folder.
    • Close Windows Explorer.

      [5]. Change Service Startup type
    • Start> Run> type in services.msc
    • Double click the Service> Change the Startup type as follows:
      [o]For a Service related to a program you will use as needed but does not start on boot> Manual (if Kodak EasyShare or PhotoExplosion has a Service, set to Manual)
      [o]For a Service related to a program you have uninstalled> Disable Startup type> stop Service (ArcSoft Connect Daemon)
    • Close Services.
    (Example: C:\Program Files\NAME has a Service that will start it automatically, but you want to change that: so you find SERVICE name in the Services and double-click: Change Automatic to Manual)

    Reboot the computer back into Normal Mode: NOTE: the first time you reboot after using msconfig, you get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    Summary:

    • [1]. Boot into Safe Mode first.
    • [2]. Uncheck the process on the Start menu to stop the process from starting on boot.
    • [3]. Uninstall any program or app you don't need or use.
    • [4]. Remove the program folder if you uninstalled the program.
    • [5]. Change any associated Service to either Disabled or Manual Startup.

    This is not complicated! It's step by step, easy to follow.
    Let me know when you've finished and we'll clean up.
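    The steps above are all done by hand in msconfig and services.msc, and a slip there (as happens later in this thread) can change the startup type of every service at once. The script below is an added example, not part of Bobbye's instructions or any TechSpot tool: it saves a snapshot of every service's startup type before you edit, restores that snapshot if something goes wrong, and lists the Run-key entries that msconfig's Startup tab is built from, flagging any whose command points into a user-writable folder for review. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the script name `Audit-Startup.ps1` and the snapshot path are assumptions.

```powershell
# Added example (not from the TechSpot thread): snapshot/restore service startup
# types and list Run-key autostarts. Assumes Windows PowerShell 2.0+, elevated.
param(
    [ValidateSet('Backup', 'Restore', 'Audit')]
    [string]$Mode = 'Backup',
    # Snapshot location is an assumption; any writable path works.
    [string]$SnapshotPath = "$env:USERPROFILE\services-startup-snapshot.csv"
)

function Save-ServiceStartupSnapshot {
    param([string]$Path)
    # Win32_Service reports StartMode as Boot, System, Auto, Manual or Disabled.
    Get-WmiObject -Class Win32_Service |
        Select-Object Name, DisplayName, StartMode, State, PathName |
        Export-Csv -Path $Path -NoTypeInformation
    Write-Host "Saved startup types of $(@(Import-Csv -Path $Path).Count) services to $Path"
}

function Restore-ServiceStartupSnapshot {
    param([string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($row.Name)'"
        if (-not $svc -or $svc.StartMode -eq $row.StartMode) { continue }
        # ChangeStartMode expects 'Automatic' even though StartMode reads back as 'Auto'.
        $wanted = if ($row.StartMode -eq 'Auto') { 'Automatic' } else { $row.StartMode }
        $ret = $svc.ChangeStartMode($wanted)
        Write-Host ("{0}: {1} -> {2} (return code {3}, 0 = success)" -f `
            $row.Name, $svc.StartMode, $wanted, $ret.ReturnValue)
    }
}

function Get-AutostartEntries {
    # These Run/RunOnce keys are what the msconfig Startup tab lists.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Autostarts whose binary lives in a user-writable folder deserve a closer look;
    # installers for legitimate software normally use Program Files or Windows.
    $userWritable = @($env:TEMP, $env:APPDATA, $env:USERPROFILE) | Where-Object { $_ }
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...) Get-ItemProperty adds.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            $hit = $userWritable | Where-Object {
                $cmd.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
            }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                Review  = [bool]$hit
            }
        }
    }
}

switch ($Mode) {
    'Backup'  { Save-ServiceStartupSnapshot -Path $SnapshotPath }
    'Restore' { Restore-ServiceStartupSnapshot -Path $SnapshotPath }
    'Audit'   {
        Get-AutostartEntries |
            Select-Object Review, Name, Command, Key |
            Sort-Object Review -Descending |
            Format-Table -AutoSize -Wrap
    }
}
```

    Run `.\Audit-Startup.ps1 -Mode Backup` before opening services.msc, then `-Mode Restore` if the startup types get scrambled; `-Mode Audit` prints the Run-key entries with the ones worth reviewing first. The 'Auto' versus 'Automatic' mapping in the restore path is a real WMI quirk, not a typo: Win32_Service reads the value back as 'Auto' but ChangeStartMode only accepts 'Automatic'.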
     
  22. steveow

    steveow TS Rookie Topic Starter Posts: 69

    OK, bobbye, it's done. However, some programs in Add/Remove would not remove while in safe mode. The ones that didn't I went to normal mode and then right back to safe mode.
    Now in safe mode Services.msc I accidentally single clicked on the manual/auto tab and everything went to auto. I then reclicked it hoping to get back to how it was, but no dice as it changed everything to manual. Not sure how, but the first 30 or 40 are in manual and then some are disabled and then the rest are auto. I don't know what to do there. Is it possible that they were restored to how they were when I got there but just in order of manual or auto?
    Most of those programs I don't even know what the heck they are.
    Now what?
     
  23. steveow

    steveow TS Rookie Topic Starter Posts: 69

    Fri. 4:22pm. I just turned my computer on for the first time since last night and that dang $1000 Walmart Winner banner appeared again. And for some reason most of the spam garbage is entering my sbcglobal.net email.
    I will head over to the restricted sites and see if that works. I'm learning
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If you didn't put these domains in the restricted Sites, please do it now.

    Where does the Walmart banner appear? When it does:
    • Click on Start> Run> type in taskmgr> OK.
    • Double click on the frame at the top of the Processes column to sort
    • Find hotfix.exe and click to Highlight >>> see if this appears
    • Click on End Task

    I need to know if Think Point is still on the system. I'd also like you to try and run the scans in Normal Mode. As you probably know, all the processes don't run in Safe Mode.

    What did you do of the instructions I gave you in my Reply #21? Did you reboot the computer after finishing it? 5 days ago, I listed entries in the HJT log to be checked. Did you do that? Then I followed with Startup Cleanup. How much of this did you do, if any?

    I "assumed" that the Walmart banner stopped after you restricted the Domains, but now it sounds like my assumption was wrong- it was only a 'coincidence', making the 'a out of you and me', as it tends to do!

    Please run the Eset scan again. It will require an internet connection.

    If you still have Combofix on the desktop, I'd like you to rescan with it, after update: Follow this since you already have it:
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
      [o] If Combofix asks you to update the program, always allow.
    • Before you click on continuing to Scan: Disable the security.
    • Click on Scan
    • A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Regarding spam in the mail-
    Isn't sbcglobal.net email web-based email? A web-based email is only as good as the filters from the ISP.
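    The Task Manager steps above (sort the Processes tab, find hotfix.exe, End Task) can be done from a prompt as well, which also shows where the binary runs from and what started it, something Task Manager on XP does not display. The script below is an added example, not from Bobbye's post or any TechSpot tool. It assumes Windows PowerShell 2.0 or later from an elevated prompt; the process name `hotfix.exe` is the one named in this thread, and the script name `Find-Process.ps1` is an assumption. It only ends the process when `-Terminate` is given, so the default run is read-only.

```powershell
# Added example (not from the TechSpot thread): report a process by image name,
# with its path, command line and parent, and optionally end it. Assumes
# Windows PowerShell 2.0+ run elevated. Default image name is from the thread.
param(
    [string]$ImageName = 'hotfix.exe',
    [switch]$Terminate
)

function Get-ProcessReport {
    param([string]$Name)
    $hits = Get-WmiObject -Class Win32_Process -Filter "Name='$Name'"
    foreach ($p in $hits) {
        $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        New-Object PSObject -Property @{
            ProcessId   = $p.ProcessId
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            # The parent may already have exited; Win32_Process then has no row for it.
            ParentName  = $(if ($parent) { $parent.Name } else { '<exited>' })
            Started     = $(if ($p.CreationDate) { $p.ConvertToDateTime($p.CreationDate) } else { $null })
        }
    }
}

function Get-ProcessesOutsideSystemDirs {
    # Processes whose image is not under Windows or Program Files are the ones to
    # look at first when a rogue program is suspected; system processes without a
    # readable path (System, Idle) are skipped.
    $trusted = @($env:windir, $env:ProgramFiles) | Where-Object { $_ }
    Get-WmiObject -Class Win32_Process |
        Where-Object { $_.ExecutablePath } |
        Where-Object {
            $path = $_.ExecutablePath
            -not ($trusted | Where-Object {
                $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
            })
        } |
        Select-Object ProcessId, Name, ExecutablePath
}

$report = @(Get-ProcessReport -Name $ImageName)
if ($report.Count -eq 0) {
    Write-Host "No running process named $ImageName"
} else {
    $report | Select-Object ProcessId, Path, CommandLine, ParentName, Started | Format-List
    if ($Terminate) {
        foreach ($r in $report) {
            # Win32_Process.Terminate is the same action as End Task in Task Manager.
            $ret = (Get-WmiObject -Class Win32_Process -Filter "ProcessId=$($r.ProcessId)").Terminate()
            Write-Host "Terminated PID $($r.ProcessId): return code $($ret.ReturnValue) (0 = success)"
        }
    }
}

Write-Host "`nProcesses running from outside $env:windir and $env:ProgramFiles:"
Get-ProcessesOutsideSystemDirs | Format-Table -AutoSize
```

    `.\Find-Process.ps1` prints the report and the list of processes running from unusual locations; `.\Find-Process.ps1 -Terminate` additionally ends every instance of the named image. The second list is the useful part when the banner reappears after a reboot: it shows which binaries are running from the user profile or temp folders, which is where the next cleanup step should look.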
     
  25. steveow

    steveow TS Rookie Topic Starter Posts: 69

    Thank you for your reply, Bobbye.
    I'm on a friend's computer. Couldn't get back Sat as I had a boat parade to attend.

    Everything was done up to #5. During that process is when it didn't go as planned. I accidentally clicked the column that turned everything into auto. I then clicked it again hoping to get a return to what it was but of course it wouldn't. The first app. 30 or so said auto and the next app. 10 or 15 said manual and then a few disabled. When I went back to normal mode there was a message that appeared with an apostrophe, a period, a bold dot and another apostrophe. The message said it could not run that set of marks "specified in the registry" I'd X it out and it would come back again.

    Normal mode gets the desktop background picture and that's it. Safe mode is very very slow and very little opens.
    Now what?
     