Solved Trojan:DOS Alureon.A Found Windows xp 32bit

[Josh RawR]

A couple days ago I picked up this virus been trying to figure out what to do and got directed here for help please let me know if I did something wrong with this initial post
Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.11.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Josh :: RAWR [administrator]

Protection: Enabled

3/12/2013 12:34:16 PM
MBAM-log-2013-03-12 (15-21-30).txt

Scan type: Full scan (C:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 450638
Time elapsed: 2 hour(s), 46 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> No action taken.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Josh\Local Settings\Temp\1E4.tmp (Trojan.FakeMS) -> No action taken.
C:\WINDOWS\Temp\1E5.tmp (Rootkit.0Access) -> No action taken.

(end)

 

[Jay Pfoutz]

Hello, and welcome to TechSpot.

Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information

• From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
• Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
• If you have already asked for help somewhere, please post the link to the topic you were helped.
• We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
• Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

ComboFix scan

Please download ComboFix

by sUBs
From TechSpot

Direct Link (alternative)

Please save the file to your Desktop.

Important information about ComboFix


After the download:

• Close any open browsers.
• Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
• If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:

• Double click on ComboFix.exe & follow the prompts.
• When ComboFix finishes, it will produce a report for you.
• Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

 

[Josh RawR]

I couldn't turn off Malwarebytes Anti-Malware the first time I tried to run combo with it off it froze my computernot sure if this is a problem but just in case might as well let you know

