Solved Cannot remove "Rootkit.Agent"


jfringer

Hello,
I've tried following other postings to remove this virus, but it keeps showing up in Malwarebytes. Last week my computer got infected with "AV Security Suite". I removed that with Malwarebytes. Then I removed a Google redirect virus by following directions for using ComboFix from another posting. Please help. I followed the 8 steps yesterday. I hope you don't mind that I've attached my files. (I'm using Avira Antivir Premium and SuperAntispyware Pro.)

Thanks very much,
John
 

Attachments

  • mbam-log-2010-09-19 (19-49-42).txt (941 bytes)
  • DDS.txt (16.6 KB)
  • gmer.log (18.4 KB)
Our instructions clearly say not to run Combofix on your own!

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
Here you go:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 140):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7A52000 \WINDOWS\system32\KDCOM.DLL
0xF7962000 \WINDOWS\system32\BOOTVID.dll
0xF7552000 ayguwgiw.sys
0xF7423000 ACPI.sys
0xF7A54000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7412000 pci.sys
0xF7562000 isapnp.sys
0xF733F000 slvqka.sys
0xF7B1A000 pciide.sys
0xF77D2000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7572000 MountMgr.sys
0xF7320000 ftdisk.sys
0xF7A56000 dmload.sys
0xF72FA000 dmio.sys
0xF77DA000 PartMgr.sys
0xF7582000 VolSnap.sys
0xF72E2000 atapi.sys
0xF7212000 iastor.sys
0xF7592000 disk.sys
0xF75A2000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF71F2000 fltmgr.sys
0xF71E0000 sr.sys
0xF7A58000 DLACDBHM.SYS
0xF71C9000 DRVMCDB.SYS
0xF71B2000 KSecDD.sys
0xF7125000 Ntfs.sys
0xF70F8000 NDIS.sys
0xF70DE000 Mup.sys
0xF76C2000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF5D50000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF5D3C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF5D14000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF5CE7000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xF78A2000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF5CC3000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78AA000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF76D2000 \SystemRoot\system32\DRIVERS\IntelC53.sys
0xF5CA0000 \SystemRoot\system32\DRIVERS\ks.sys
0xF5B79000 \SystemRoot\system32\DRIVERS\IntelC51.sys
0xF5AE4000 \SystemRoot\system32\DRIVERS\IntelC52.sys
0xF78E2000 \SystemRoot\system32\DRIVERS\mohfilt.sys
0xF78B2000 \SystemRoot\System32\Drivers\Modem.SYS
0xF78BA000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF76E2000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76F2000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7702000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7C40000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7712000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6FD5000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5ACD000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7722000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7732000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78C2000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5ABC000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7742000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78CA000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78D2000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF5A8C000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7752000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF78DA000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF78EA000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A90000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5A2E000 \SystemRoot\system32\DRIVERS\update.sys
0xF7A46000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7A92000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xF70AA000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF7772000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF39B9000 \SystemRoot\system32\drivers\sthda.sys
0xF3995000 \SystemRoot\system32\drivers\portcls.sys
0xF75C2000 \SystemRoot\system32\drivers\drmk.sys
0xF2D9E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7AC4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF782A000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF6FE9000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF2D8E000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xF7AC6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C2E000 \SystemRoot\System32\Drivers\Null.SYS
0xF7AC8000 \SystemRoot\System32\Drivers\Beep.SYS
0xF783A000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
0xF7842000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF784A000 \SystemRoot\System32\drivers\vga.sys
0xF7ACC000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7ACE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7852000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF785A000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF5A26000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF0FAE000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF0F55000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF0F05000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF0EDF000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF5A16000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF0EBD000 \SystemRoot\System32\drivers\afd.sys
0xF2D4E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF2D3E000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF7862000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xF0E9B000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF786A000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF0E20000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF0DB0000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF2D1E000 \SystemRoot\System32\Drivers\Fips.SYS
0xF5EDD000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF17F1000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF08A0000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xF088C000 \SystemRoot\system32\DRIVERS\ctxusbm.sys
0xF086A000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF7AD6000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xF0F4D000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF0F41000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB2783000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB3F20000 \SystemRoot\System32\drivers\Dxapi.sys
0xB43FB000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF0C3A000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF054000 \SystemRoot\System32\ati2cqag.dll
0xBF093000 \SystemRoot\System32\atikvmag.dll
0xBF0C9000 \SystemRoot\System32\ati3duag.dll
0xBF34D000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xAF24A000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xF7642000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xEB780000 \SystemRoot\System32\Drivers\DLADResM.SYS
0xAF231000 \SystemRoot\System32\Drivers\DLAIFS_M.SYS
0xEB076000 \SystemRoot\System32\Drivers\DLAOPIOM.SYS
0xB626C000 \SystemRoot\System32\Drivers\DLAPoolM.SYS
0xF0E5B000 \SystemRoot\System32\Drivers\DLABMFSM.SYS
0xF0E4B000 \SystemRoot\System32\Drivers\DLABOIOM.SYS
0xAF21B000 \SystemRoot\System32\Drivers\DLAUDFAM.SYS
0xAF204000 \SystemRoot\System32\Drivers\DLAUDF_M.SYS
0xB58D5000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAF0FB000 \SystemRoot\System32\Drivers\HTTP.sys
0xAEE44000 \SystemRoot\system32\DRIVERS\srv.sys
0xAE9A7000 \SystemRoot\system32\drivers\wdmaud.sys
0xAED8C000 \SystemRoot\system32\drivers\sysaudio.sys
0xAE452000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xADAF0000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 55):
0 System Idle Process
4 System
988 C:\WINDOWS\system32\smss.exe
1108 csrss.exe
1168 C:\WINDOWS\system32\winlogon.exe
1244 C:\WINDOWS\system32\services.exe
1256 C:\WINDOWS\system32\lsass.exe
1476 C:\WINDOWS\system32\ati2evxx.exe
1492 C:\WINDOWS\system32\svchost.exe
1584 svchost.exe
1684 C:\WINDOWS\system32\svchost.exe
1776 svchost.exe
340 C:\WINDOWS\system32\brsvc01a.exe
380 C:\WINDOWS\system32\spoolsv.exe
408 C:\WINDOWS\system32\brss01a.exe
488 C:\Program Files\Avira\AntiVir Desktop\sched.exe
860 C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
900 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
920 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
960 C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
1072 C:\Program Files\Bonjour\mDNSResponder.exe
1076 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1116 C:\WINDOWS\system32\Brmfrmps.exe
1112 C:\WINDOWS\ehome\ehrecvr.exe
1192 C:\WINDOWS\ehome\ehSched.exe
1904 C:\WINDOWS\system32\svchost.exe
212 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
540 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
612 C:\Program Files\IObit\IObit Security 360\is360srv.exe
816 C:\Program Files\Java\jre6\bin\jqs.exe
832 C:\Program Files\Citrix\ICA Client\ssonsvr.exe
1040 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
1404 C:\Program Files\Common Files\Motive\McciCMService.exe
2200 C:\WINDOWS\system32\IoctlSvc.exe
2240 svchost.exe
2344 C:\WINDOWS\system32\searchindexer.exe
2596 mcrdsvc.exe
3280 C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
3728 C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe
4028 C:\WINDOWS\system32\dllhost.exe
4060 C:\WINDOWS\explorer.exe
2616 alg.exe
3348 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
3372 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
3636 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2680 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
3916 C:\WINDOWS\system32\ctfmon.exe
1728 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
2032 C:\Program Files\Internet Explorer\iexplore.exe
3144 C:\Program Files\Internet Explorer\iexplore.exe
2088 C:\WINDOWS\system32\svchost.exe
564 C:\WINDOWS\system32\searchprotocolhost.exe
708 C:\WINDOWS\system32\searchprotocolhost.exe
4004 searchfilterhost.exe
736 C:\Documents and Settings\John Fringer\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: ST3160828AS, Rev: 8.03

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Dell MBR code detected
SHA1: 57BDF501CE769EF2720C705B6C71C893DA31574E


Done!
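The two bare-name entries in the report above (ayguwgiw.sys and slvqka.sys) sit among the boot-start drivers, which is where a disk-stack rootkit typically loads. The script below is an added example, not code from the thread or from MBRCheck: it parses an MBRCheck-style "Kernel Drivers" section and buckets every driver that was loaded without a path and is not in a known-clean baseline, plus every driver loaded from outside the Windows directory, so a responder can account for each one. The sample lines are a constructed subset of the posted report, and KNOWN_BOOT_DRIVERS is an assumed baseline for a Dell XP SP3 image, not an authoritative list; a hit means "review", not "malicious" (the thread's fix script only names slvqka.sys).

```python
"""Added example: triage an MBRCheck-style "Kernel Drivers" listing.

Not code from the thread or from MBRCheck. SAMPLE_REPORT is a constructed
subset of the posted report; KNOWN_BOOT_DRIVERS is an assumed baseline.
"""
import re
from collections import defaultdict

# Drivers MBRCheck prints by bare filename because the boot loader maps them
# before any file system is mounted. Assumed baseline for a Dell XP SP3 image
# (the last three are OEM storage / CD-recording filter drivers).
KNOWN_BOOT_DRIVERS = {
    "acpi.sys", "pci.sys", "isapnp.sys", "pciide.sys", "mountmgr.sys",
    "ftdisk.sys", "dmload.sys", "dmio.sys", "partmgr.sys", "volsnap.sys",
    "atapi.sys", "disk.sys", "fltmgr.sys", "sr.sys", "ksecdd.sys",
    "ntfs.sys", "ndis.sys", "mup.sys",
    "iastor.sys", "dlacdbhm.sys", "drvmcdb.sys",
}

# Constructed sample: a subset of the kernel driver list from the report.
SAMPLE_REPORT = """\
Kernel Drivers (total 140):
0x804D7000 \\WINDOWS\\system32\\ntkrnlpa.exe
0xF7A52000 \\WINDOWS\\system32\\KDCOM.DLL
0xF7552000 ayguwgiw.sys
0xF7423000 ACPI.sys
0xF7412000 pci.sys
0xF733F000 slvqka.sys
0xF7B1A000 pciide.sys
0xF7212000 iastor.sys
0xF7125000 Ntfs.sys
0xF76C2000 \\SystemRoot\\system32\\DRIVERS\\intelppm.sys
0xF0E9B000 \\??\\C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.SYS
0xF7AD6000 \\??\\C:\\Program Files\\Avira\\AntiVir Desktop\\avgio.sys
0x7C900000 \\WINDOWS\\system32\\ntdll.dll

Processes (total 55):
0 System Idle Process
"""

DRIVER_LINE = re.compile(r"^0x([0-9A-Fa-f]{8})\s+(.+?)\s*$")


def parse_kernel_drivers(report):
    """Yield (load_address, image_path) from the Kernel Drivers section only."""
    in_section = False
    for line in report.splitlines():
        if line.startswith("Kernel Drivers"):
            in_section = True
            continue
        if in_section and line.startswith("Processes"):
            break
        m = DRIVER_LINE.match(line) if in_section else None
        if m:
            yield int(m.group(1), 16), m.group(2)


def triage_drivers(report, known_boot=KNOWN_BOOT_DRIVERS):
    """Bucket drivers by how they were loaded.

    boot_unknown    : bare filename (boot-start) not in the baseline; this is
                      the bucket a rootkit hooking the disk stack lands in.
    outside_windows : full path not under \\WINDOWS or \\SystemRoot, i.e.
                      third-party kernel modules (AV drivers here); listed so
                      the responder can account for each one.
    """
    buckets = defaultdict(list)
    for _addr, path in parse_kernel_drivers(report):
        name = path.rsplit("\\", 1)[-1]
        if "\\" not in path:
            if name.lower() not in known_boot:
                buckets["boot_unknown"].append(name)
        else:
            upper = path.upper()
            if not (upper.startswith("\\WINDOWS\\") or upper.startswith("\\SYSTEMROOT\\")):
                buckets["outside_windows"].append(path)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage_drivers(SAMPLE_REPORT).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

On the sample, boot_unknown comes back as ayguwgiw.sys and slvqka.sys, and outside_windows lists the two Program Files drivers; the baseline is the part a responder tunes per image.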
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
"C:\ComboFix.txt" is attached.

(file was too big to paste here.)
 

Attachments

  • ComboFix.txt (31.7 KB)
Please, uninstall Frontline Registry Cleaner and SpeedingUpMyPC
Registry tools are not recommended and here is why: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

===========================================================================

Uninstall Ask.com, known adware.

==========================================================================

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\Qwihamu.bin
c:\windows\Jdaganugazixo.dat
c:\windows\system32\drivers\slvqka.sys
c:\windows\system32\4020E6CF02.sys


Folder::
c:\documents and settings\John Fringer\Local Settings\Application Data\ppouedcto
c:\documents and settings\John Fringer\Local Settings\Application Data\upxueubln


DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\slvqka]


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
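The DDS:: section of the script above removes a ProxyServer value of http=127.0.0.1:6092, a browser proxy pointing at the infected machine itself, which is how the redirect trojan was rewriting web traffic. The script below is an added example, not code from the thread, DDS or ComboFix: it parses DDS-style "Internet Settings" lines, splits the two ProxyServer value formats Internet Explorer uses (a single host:port, or a ;-separated list of scheme=host:port entries), and flags any entry whose host is loopback. The sample lines are constructed; the loopback one mirrors the value the script above removes, and the "uInternet Settings" prefix is taken from the posted script.

```python
"""Added example: flag a hijacked browser proxy in DDS-style settings lines.

Not code from the thread, DDS or ComboFix. SAMPLE_LINES are constructed; the
127.0.0.1:6092 entry mirrors the value the CFScript above removes.
"""
import ipaddress
import re

# Constructed DDS-style lines (the "u" prefix is per-user HKCU settings).
SAMPLE_LINES = [
    "uInternet Settings,ProxyOverride = <local>",
    "uInternet Settings,ProxyServer = http=127.0.0.1:6092",
    "uInternet Settings,ProxyServer = proxy.corp.example:8080",
    "uInternet Settings,ProxyServer = http=proxy.corp.example:3128;https=proxy.corp.example:3128",
    "uInternet Settings,ProxyServer = https=[::1]:8080",
]

LINE_RE = re.compile(r"^[um]Internet Settings,(ProxyServer|ProxyOverride)\s*=\s*(.*)$")


def parse_proxy_server(value):
    """Split an IE ProxyServer value into {scheme: (host, port)}.

    Two formats exist: a single "host:port" applied to every protocol
    (returned under the "*" key), or a ";"-separated list of
    "scheme=host:port" entries.
    """
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # no "=" -> scheme ""
        host, _, port = hostport.rpartition(":")      # keeps [::1] intact
        entries[scheme or "*"] = (host.strip("[]"), int(port) if port.isdigit() else None)
    return entries


def is_local_proxy(host):
    """True when the proxy host is the machine itself.

    A loopback proxy hands every browser request to a process on the same
    box, which is the mechanism behind search-redirect infections.
    """
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_proxy_hijacks(lines):
    """Return (scheme, host, port) for every loopback proxy entry found."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(1) != "ProxyServer":
            continue
        for scheme, (host, port) in parse_proxy_server(m.group(2)).items():
            if is_local_proxy(host):
                findings.append((scheme, host, port))
    return findings


if __name__ == "__main__":
    for scheme, host, port in find_proxy_hijacks(SAMPLE_LINES):
        print(f"loopback proxy for {scheme}: {host}:{port}")
```

A corporate proxy on a real host passes; only the 127.0.0.1 and ::1 entries are reported. The same parser can be pointed at an exported HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings value once the format prefix is stripped.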
 
Looks like that did it!

Am I right? Just ran a Malwarebytes Quick Scan and no detections! mbam-log and ComboFix.txt attached. Thank you, thank you!
 

Attachments

  • ComboFix.txt (31.9 KB)
  • mbam-log-2010-09-23 (20-15-54).txt (894 bytes)
You didn't follow:
Please, uninstall Frontline Registry Cleaner and SpeedingUpMyPC

You didn't follow:
Uninstall Ask.com, known adware.

Post back, when done with the above, along with information on current computer behavior.
 
Sorry, I didn't see the Uninstall Ask.com. That's the Ask Toolbar, isn't it? (I'm removing it in "Add/Remove Programs".) I did uninstall SpeedingUpMyPC, but could not find Frontline Registry Cleaner.
 
Broni,
Computer seems to be running OK. When Windows boots, is it normal to have a black screen flash on startup with "Please select Operating System to start..." and the message, "RPCSS is starting"? I didn't get these before I had these virus/malware problems.
Thanks,
John
 
is it normal to have a black screen flash on startup with "Please select Operating System to start..."
Yes. Combofix installed the Recovery Console, a very important troubleshooting tool in the case of Windows XP.

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL.txt and Extras.txt

Broni,
Files attached. (Text is too long to paste here.)
 

Attachments

  • OTL.Txt (148 KB)
  • Extras.Txt (51.5 KB)
We need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

====================================================================

You have some Norton leftovers.
Please, run Norton Removal Tool: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Value error. File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab (Reg Error: Value error.)
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Value error.)
    O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB (Reg Error: Key error.)
    [2010/09/23 20:41:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John Fringer\Local Settings\Application Data\AskToolbar
    [2010/09/17 10:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FrontLine Registry Cleaner
    [2010/09/17 10:32:27 | 000,000,000 | ---D | C] -- C:\Program Files\Frontline Registry Cleaner
    [2010/09/13 10:33:17 | 000,000,000 | ---D | C] -- C:\Program Files\SpeedingUpMyPC
    [2008/12/21 15:05:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
    [2009/01/02 19:50:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    [2007/02/11 21:37:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2008/12/12 22:25:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John Fringer\Application Data\RegClean
    [2009/11/27 17:26:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John Fringer\Application Data\Registry Mechanic
    [2010/09/13 10:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John Fringer\Application Data\Uniblue
    [2007/02/11 21:37:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John Fringer\Application Data\Viewpoint
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C39E55C5
    @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
    
    :Services
    
    :Reg
    
    :Files
    C:\Program Files\Ask.com
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
OTL log as instructed

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
C:\Program Files\Ask.com\GenericAskToolbar.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Infodelivery\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Starting removal of ActiveX control {1F2F4C9E-6F09-47BC-970D-3C54734667FE}
C:\WINDOWS\Downloaded Program Files\LSSupCtl.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control Garmin Communicator Plug-In
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
C:\Documents and Settings\John Fringer\Local Settings\Application Data\AskToolbar folder moved successfully.
C:\Documents and Settings\All Users\Application Data\FrontLine Registry Cleaner folder moved successfully.
C:\Program Files\Frontline Registry Cleaner\RegistryDefrag\Backup folder moved successfully.
C:\Program Files\Frontline Registry Cleaner\RegistryDefrag folder moved successfully.
C:\Program Files\Frontline Registry Cleaner folder moved successfully.
C:\Program Files\SpeedingUpMyPC folder moved successfully.
C:\Documents and Settings\All Users\Application Data\SITEguard folder moved successfully.
C:\Documents and Settings\All Users\Application Data\STOPzilla!\Quarantine folder moved successfully.
C:\Documents and Settings\All Users\Application Data\STOPzilla! folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9Plus folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\Welcome\BH00 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\Welcome folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\AxMetaStream_Win folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\RegClean\Registry Backups folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\RegClean\Log folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\RegClean folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Registry Mechanic folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Uniblue\RegistryBooster\_temp folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Uniblue\RegistryBooster\history folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Uniblue\RegistryBooster\backup folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Uniblue\RegistryBooster folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Uniblue folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Viewpoint\Viewpoint Experience Technology\Resources folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Viewpoint\Viewpoint Experience Technology folder moved successfully.
C:\Documents and Settings\John Fringer\Application Data\Viewpoint folder moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C39E55C5 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Program Files\Ask.com folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: John Fringer
->Temp folder emptied: 19160964 bytes
->Temporary Internet Files folder emptied: 22649465 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 767 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 0 bytes

User: NRC Citrix
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NRC Citrix 2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NRC Citrix.D3BJHC91
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: TEMP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16639 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 156329 bytes

Total Files Cleaned = 40.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: John Fringer
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: NRC Citrix
->Flash cache emptied: 0 bytes

User: NRC Citrix 2
->Flash cache emptied: 0 bytes

User: NRC Citrix.D3BJHC91
->Flash cache emptied: 0 bytes

User: Owner

User: TEMP

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 09232010_221323

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\usgthrsvc\Perflib_Perfdata_9f4.dat not found!

Registry entries deleted on Reboot...
 
Good :)

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • IMPORTANT! UN-check Remove found threats
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
checkup.txt & ESETScan.txt files attached

I'm still infected, I see.
 

Attachments

  • ESETScan.txt
    604 bytes · Views: 2
  • checkup.txt
    818 bytes · Views: 1
No biggies here...
Two files are in the Combofix quarantine folder, which is going to be removed in a moment.
Another one is in System Restore, which will also be reset in our next step.

Now, there is one malicious file in your Outlook Express Inbox folder.
I don't want to remove a whole folder, so make sure you scan every single attachment before handling it.

Then, this:
C:\Documents and Settings\John Fringer\Desktop\Nero-7.10.1.0_eng_update.exe
If you have a legit Nero installation...

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Documents and Settings\John Fringer\Desktop\Nero-7.10.1.0_eng_update.exe
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
 
File too big (177.7 MB) to upload

I got this error message: "Maximum size exceeded: you have tried to upload a file which is larger than 20MB". Also, I deleted "Outlook Express" using "Add/Remove Windows Components" in Control Panel since I use Outlook.

I just did an Avira virus scan and attached the log. Is it normal to keep getting these virus detections?
 

Attachments

  • AVSCAN-20100924-182048-1144F64D.LOG
    22.1 KB · Views: 1
I didn't ask for Avira scan....

Is it normal to keep getting these virus detections?
It's all about your computer habits. I'll post some advice later on.

Regarding Nero...
Is your Nero legit?
Where was that update downloaded from?
 
Broni,
I'm not sure if my Nero installation is legit; I got it cheap ($5) from eBay in July 2007: "Nero 7 Premium Reloaded edit photography digital camera". Do you think I should uninstall and get another version?
Thanks,
John
 
You still didn't answer my other question.
Where did you get this update from:
C:\Documents and Settings\John Fringer\Desktop\Nero-7.10.1.0_eng_update.exe?

Do you really need Nero?
What do you use it for?
 
I found the 7/16/07 instructions for downloading it:
"Nero 7 Premium Serial Number
=======================================

Your product can be downloaded at the Nero homepage.

Goto the Nero Homepage

http://www.nero.com/nero7/eng/nero7-up.php

If you have any problems please email me for support.

Fully install and run the trial version first.

Then install a key to activate Nero 7 Premium.

Serial:


1. Click on the Nero StartSmart icon to run StartSmart.
2. Click on the fire icon on the right bottom corner to go into Product Setup.
3. Click on license then click on the add tab. Enter key.

We strongly recommend that you burn the downloaded trial version
installer on a CD and your Nero 7 Premium serial number on it. That way,
you will always have a backup.

To download user manuals for Nero 7 Premium and its components:
http://www.nero.com/link.php?topic_id=7070

For returns or exchanges please email me."

----Steven Simms [stevensimms611@yahoo.com]
 
I use Nero for copying/recording CDs. I got it because the program that came with my computer wasn't working.
 