Solved Problems with 8-step removal

[cjk1]

Hi,
I'm in the process of trying to complete the 8 steps for malware removal, but am having problems with the TFC step. Every time I try it, the program becomes unresponsive and my computer freezes. Is there an alternative program I can use for this step? Thanks for the help!

 

[Bobbye]

Try doing a Disc Cleanup from within the operating system. TFC shouldn't cause what you describe- it's to clean temporary internet files.

 

[cjk1]

Thanks. Now, I am unable to open the microsoft update page. I am repeatedly told that there is a connection problem or that the connection has been reset, but have not problems going to other sites.

 

[Bobbye]

There are frequent complaints about not being able to access the update site- with OR without malware! Try again at a different time.


If this is stopping you from doing the scans, skip it for now and go on.

 

[cjk1]

Thanks again. I skipped the windows updater and I'm attaching the logs.

 

[cjk1]

For some reason cannot attach dds.txt. Here is the first part.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 15:27:44.53 on Tue 06/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.245 [GMT -5:00]

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\zHotkey.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\windows\system32\ctfmon.exe
svchost.exe
C:\windows\eHome\ehRecvr.exe
C:\windows\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\windows\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\windows\eHome\ehmsas.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\wscntfy.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

 

[cjk1]

Sorry, i think the pasting was a dumb idea on my part. will try to attach again later, unless you have another suggestion.

 

[Bobbye]

Attaching is fine for these logs.

 

[cjk1]

Ok, here is the dds log. It would not attach after multiple attempts until I removed these lines:

Trusted Zone: microsoft.com\upd ate
Trusted Zone: microsoft.com\windows update

Not sure if it is just a weird fluke or what. Thanks so much!

(added spaces in the log lines because I also could not post them to forum without a connection reset.)

 

[Bobbye]

The system is badly infected. Malwarebytes has removed a lot of file, but there will be more. You have numerous rogue programs running- I can't tell whether you installed some hoping to clean the system or whether your security is so bad they all accessed the system!

To begin: Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..

Then Run Eset NOD32 Online AntiVirus Scanner HERE

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I'll be setting up some script to remove some entries, but I'll give Combofix the chance to remove some.
Please leave the Combofix report and Eset log in your next reply.

I suggest that you do not act on any security warning you may receive at this point, unless it's something from your antivirus program. the rogue programs put out alerts of infections and want you to click to download and remove the,. Don't!

 

[Bobbye]

Question: Are you an employee at Best Buy and do you have an Intranet set up there?

 

[cjk1]

No, not a Best Buy employee. Lots of the software, including anti-virus stuff, was installed there.

 

[Bobbye]

So maybe you bought the computer there and they set it up for you?
Or did either Best Buy or the Geek Squad give you remote help?

There are several entries for different file transfer protocols and ports and the IP is for Best Buy in Minnesota.. If you were given help in some way to load software programs on the system, I don't know of any reasons for the entries to stay.

 

[cjk1]

Yes, no reason to keep any best buy stuff. I'm attaching the combo-fix log. Here is the eset log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d6b8bee67dba0648ad3d1331785b1f73
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=false
# utc_time=2010-06-03 12:58:47
# local_time=2010-06-02 07:58:47 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=514 16776549 100 97 0 111204079 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=65471
# found=1
# cleaned=0
# scan_time=4139
C:\Qoobox\Quarantine\C\windows\uwuvabuyud.dll.vir a variant of Win32/Cimag.CM trojan

 

[Bobbye]

Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
c:\windows\Qlapohecewew.dat
c:\windows\Wjayadeh.bin
c:\program files\AntiSpywareExpert\ase.exe

Folder::
c:\documents and settings\Owner\Application Data\EMCO

Rootkit::

DDS::
BHO: {31d7d4a5-9967-4eef-8c97-b0dc673a2b76} - c:\windows\system32\nnnnKdef.dll
uRun: [VirusIsolator.exe] c:\program files\virusisolator\VirusIsolator.exe
uRun: [<NO NAME>] 
mRun: [<NO NAME>] 
mRun: [SBI] c:\documents and settings\owner\local settings\temporary internet files\content.ie5\8e31xade\install_sbd_en[1].exe
mRun: [SystemDefender] "c:\program files\systemdefender\SystemDefender.exe" hide
mRun: [AdvancedCleaner Free] "c:\program files\advancedcleaner free\UADC.exe" /min
uPolicies-explorer: ForceActiveDesktopOn = 30
uPolicies-system: DisableTaskMgr = 30
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

Extra::
File::
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
Firefox::
Firefox-: Profile- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kj7k2wnr.default\
Firefox-: prefs.js - network.proxy.ftp - 168.94.74.68
Firefox-: prefs.js - network.proxy.ftp_port - 8080
Firefox-: prefs.js - network.proxy.gopher - 168.94.74.68
Firefox-: prefs.js - network.proxy.gopher_port - 8080
Firefox-: prefs.js - network.proxy.http - 168.94.74.68
Firefox-: prefs.js - network.proxy.http_port - 8080
Firefox-: prefs.js - network.proxy.socks - 168.94.74.68
Firefox-: prefs.js - network.proxy.socks_port - 8080
Firefox-: prefs.js - network.proxy.ssl - 168.94.74.68
Firefox-: prefs.js - network.proxy.ssl_port - 8080
Firefox-: prefs.js - network.proxy.type - 4

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"=-

Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
===================

 

[cjk1]

I've been allowing the installation for the recovery console, but an error message comes up every time. Thanks again!