ComboFix 13-03-12.02 - Josh 03/13/2013 10:16:12.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3575.2887 [GMT -6:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Josh\Local Settings\Application Data\assembly\tmp
c:\windows\EventSystem.log
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SET28.tmp
c:\windows\system32\SET86.tmp
c:\windows\system32\Thumbs.db
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2013-02-13 to 2013-03-13 )))))))))))))))))))))))))))))))
.
.
2013-03-12 18:45 . 2013-02-08 00:45 6954968 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EADC26B-7484-4B60-9CCE-682C604B2805}\mpengine.dll
2013-03-11 10:03 . 2013-03-11 10:03 -------- d-----w- c:\documents and settings\Josh\Application Data\Malwarebytes
2013-03-11 10:03 . 2013-03-11 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-03-11 10:03 . 2013-03-11 10:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-03-11 10:03 . 2012-12-14 22:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-11 09:43 . 2013-02-08 00:45 6954968 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-10 09:55 . 2013-03-10 14:34 -------- d-----w- c:\windows\Microsoft Antimalware
2013-03-10 03:38 . 2013-03-10 03:38 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-30 10:53 . 2011-06-19 03:50 232336 ------w- c:\windows\system32\MpSigStub.exe
2012-12-30 07:05 . 2009-08-18 18:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2012-12-30 07:05 . 2009-08-18 18:24 19696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-12-27 02:03 . 2012-07-21 19:46 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2012-12-27 02:03 . 2012-07-21 19:46 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2012-10-21 20:16 . 2011-07-28 02:27 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-04-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
.
c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackgroundSwitcher"="e:\progams\New Folder\John's Background Switcher\BackgroundSwitcher.exe" [2011-06-02 119104]
"Mousotron"="e:\progams\Mousotron\Mousotron.exe" [2011-11-08 492032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"RTHDCPL"="RTHDCPL.EXE" [2010-01-29 18790432]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2011-04-20 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-6-17 813584]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2012-08-29 18:03 1996200 ----a-w- e:\progams\Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Hamachi2Svc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"e:\\Progams\\Ustream\\rsrc\\Desktop Presenter.exe"=
"e:\\Games\\Steam\\steamapps\\common\\fable 3\\FableLauncher.exe"=
"e:\\Games\\Steam\\steamapps\\common\\darkspore\\DarksporeBin\\Darkspore.exe"=
"e:\\Games\\Steam\\steamapps\\common\\darkspore\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"e:\\Games\\Steam\\Steam.exe"=
"e:\\Games\\Steam\\steamapps\\common\\amnesia the dark descent\\Launcher.exe"=
"e:\\Games\\Steam\\steamapps\\common\\vampire the masquerade - bloodlines\\vampire.exe"=
"e:\\Games\\Steam\\steamapps\\common\\the witcher 2\\Launcher.exe"=
"e:\\Games\\Steam\\steamapps\\common\\dungeon defenders\\Binaries\\Win32\\DunDefGame.exe"=
"e:\\Games\\Steam\\steamapps\\common\\stalker call of pripyat\\Stalker-COP.exe"=
"e:\\Games\\Steam\\steamapps\\common\\STALKER Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"e:\\Games\\Steam\\steamapps\\common\\recettear\\recettear.exe"=
"e:\\Games\\Steam\\steamapps\\common\\recettear\\custom.exe"=
"e:\\Games\\Steam\\steamapps\\common\\sanctum\\Binaries\\Win32\\SanctumGame-Win32-Shipping.exe"=
"c:\\Program Files\\Diablo III\\Diablo III.exe"=
"e:\\Games\\Steam\\steamapps\\common\\payday the heist\\payday_win32_release.exe"=
"e:\\Games\\Steam\\steamapps\\common\\dungeon defenders\\Binaries\\Win32\\DungeonDefenders.exe"=
"e:\\Games\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"e:\\Games\\Steam\\steamapps\\common\\pineapple smash crew\\PineappleSmashCrew.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"e:\\Games\\Steam\\steamapps\\common\\TheBaconing\\TheBaconing.exe"=
"e:\\Games\\Steam\\steamapps\\common\\lone survivor\\LoneSurvivor\\LoneSurvivor.exe"=
"e:\\Games\\Steam\\steamapps\\common\\edge\\edge.exe"=
"e:\\Games\\Steam\\steamapps\\common\\the binding of isaac\\Isaac.exe"=
"e:\\Games\\Steam\\steamapps\\common\\bit.trip beat\\beat.exe"=
"e:\\Games\\Steam\\steamapps\\common\\chantelise\\chantelise.exe"=
"e:\\Games\\Steam\\steamapps\\common\\chantelise\\custom.exe"=
"e:\\Games\\Steam\\steamapps\\common\\bit.trip runner\\runner.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Splinter Cell\\system\\splintercell.exe"=
"e:\\Games\\Steam\\steamapps\\common\\insanely twisted shadow planet\\FCEngine-GFWL.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Tom Clancy's Splinter Cell Conviction\\src\\system\\conviction_game.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Splintercell Chaos Theory\\System\\splintercell3.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Splinter Cell - Double Agent\\SCDALauncher.exe"=
"e:\\Games\\Steam\\steamapps\\common\\world of goo\\WorldOfGoo.exe"=
"e:\\Games\\Steam\\steamapps\\common\\ys the oath in felghana\\ysf_win_dx9.exe"=
"e:\\Games\\Steam\\steamapps\\common\\ys the oath in felghana\\config_dx9.exe"=
"e:\\Games\\Steam\\steamapps\\common\\ys the oath in felghana\\ysf_win.exe"=
"e:\\Games\\Steam\\steamapps\\common\\ys the oath in felghana\\config.exe"=
"e:\\Games\\Steam\\steamapps\\common\\dead island\\DeadIslandGame.exe"=
"e:\\Progams\\Hamachi\\hamachi-2-ui.exe"=
"c:\\Program Files\\KudosChatSearchAgent\\KudosChatSearchAgent.exe"=
"e:\\Games\\StarCraft II\\StarCraft II.exe"=
"e:\\Games\\StarCraft II\\StarCraft II Public Test.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Borderlands 2\\Binaries\\Win32\\Borderlands2.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Shatter\\Shatter.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Shatter\\ShatterSettingsEditor.exe"=
"e:\\Games\\Steam\\steamapps\\common\\space pirates and zombies\\SpazGame.exe"=
"e:\\Games\\Steam\\steamapps\\common\\vessel\\Vessel.exe"=
"e:\\Games\\Steam\\steamapps\\common\\torchlight\\TorchED\\Editor.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.1363\\Agent.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Dustforce\\dustforce.exe"=
"e:\\Games\\Steam\\steamapps\\common\\dungeons of dredmor\\Dungeons of Dredmor.exe"=
"e:\\Games\\Steam\\steamapps\\common\\skyrim\\SkyrimLauncher.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Prototype\\prototypef.exe"=
"e:\\Games\\Steam\\steamapps\\common\\L.A.Noire\\LANLauncher.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.1544\\Agent.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Titan Quest\\Titan Quest.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Wizorb\\Wizorb.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Dawn of War Gold\\W40k.exe"=
"e:\\Games\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=
"e:\\Games\\Steam\\steamapps\\common\\red faction armageddon\\rf4_launcher.exe"=
"e:\\Games\\Steam\\steamapps\\common\\saints row the third\\game_launcher.exe"=
"e:\\Games\\Steam\\steamapps\\common\\prototype 2\\prototype2.exe"=
"e:\\Games\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Dark Souls Prepare to Die Edition\\DATA\\DARKSOULS.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Dark Souls Prepare to Die Edition\\DATA\\DATA.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Torchlight II\\Torchlight2.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Borderlands 2\\Binaries\\Win32\\Launcher.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Jamestown\\Jamestown.exe"=
"e:\\Games\\Steam\\steamapps\\common\\basement\\The Basement Collection.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\Games\\Steam\\steamapps\\common\\rage\\Rage.exe"=
"e:\\Games\\Steam\\steamapps\\common\\rage\\Rage64.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Legend of Grimrock\\grimrock.exe"=
"e:\\Games\\Steam\\steamapps\\common\\ys origin\\yso_win.exe"=
"e:\\Games\\Steam\\steamapps\\common\\ys origin\\config.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Rochard\\Rochard.exe"=
"e:\\Games\\Steam\\steamapps\\common\\The Walking Dead\\WalkingDead101.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Scribblenauts\\Scribble.exe"=
"e:\\Games\\Steam\\steamapps\\common\\Gratuitous Space Battles\\GSB.exe"=
"e:\\Games\\Steam\\steamapps\\common\\magicka\\Magicka.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58111:TCP"= 58111:TCPando Media Booster
"58111:UDP"= 58111:UDPando Media Booster
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2/3/2011 11:36 AM 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2/3/2011 11:36 AM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2/3/2011 11:36 AM 13616]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [10/16/2009 10:42 AM 319488]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [6/17/2011 5:12 PM 10384]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [3/11/2013 4:03 AM 398184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2013 4:03 AM 682344]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [8/9/2012 5:29 PM 14976]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [1/31/2013 11:38 AM 3289208]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [6/17/2009 10:55 AM 40720]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [6/17/2009 10:55 AM 10384]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 4:06 AM 21632]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/11/2013 4:03 AM 21104]
S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe --> c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [?]
S2 WSWNDA3100;WSWNDA3100;c:\program files\NETGEAR\WNDA3100v2\WifiSvc.exe [6/17/2011 10:49 AM 272864]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/17/2011 7:09 PM 1691480]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [6/17/2011 10:50 AM 642432]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [11/4/2011 7:12 PM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 6:01 PM 21248]
S3 htcusbnet;HTC USB-NDIS miniport;c:\windows\system32\drivers\htcusbnet.sys [10/4/2011 6:48 PM 128512]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [12/30/2012 12:29 AM 33792]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\drivers\MijXfilt.sys [1/2/2013 4:51 AM 95304]
S3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [10/5/2011 3:58 PM 13312]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [7/28/2012 6:22 PM 27064]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xPADFL02.sys [12/30/2011 3:37 AM 27904]
S4 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;e:\progams\Hamachi\hamachi-2.exe -s --> e:\progams\Hamachi\hamachi-2.exe -s [?]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1/8/2013 1:55 PM 161536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FC88681F-4735-4f2f-9514-C21BAC737CF8}]
2011-04-20 07:30 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1035525444-682003330-1003Core.job
- c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-17 03:55]
.
2013-03-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1035525444-682003330-1003UA.job
- c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-17 03:55]
.
2013-03-13 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-13 00:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\ka8msxxc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - ExtSQL: 2013-03-09 19:42; {0AA9101C-D3C1-4129-A9B7-D778C6A17F82}; c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\ka8msxxc.default\extensions\{0AA9101C-D3C1-4129-A9B7-D778C6A17F82}
FF - ExtSQL: 2013-03-09 19:44; rikaichan-jpen@polarcloud.com; c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\ka8msxxc.default\extensions\rikaichan-jpen@polarcloud.com
FF - user.js: extensions.claro.tlbrSrchUrl -
FF - user.js: extensions.claro.id - 280b71aa000000000000f46d049be6a2
FF - user.js: extensions.claro.appId - {C3110516-8EFC-49D6-8B72-69354F332062}
FF - user.js: extensions.claro.instlDay - 15658
FF - user.js: extensions.claro.vrsn - 1.8.3.10
FF - user.js: extensions.claro.vrsni - 1.8.3.10
FF - user.js: extensions.claro_i.vrsnTs - 1.8.3.1021:47
FF - user.js: extensions.claro.prtnrId - claro
FF - user.js: extensions.claro.prdct - claro
FF - user.js: extensions.claro.aflt - babsst
FF - user.js: extensions.claro_i.smplGrp - none
FF - user.js: extensions.claro.tlbrId - claro
FF - user.js: extensions.claro.instlRef - sst
FF - user.js: extensions.claro.dfltLng - en
FF - user.js: extensions.claro.excTlbr - false
FF - user.js: extensions.claro.admin - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Steam App 105400 - c:\program files\Steam\steam.exe
AddRemove-Steam App 105600 - c:\program files\Steam\steam.exe
AddRemove-Steam App 20920 - c:\program files\Steam\steam.exe
AddRemove-Steam App 4000 - c:\program files\Steam\steam.exe
AddRemove-Steam App 42910 - c:\program files\Steam\steam.exe
AddRemove-{92606477-9366-4D3B-8AE3-6BE4B29727AB} - c:\program files\InstallShield Installation Information\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-13 10:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD740ADFD-00NLR5 rev.21.07QR5 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-8
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B12C2E2
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1764)
c:\windows\system32\WININET.dll
c:\program files\NVIDIA Corporation\nView\nview.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\LClock\LC.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\RTHDCPL.EXE
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-03-13 10:29:37 - machine was rebooted
ComboFix-quarantined-files.txt 2013-03-13 16:29
.
Pre-Run: 14,286,417,920 bytes free
Post-Run: 14,874,488,832 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7E973916598FF8853DF8CFDE0D517F26

 

[Jay Pfoutz]

RogueKiller Scan

• Download RogueKiller from the following link and save it on your desktop:
  TechSpot
  Official Site (alternative
• Quit all programs
• Start RogueKiller.exe.
• Wait until Prescan has finished ...
• Click on Scan

• Wait for the end of the scan.
• The report has been created on the desktop.
• Click on the Delete button.

• The report has been created on the desktop.

• Next click on the ShortcutsFix
  
  
  
• The report has been created on the desktop.

Please post:

All RKreport.txt text files located on your desktop.


TDSSKiller Scan

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

 

[Josh RawR]

Tried running roguekiller.exe and im getting BSOD after it has started scanning for roughly 30 seconds

 

[Josh RawR]

Skipped roguekiller and ran tdsskiller.exe after that was through I was able to run roguekiller.exe with out BSOD hope the order doesn't matter that much o.o working on posting reports

 

[Josh RawR]

RogueKiller V8.5.2 [Mar 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Josh [Admin rights]
Mode : Scan -- Date : 03/13/2013 16:17:07
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD740ADFD-00NLR5 +++++
--- User ---
[MBR] ac86bf5e5e5dd7e90628c9f968f2469c
[BSP] cf4a54397f50ccd337fa05020572d573 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 70896 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST1500DL003-9VT16L +++++
--- User ---
[MBR] bd21da5af842582b3a5a57029d583829
[BSP] 733448e2cf01f5649d187ea1b77d83f3 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1430796 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: Kingston DataTraveler 102 USB Device +++++
--- User ---
[MBR] 7ddffbba5cf1db8d04fad6b350deed1d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 1 | Size: 30559 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_03132013_02d1617.txt >>
RKreport[1]_S_03132013_02d1617.txt

RogueKiller V8.5.2 [Mar 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Josh [Admin rights]
Mode : Remove -- Date : 03/13/2013 16:17:36
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD740ADFD-00NLR5 +++++
--- User ---
[MBR] ac86bf5e5e5dd7e90628c9f968f2469c
[BSP] cf4a54397f50ccd337fa05020572d573 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 70896 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST1500DL003-9VT16L +++++
--- User ---
[MBR] bd21da5af842582b3a5a57029d583829
[BSP] 733448e2cf01f5649d187ea1b77d83f3 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1430796 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: Kingston DataTraveler 102 USB Device +++++
--- User ---
[MBR] 7ddffbba5cf1db8d04fad6b350deed1d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 1 | Size: 30559 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_03132013_02d1617.txt >>
RKreport[1]_S_03132013_02d1617.txt ; RKreport[2]_D_03132013_02d1617.txt

 

[Josh RawR]

Tdsskiller report attached also Malwarebytes Anti-Malware has stopped giving me constant notifications about a harmful outgoing ip or something =D

 

[Josh RawR]

Fogot about fix shortcut step updated

RogueKiller V8.5.2 [Mar 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Josh [Admin rights]
Mode : Shortcuts HJfix -- Date : 03/13/2013 16:43:25
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 19 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 75 / Fail 0
My documents: Success 1 / Fail 1
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 313 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[F:] \Device\Harddisk2\DP(1)0-0+5 -- 0x2 --> Restored

Finished : << RKreport[3]_SC_03132013_02d1643.txt >>
RKreport[1]_S_03132013_02d1617.txt ; RKreport[2]_D_03132013_02d1617.txt ; RKreport[3]_SC_03132013_02d1643.txt

 

[Jay Pfoutz]

avast! aswMBR

Please download aswMBR from here

• Save aswMBR.exe to your Desktop
• Double click aswMBR.exe to run it
• Uncheck "Trace disk IO calls".
• Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

• Once the scan finishes click Save log to save the log to your Desktop
  
  
• Copy and paste the contents of aswMBR.txt back here for review
• Please also find MBR.dat on your Desktop, and rename it to MBRscan.txt. Upload that as well. Do not copy and paste MBR.dat/txt, it needs to be uploaded.

 

[Josh RawR]

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-03-13 20:27:34
-----------------------------
20:27:34.343 OS Version: Windows 5.1.2600 Service Pack 3
20:27:34.343 Number of processors: 4 586 0x2505
20:27:34.343 ComputerName: RAWR UserName: Josh
20:27:34.671 Initialize success
20:28:33.875 AVAST engine defs: 13031301
20:29:00.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-8
20:29:00.718 Disk 0 Vendor: WDC_WD740ADFD-00NLR5 21.07QR5 Size: 70911MB BusType: 3
20:29:00.718 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-1b
20:29:00.718 Disk 1 Vendor: ST1500DL003-9VT16L CC32 Size: 1430799MB BusType: 3
20:29:00.734 Disk 0 MBR read successfully
20:29:00.734 Disk 0 MBR scan
20:29:00.765 Disk 0 Windows XP default MBR code
20:29:00.765 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 70896 MB offset 63
20:29:00.765 Disk 0 scanning sectors +145195470
20:29:00.796 Disk 0 scanning C:\WINDOWS\system32\drivers
20:29:07.750 Service scanning
20:29:17.625 Modules scanning
20:29:21.359 AVAST engine scan C:\WINDOWS
20:29:25.703 AVAST engine scan C:\WINDOWS\system32
20:30:43.328 AVAST engine scan C:\WINDOWS\system32\drivers
20:30:48.687 AVAST engine scan C:\Documents and Settings\Josh
20:36:36.187 AVAST engine scan C:\Documents and Settings\All Users
20:45:28.703 Scan finished successfully
20:45:44.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Josh\Desktop\MBR.dat"
20:45:44.953 The log file has been saved successfully to "C:\Documents and Settings\Josh\Desktop\aswMBR.txt"

 

[Jay Pfoutz]

Please now run TDSSKiller again, and delete the TDSS File System.

 

[Josh RawR]

Ok now what?

 

[Jay Pfoutz]

Post new TDSSKiller log please.


Kaspersky GetSystemInfo Scan

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

Note: please close all other applications running on your system.

Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

Click the Settings button.

Set the slider to Maximum.

IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.

On the General tab, make sure all of the boxes are checked.

On the Misc tab, make sure all the checkboxes are checked.

Then, click OK on the windows that you launched.

Click Create Report to run it.

It will begin scanning.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.

 

[Josh RawR]

TDSSKiller Log attached

 

[Josh RawR]

I'm getting denied when trying to post my link for GSI Parser Report its getting called spam

Edit : Found a way to get you the link though not through conventional methods

 

[Jay Pfoutz]

Excellent work!

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

• Slow computer
• Error messages
• Fake antivirus alerts or the icon in the system tray
• svchost.exe running at 100%
• System crashes or blue screen of death

Note: Absence of issues does not mean that you're protected in the future.

 

[Josh RawR]

I haven't noticed anything thing else

 

[Jay Pfoutz]

Hi there. It all appears to be good, so we will finish up to make sure your computer is protected from malware in the future.

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

• Select Start > All Programs > Accessories > System tools > System Restore.
• On the dialogue box that appears select Create a Restore Point
• Click NEXT
• Enter a name e.g. Clean
• Click CREATE

Remove tools, temp files, old Restore Points

Please run OTL

• Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:
  
  

  :files
  ipconfig /flushdns /c
  
  :commands
  [CREATERESTOREPOINT]
  [CLEARALLRESTOREPOINTS]
  [emptyflash]
  [emptytemp]
  [emptyjava]
  [reboot]

• Then click the Run Fix button at the top.
• Note: The fix for OTL sometimes hides your Desktop and Start menu so the cleanup can be completed. Do not be alerted, as this is normal.
• It may open a log for you, but I don't need that.

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

• Click the CleanUp button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

[Josh RawR]

After clicking run fix it seems to freeze at some point tried twice now the first time I left it alone for about 20 minutes the second time being over an hour is this supposed to take a long time or is it just not working?

 

[Jay Pfoutz]

Try this instead:

CCleaner Temporary Files Cleaning

NOTE: If you already have this installed, you don't have to reinstall it.

Please download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

• Double-click the CCleaner shortcut on the desktop to start the program.
• A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
• On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
• Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

 

[Josh RawR]

Hmm well I figured out what was wrong and completed the last task you posted but only after staring at the front page for sometime waiting for a response only to noticed a few minutes ago the thread has progressed to a second page and I have been waiting for nothing

Results of screen317's Security Check version 0.99.61
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Java(TM) 6 Update 37
Java 7 Update 9
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.5.502.110
Mozilla Firefox 12.0 Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

 

[Jay Pfoutz]

Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Read more about Java exploit problems


Adobe Flash Player Update!

Please download the newest version of Adobe Flash Player from Adobe.com

Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.


Firefox update

Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs, and other holes. To update it now, click Help > About Firefox > Check for Updates.

Personal Tips on Preventing Malware

See this page for more info about malware and prevention.


Any other questions before I mark this topic solved?

 

[Jay Pfoutz]

Topic solved. √