 

[cjk1]

My anti-virus protection is expiring tomorrow. Do you recommend that I renew, or is there something better I should be using? Thanks!

 

[Bobbye]

My anti-virus protection is expiring tomorrow. Do you recommend that I renew, or is there something better I should be using? Thanks!

It doesn't matter whether you renew or get a new antivirus program. Don't access the internet without this protection. Why have you run this so late?.

Either renew Trend Micro [n]now[/b] or put the following on: Judging by the number of malware infections you had, you need to increase your security:

All free, all good, all recommended: (choose only one AV and one firewall, 2 or more antispyware)

Have layered Security:

• Antivirus Software(only one): Both of the following programs are free and known to be good:
  [o]Avira Free
  [o]Avast Home
• Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
  [o]Comodo
  [o] Zone Alarm
• Antispyware: I recommend all of the following:
  [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  [o]IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  [o]MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  [o]Google Toolbar Get the free google toolbar to help stop pop up windows.

Security is the one area you can't afford to skimp on!

You didn't tell me what the error message was when you tried to install the recovery console. I suspect it may have said you didn't have an internet connection. If that was it, when I have you run Combofix again, don't disconnect from the internet before you do this step.

Get the AV settled- I'll come back and check the Combofix report.

 

[cjk1]

Sorry, I can't remember the exact error message. It did not say anything about the internet connection, instead something about boot enumeration. I will write it down if it pops up again. Anti-virus is taken care of now. This is not my computer (trying to help my parents), so I did not realize the subscription was almost up.

 

[Bobbye]

The Best Buy proxy entries remain. I might see them in a HijackThis log. So I'll have you run that and Malwarebytes again because of all the infections:

You can just update Mbam and scan again. Save and leave the log.

Download the HijackThis Installer HERE and save to the desktop:

1. Double-click on HJTInstall.exe to run the program.
2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
3. Accept the license agreement by clicking the "I Accept" button.
4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
5. Click "Save log" to save the log file and then the log will open in notepad.
6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

If I don't see them or can't remove them, I'll have you block the site. they need to be removed.

 

[cjk1]

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:09:04 AM, on 6/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\zHotkey.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\windows\system32\ctfmon.exe
C:\windows\eHome\ehRecvr.exe
C:\windows\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\windows\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\windows\eHome\ehmsas.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\windows\system32\msiexec.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\windows\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Bing Bar] "C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: tisspwiz.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_20.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_20.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1210977935525
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {934CEFDC-E880-446F-880F-6560F613D8AA} (FCliVer Class) - http://www.conpia.com/cab/fclient/fclient(v1.2.28.0).cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.gamehouse.com/games/babel/zylomplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8880 bytes

 

[Bobbye]

Sorry- somehow I missed you! I want to to search for a file/folder. It would likely be hidden. But I moved it once and Mbam found another entry. It's one of the many rogue spyware programs that were on the system:

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Go to the Control Panel> Add/Remove Programs> uninstall VirusIsolator

Access Windows Explorer: Windows key + E: (while still in Safe Mode)
Show Hidden Folders/Files

• Open My Computer.
  [*] Go to Tools > Folder Options.
  [*] Select the View tab.
  [*] Scroll down to Hidden files and folders.
  [*] Select Show hidden files and folders.
  [*] Uncheck (untick) Hide extensions of known file types.
  [*] Uncheck (untick) Hide protected operating system files (Recommended).
  [*] Click Yes when prompted.
  [*] Click OK.

Double click in the Local Drive (C)> Programs:
See if there is a folder for VirusIsolator. IF there is do a right click on it> then Delete.
Close Windows Explorer and reboot into Normal Mode.

Let me know if you found this either place.

 

[cjk1]

I did not find VirusIsolator in either place. Hopefully this is good news?

 

[Bobbye]

Please update and run one more Mbam scan. I don't usually repeat this, but since there were so many rogues and Mbam found one again, I want to make sure it's gone.

The do the online scan:
Run Eset NOD32 Online AntiVirus Scanner HERE

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

If these are clean, I'll have you remove the cleaning tools.

 

[cjk1]

Here is the ESET log: