Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Please DO NOT use this system for anything else apart from what I direct you to do until I have given you the all clear
I know you have already run MBAM but please follow these instructions:
Double click your Malwarebytes desktop icon
Click the UPDATE tab at the top
Scan for and install any updates it finds
Then choose the SCANNER tab and run a FULL SCAN
Once finished if MBAM found anything please click Show Results
Make sure EVERYTHING has a check in the box next to it and then click Remove Selected
Post the MBAM log results back to this thread
NOTE: If MBAM encounters a file that is hard to remove it will prompt for a delete on reboot, answer yes to this and once rebooted please run another scan and post that scan's log results along with the log results from before reboot which can be found under the LOGS tab of Malwarebytes.
I need to see some additional information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
A small box will open, with an explanation about the tool.
When done, DDS will open two (2) logs
1. DDS.txt
2. Attach.txt
Save both reports to your desktop.
The instructions here ask you to attach the Attach.txt.
Instead of attaching, please copy/paste both logs into your next reply.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE
Please COPY/PASTE the MBAM log and BOTH DDS logs back to this thread. Also please provide the log from the first time you ran MBAM; it can be found under the Logs tab and will be dated when you ran MBAM. And please post the MBAM log from when you ran it on your own <--- Important, I really need to see this log
Finally the DDS attach log. Again, thanks for your help and patience as I am novice at most of this
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 11/11/2008 7:37:52 AM
System Uptime: 6/6/2010 1:41:14 PM (2 hours ago)
Motherboard: Dell Inc. | | 0RY007
Processor: Intel(R) Celeron(R) CPU 450 @ 2.20GHz | Socket 775 | 2194/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 283 GiB total, 189.271 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 9.772 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
==== Installed Programs ======================
32 Bit HP CIO Components Installer Acrobat.com Adobe AIR Adobe Flash Player 10 ActiveX Adobe Reader 9 Adobe Shockwave Player 11.5 ArcSoft Software Suite Browser Address Error Redirector BufferChm CareBears Catch A Star (remove only) CCScore Compatibility Pack for the 2007 Office system Copy Defender Pro 5-in-1 Dell-eBay Dell Best of Web Dell Dock Dell Getting Started Guide Dell Support Center (Support Software) Destinations DeviceDiscovery DJ_AIO_05_F4400_Software_Min DVD Shrink 3.2 EA Download Manager EDocs ESSCDBK ESScore ESSgui ESShelp ESSini ESSPCD ESSSONIC ESSTOOLS ESSvpaht ESSvpot F4400 Google Desktop Google Toolbar for Internet Explorer Google Update Helper GoToAssist 8.0.0.514 GPBaseService2 HelloKitty (remove only) HiJackThis HLPIndex HLPRFO Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) HP Customer Participation Program 13.0 HP Deskjet F4400 Printer Driver Software 13.0 Rel .5 HP Imaging Device Functions 13.0 HP Print Projects 1.0 HP Smart Web Printing 4.60 HP Solution Center 13.0 HP Update HPPhotoGadget hpPrintProjects HPProductAssistant HPSSupply hpWLPGInstaller ImgBurn Intel(R) Graphics Media Accelerator Driver Intel(R) PRO Network Connections 12.1.11.0 Java(TM) 6 Update 7 JumpStart Artist JumpStart Explorers Kodak EasyShare software KSU LITTLEST PET SHOP™ Malwarebytes' Anti-Malware MarketResearch Microsoft .NET Framework 3.5 SP1 Microsoft Media Manager 1.5 Microsoft Office PowerPoint Viewer 2007 (English) Microsoft Picture It! 
2.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Microsoft Works MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Nikon Message Center Notifier OGA Notifier 2.0.0048.0 OTtBP OTtBPSDK PCDADDIN PCDHELP PictureProject QuickTime Realtek High Definition Audio Driver Roxio Creator Audio Roxio Creator Copy Roxio Creator Data Roxio Creator DE Roxio Creator Tools Roxio Express Labeler 3 Roxio Update Manager Scan SFR SFR2 SHASTA Shop for HP Supplies SKIN0001 SKINXSDK SmartWebPrinting SolutionCenter Spybot - Search & Destroy Status Strawberry Shortcake - Amazing Cookie Party The Digital Arts and Crafts Studio Toolbox TrayApp Update for Microsoft .NET Framework 3.5 SP1 (KB963707) VPRINTOL WebReg WinRAR archiver WIRELESS WONswap
The first thing we need to do is disable Spybot's TeaTimer function as it interferes with the tools we are going to use; instructions for disabling TeaTimer are below:
• Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
• On the left hand side, click on Tools, then click on the Resident Icon in the list.
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
• Click on the "System Startup" icon in the List.
• Uncheck the "TeaTimer" box and "OK" any prompts.
• If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
• Exit Spybot S&D when done.
• (When we are done, you can re-enable TeaTimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
Next I need you to go to programs and features in control panel and remove the below items. If they were downloaded from a trusted and reliable source then you can keep them and just skip this bit.
Start (windows icon bottom left corner of screen)
Control panel
Add/Remove programs
SKIN0001 SKINXSDK
Uninstall
Reboot PC
This next bit is very important:
Please click the Windows key (the one with the Windows icon located on the bottom left of the keyboard), copy/paste the bold writing regedit /e C:\regback.reg into the dialogue box and hit Enter. Please wait until your loading icon (hour glass/spinning circle) finishes before continuing.
Then Please download OTM by OldTimer. Save it to your desktop.
Double click OTM.exe to start the tool.
Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If the machine reboots, the Results log can be found here:
c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
Had no problem finding teatimer, etc in SpyBot. But in the next step I went into control panel and selected "uninstall a program" (there is no add/remove programs option in Vista that I am aware of). When I did this step I did not see SKIN0001 or SKINXSDK. I have no idea what they are so I do want them removed. I haven't made any further steps as I am stumped at this point. I do not see an option for "show hidden files" or anything like that when I go to the uninstall screen.
No problem. The more help the better. I will try the steps he gave me tomorrow (after 10pm here). I am off work until Friday and will have time to play around with this tomorrow and longer if needed.
My computer did not want to d/load OTM. Said it was an unsafe file but I d/loaded it anyway. I have no idea what any of this does so I am glad I have some decent help! Here are the results:
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Run\\ not found.
========== FILES ==========
C:\httpdwl.dat moved successfully.
c:\windows\system32\bdod.bin moved successfully.
========== COMMANDS ==========
OTM by OldTimer - Version 3.1.12.2 log created on 06072010_081145
Files moved on Reboot...
C:\Users\Mike\AppData\Local\Temp\Low\Google Toolbar\GoogleToolbarWelcome.log moved successfully.
File C:\Users\Mike\AppData\Local\Temp\~DF2D78.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2D82.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2E31.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2E5E.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2E9F.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2EC2.tmp not found!
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File C:\Windows\temp\flaD25F.tmp not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7ZLRYSL\ad[1].aspx not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7ZLRYSL\ad[2].aspx not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7ZLRYSL\ad[3].aspx not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7ZLRYSL\ad[4].aspx not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JA9CXCCV\7a324c767530774d384c494143546165[1].htm not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JA9CXCCV\ad_loader[1].php not found!
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JA9CXCCV\tpp[1].htm moved successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAF0Z0DX\results[1].aspx moved successfully.
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAF0Z0DX\view[1].html not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAF0Z0DX\view[2].html not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAF0Z0DX\view[3].html not found!
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WXDBQFO\ad[1].aspx moved successfully.
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WXDBQFO\pluck_1_4[1].js not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WXDBQFO\vodka-empire-1-what-vodka-empire[1].html%20 not found!
Sometimes some of the files I ask you to run will be flagged by Anti-Virus Programs as being malicious due to the capabilities of the file and what it can do. You did the right thing continuing with the download; anything I ask you to download and run should cause no harm to the system and is certainly not malicious.
YOU MUST DISABLE ALL REAL TIME PROTECTION BEFORE RUNNING THE NEXT TOOL,
Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine (instructions via links below)
Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.
Then please perform a rootkit scan:
Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to launch it
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
When the "quick" scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
Leave your system completely idle while this longer scan is in progress.
When the scan is done, save the scan log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
Exit the Program
Save the Scan log as ARK.txt and post it in your next reply.
Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.
If the ARK tool crashes your machine or causes a Blue Screen error, please post the log results from the first initial quick scan; this can be saved in the same way as the full scan in the above instructions.
Please leave all active protection disabled while running the online scan
Run an online virus scan called Kaspersky from HERE.
1. At the main page, press "Accept" after reading the contents.
2. At the next window select Update and allow the database to update. Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found they will appear in the report.
6. Select "Save error report as". Then in the file name just type in kaspersky; under "Save as type" select text (.txt). Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.
Please post the ARK log and the Kaspersky log back to this thread.
I was unable to get Kaspersky to run. It would not give me an option to "accept" it just grayed out. Maybe it takes a while? Anyway, here is the ARK.txt
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-07 17:29:19
Windows 6.0.6002 Service Pack 2
Running: vw9zkyl2.exe; Driver: C:\Users\Mike\AppData\Local\Temp\kxldypod.sys
@echo off
cls
echo................Searching for File..............
echo...............Please be patient................
rem List every copy of mouclass.sys on the system drive (all attributes, all subfolders) and write the listing to log.txt
dir /a /s "%systemdrive%\mouclass.sys" > log.txt
rem Open the listing in Notepad, then delete this batch file itself
notepad log.txt
del %0
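A cross-platform stand-in for what that batch file does, added here as an example and not the helper's own script: it walks a root directory for every copy of a named file and reports each copy's size and modification time, which is what a reviewer compares when a system driver file turns up in more than one place. The throwaway sample directory tree, the file sizes and all function names below are my own constructions.

```python
"""List every copy of a named file below a root directory, with size and
modification time.

Added example, not the helper's script: a cross-platform stand-in for the
batch file above (dir /a /s "%systemdrive%\\mouclass.sys" > log.txt).
The sample directory tree and all function names are my own constructions.
"""
import os
import tempfile
from datetime import datetime, timezone


def find_file_copies(root, filename):
    """Walk `root` and return one record per file named `filename`.

    The match is case-insensitive because NTFS is; hidden and system files
    are included because os.walk does not filter on attributes (like `dir /a`).
    """
    wanted = filename.lower()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() != wanted:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the scan
            hits.append({
                "path": path,
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
            })
    return sorted(hits, key=lambda h: h["path"])


def summarize(hits):
    """One line per copy, then a verdict: one copy of a system driver is the
    expected state; several copies, or copies of different sizes, deserve a
    closer look before anything is moved or deleted."""
    lines = [f"{h['size']:>10}  {h['mtime']:%Y-%m-%d %H:%M:%S}  {h['path']}"
             for h in hits]
    sizes = {h["size"] for h in hits}
    if not hits:
        lines.append("verdict: file not found")
    elif len(hits) == 1:
        lines.append("verdict: single copy (expected)")
    elif len(sizes) == 1:
        lines.append(f"verdict: {len(hits)} copies, identical size")
    else:
        lines.append(f"verdict: {len(hits)} copies with DIFFERENT sizes, compare them")
    return "\n".join(lines)


def build_sample_tree():
    """Constructed sample: a throwaway directory laid out like a Windows
    system drive, holding two copies of mouclass.sys of different sizes."""
    root = tempfile.mkdtemp(prefix="ark_sample_")
    drivers = os.path.join(root, "Windows", "System32", "drivers")
    stray = os.path.join(root, "Windows", "Temp")
    os.makedirs(drivers)
    os.makedirs(stray)
    with open(os.path.join(drivers, "mouclass.sys"), "wb") as f:
        f.write(b"\x00" * 2048)
    with open(os.path.join(stray, "MOUCLASS.SYS"), "wb") as f:
        f.write(b"\x00" * 3000)
    return root


if __name__ == "__main__":
    print(summarize(find_file_copies(build_sample_tree(), "mouclass.sys")))
```

Run it as-is to see the two-copy verdict on the sample tree; point `find_file_copies` at a real drive root (and a real driver name) to get the same listing the batch file writes to log.txt, with the case-insensitive match catching copies whose name differs only in capitalisation.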
I ran it and it finished almost instantly. The black box that was running said ......searching for file...... please be patient..... file not found
Again, this part was instant but about 20 seconds later the log popped up and here is what it says (and I hope I did the above right. It working so fast makes me wonder if I did it right).
Volume in drive C is OS
Volume Serial Number is 4462-9F49
You're doing really well, that was exactly what was meant to happen
PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS
Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine (instructions via links below)
Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:
Combo-fix MUST be saved to your desktop before running the tool
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
When prompted to install the recovery console please make sure to do so as this is a VERY IMPORTANT backup of Combo-fix (XP only)
You will need to be connected to the net to install the recovery console; if you can not install it DO NOT run Combo-Fix. Post back and we will install it manually.
DO NOT mouse click when Combo-Fix is running as this will cause Combo-Fix to Stall and it will not work as it should
Please include the C:\ComboFix.txt in your next reply for further review.
kevin27_b3d29f (2 Intern, 1.5K Posts) | June 6th, 2010 10:00
Hi ,
Welcome to Dell Community Malware Removal Forums,
I'm K27 and I will be reviewing your log for you.
I need to see some additional information about what is happening in your machine.
Please perform the following scan:
- Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.com
- DDS.scr
- DDS.pif
- Double click on the DDS icon, allow it to run.
- A small box will open, with an explanation about the tool.
- When done, DDS will open two (2) logs
1. DDS.txt
2. Attach.txt
Thanks
K27.
MikeInFla (39 Posts) | June 6th, 2010 14:00
Oh I forgot to mention the first MBAM that I ran was done in safe mode. The second was not (don't know if this matters or not but passing the info along to you).
MikeInFla (39 Posts) | June 6th, 2010 14:00
Thank you for your help! I am still getting the 80072EFE error along with a Windows Defender error that it will not update either. I have also noticed (as of this morning) I have blocked start-up programs but for the time being I am leaving them blocked as I do not know what they are. Here is the first of TWO MBAM logs, the first I ran in safe mode this morning:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4171
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18904
6/6/2010 8:39:45 AM
mbam-log-2010-06-06 (08-39-45).txt
Scan type: Full scan (C:\|)
Objects scanned: 251245
Time elapsed: 33 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\Mike\AppData\Local\Temp\Low\win1DD4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win1FFB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win37B9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win39FF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win3FF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win519E.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win5403.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win616.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win6B64.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win6DC9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win8286.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win8558.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win9C6B.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win9F2E.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winA1A2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winB650.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winB913.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winBAEB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winD035.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winD26B.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winEA2A.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winEC31.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winEE48.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
Here is the second one after I noticed you replied to this thread (ran just a little while ago):
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4173
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
6/6/2010 2:56:46 PM
mbam-log-2010-06-06 (14-56-46).txt
Scan type: Full scan (C:\|)
Objects scanned: 254529
Time elapsed: 56 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
And now the DDS log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Mike at 15:08:55.17 on Sun 06/06/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2036.904 [GMT -5:00]
AV: Defender Pro Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Defender Pro Internet Security *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Defender Pro Antispyware *enabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Defender Pro Internet Security *enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Defender Pro Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Defender Pro Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\AERTSrv.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mike\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://home.knology.net/index.php
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2081111
uSearch Bar =
mSearchAssistant =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Defender Pro Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ ]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\mike\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: netzero.com
Trusted Zone: netzero.net
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll c:\progra~1\google\google~2\GOEC62~1.DLL
============= SERVICES / DRIVERS ===============
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]
R2 MMIndexer;Media Manager Indexer;c:\program files\common files\microsoft shared\media manager\AIRSVCU.EXE [1997-7-15 136704]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-1 1153368]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-9-18 103944]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2008-1-20 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2008-1-20 251904]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 Arrakis3;Defender Pro Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-8-7 108176]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-11-11 30192]
=============== Created Last 30 ================
2010-06-05 15:37:17 0 d-----w- C:\MAIDEN
2010-06-04 23:44:27 0 d-----w- C:\SPIDERMAN3
2010-06-04 18:30:35 0 d-----w- c:\windows\system32\catroot2
2010-06-03 13:06:19 0 d-----w- c:\program files\Trend Micro
2010-06-02 18:07:10 0 d-----w- c:\program files\Media Manager
2010-06-02 18:06:54 0 d-----w- C:\My Pictures
2010-06-02 18:06:24 0 d-----w- c:\program files\Microsoft Picture It!
2010-06-01 21:23:13 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-28 22:29:59 132 ----a-w- C:\httpdwl.dat
2010-05-18 01:34:14 0 d-----w- c:\programdata\DVD Shrink
2010-05-18 01:34:12 0 d-----w- c:\program files\DVD Shrink
==================== Find3M ====================
2010-06-06 14:55:09 81984 ----a-w- c:\windows\system32\bdod.bin
2010-06-03 17:18:26 2656 ----a-w- c:\users\mike\appdata\roaming\wklnhst.dat
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 21:50:02 23111 ----a-w- c:\windows\hpqins15.dat
2010-02-25 00:39:00 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-25 00:39:00 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-25 00:39:00 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-14 21:53:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-09 19:15:13 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-11-28 15:52:44 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-11-28 15:52:44 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-11-28 15:52:44 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2008-11-11 21:20:25 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 15:10:13.78 ===============
Finally, the DDS Attach log. Again, thanks for your help and patience, as I am a novice at most of this.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 11/11/2008 7:37:52 AM
System Uptime: 6/6/2010 1:41:14 PM (2 hours ago)
Motherboard: Dell Inc. | | 0RY007
Processor: Intel(R) Celeron(R) CPU 450 @ 2.20GHz | Socket 775 | 2194/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 283 GiB total, 189.271 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 9.772 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
==== Installed Programs ======================
32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player 11.5
ArcSoft Software Suite
Browser Address Error Redirector
BufferChm
CareBears Catch A Star (remove only)
CCScore
Compatibility Pack for the 2007 Office system
Copy
Defender Pro 5-in-1
Dell-eBay
Dell Best of Web
Dell Dock
Dell Getting Started Guide
Dell Support Center (Support Software)
Destinations
DeviceDiscovery
DJ_AIO_05_F4400_Software_Min
DVD Shrink 3.2
EA Download Manager
EDocs
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSvpaht
ESSvpot
F4400
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
GoToAssist 8.0.0.514
GPBaseService2
HelloKitty (remove only)
HiJackThis
HLPIndex
HLPRFO
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation Program 13.0
HP Deskjet F4400 Printer Driver Software 13.0 Rel .5
HP Imaging Device Functions 13.0
HP Print Projects 1.0
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Update
HPPhotoGadget
hpPrintProjects
HPProductAssistant
HPSSupply
hpWLPGInstaller
ImgBurn
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections 12.1.11.0
Java(TM) 6 Update 7
JumpStart Artist
JumpStart Explorers
Kodak EasyShare software
KSU
LITTLEST PET SHOP™
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 3.5 SP1
Microsoft Media Manager 1.5
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Picture It! 2.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Works
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nikon Message Center
Notifier
OGA Notifier 2.0.0048.0
OTtBP
OTtBPSDK
PCDADDIN
PCDHELP
PictureProject
QuickTime
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Scan
SFR
SFR2
SHASTA
Shop for HP Supplies
SKIN0001
SKINXSDK
SmartWebPrinting
SolutionCenter
Spybot - Search & Destroy
Status
Strawberry Shortcake - Amazing Cookie Party
The Digital Arts and Crafts Studio
Toolbox
TrayApp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VPRINTOL
WebReg
WinRAR archiver
WIRELESS
WONswap
==== End Of File ===========================
kevin27_b3d29f (2 Intern, 1.5K Posts), June 6th, 2010 16:00
Hi Mikeinfla,
You are more than Welcome,
The first thing we need to do is disable Spybot's TeaTimer function, as it interferes with the tools we are going to use. Instructions for disabling TeaTimer are below:
• Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
• On the left hand side, click on Tools, then click on the Resident Icon in the list.
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
• Click on the "System Startup" icon in the List
• Uncheck the "TeaTimer" box and "OK" any prompts.
• If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
• Exit Spybot S&D when done.
• (When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
Next I need you to go to programs and features in control panel and remove the below items. If they were downloaded from a trusted and reliable source then you can keep them and just skip this bit.
SKIN0001
SKINXSDK
This next bit is very important:
Please click the Windows key (the one with the Windows icon located on the bottom left of the keyboard) > and copy/paste the bold writing regedit /e C:\regback.reg into the dialog box and hit Enter.
Please wait until your loading icon (hour glass/spinning circle) finishes before continuing.
Then Please download OTM by OldTimer. Save it to your desktop.
Double click OTM.exe to start the tool.
----------------------------------------------------------------------
:processes
explorer.exe
:reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Run]
" "=-
:files
C:\httpdwl.dat
c:\windows\system32\bdod.bin
:commands
[emptytemp]
[start explorer]
[reboot]
---------------------------------------------------------------------
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If the machine reboots, the Results log can be found here:
c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
Please post the OTM log back to this thread.
Thanks,
K27.
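The `" "=-` line in the OTM script above deletes a Run value whose name is a single space, which is the `mRun: [ ]` entry in the DDS log: legitimate installers name their autostart entries, so a blank name is a classic sign of something trying not to be noticed. The following is an added example, not code from the thread, from OTM or from DDS, showing how a helper reads the uRun/mRun (HKCU/HKLM Run) and AppInit_DLLs lines of a DDS log and flags the entries worth a second look. The sample lines are constructed in the DDS format, modelled on the log posted earlier in the thread; the "Updater" line is invented to show an autostart from a user-writable directory.

```python
import re
from typing import List, Tuple

# Constructed sample in the DDS log's own uRun/mRun/AppInit_DLLs format, modelled
# on the log posted in this thread. The "Updater" line is invented to show an
# autostart from a user-writable directory; nothing here is a real capture.
SAMPLE_DDS = r'''uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ ]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [Updater] c:\users\mike\appdata\local\temp\svchost.exe
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll
'''

# uRun = HKCU\...\Run (per user), mRun = HKLM\...\Run (machine-wide), as DDS prints them.
RUN_LINE = re.compile(r'^(?P<hive>[um]Run): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')

# Directories an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = ('\\temp\\', '\\programdata\\', '\\users\\public\\')


def image_path(cmd: str) -> str:
    """Return the executable part of a Run command: the quoted path if quoted,
    otherwise the first whitespace-delimited token (arguments are dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def audit_dds(text: str) -> List[Tuple[str, str]]:
    """Flag autostart entries a malware-removal helper would look at twice.
    Returns (log line, reason) pairs; an empty list means nothing stood out."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        if line.lower().startswith('appinit_dlls:'):
            if line.split(':', 1)[1].strip():
                findings.append((line, 'AppInit_DLLs set: these DLLs load into '
                                       'every process that links user32.dll'))
            continue
        m = RUN_LINE.match(line)
        if not m:
            continue
        name = m.group('name')
        path = image_path(m.group('cmd'))
        if not name.strip():
            # A value with a blank name is what the OTM ":reg" section above deletes.
            findings.append((line, 'Run value with an empty name'))
        elif not path:
            findings.append((line, 'Run value with no command'))
        elif '\\' not in path:
            findings.append((line, 'bare file name, resolved through the search '
                                   'path at logon rather than an explicit location'))
        elif any(d in path.lower() for d in USER_WRITABLE):
            findings.append((line, 'autostart image in a user-writable directory'))
    return findings


if __name__ == '__main__':
    for entry, why in audit_dds(SAMPLE_DDS):
        print(f'{why}\n    {entry}')
```

Run against the sample it reports four entries: the bare `RtHDVCpl.exe`, the blank-named value, the invented temp-directory autostart and the AppInit_DLLs value. The last two categories are not proof of infection on their own (the Google Desktop AppInit DLL in this thread's log is benign), which is why the helper asks for the logs rather than scripting the deletions blindly.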
MikeInFla (39 Posts), June 6th, 2010 19:00
Had no problem finding teatimer, etc in SpyBot. But in the next step I went into control panel and selected "uninstall a program" (there is no add/remove programs option in Vista that I am aware of). When I did this step I did not see SKIN0001 or SKINXSDK. I have no idea what they are so I do want them removed. I haven't made any further steps as I am stumped at this point. I do not see an option for "show hidden files" or anything like that when I go to the uninstall screen.
Thanks,
Mike
Bugbatter (3 Apprentice, 20.5K Posts), June 6th, 2010 21:00
Mike, I apologize for intruding in this thread. K27 and I are in different time zones and he is not online tonight.
These may go with your Kodak Easy Share software. Don't do anything with them until K27 has a chance to research those.
MikeInFla (39 Posts), June 6th, 2010 21:00
Bugbatter:
No problem. The more help the better. I will try the steps he gave me tomorrow (after 10pm here). I am off work until Friday and will have time to play around with this tomorrow and longer if needed.
Thanks,
Mike
kevin27_b3d29f (2 Intern, 1.5K Posts), June 7th, 2010 00:00
Hi Mikeinfla,
Bugbatter is quite right, the programs I listed to be removed are related to your Kodak software and are quite safe to keep.
It was late for me when I posted my last reply, and it was a mistake on my part. Sorry about that.
Please continue with the instructions, SKIPPING the part about removing SKIN0001 and SKINXSDK.
Thanks
K27
MikeInFla (39 Posts), June 7th, 2010 07:00
My computer did not want to d/load OTM. Said it was an unsafe file but I d/loaded it anyway. I have no idea what any of this does so I am glad I have some decent help! Here are the results:
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Run\\ not found.
========== FILES ==========
C:\httpdwl.dat moved successfully.
c:\windows\system32\bdod.bin moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Mike
->Temp folder emptied: 6496888 bytes
->Temporary Internet Files folder emptied: 117091882 bytes
->Java cache emptied: 2654986 bytes
->Flash cache emptied: 31575 bytes
User: Public
User: Rhonda
->Temp folder emptied: 4971882 bytes
->Temporary Internet Files folder emptied: 181250005 bytes
->Java cache emptied: 5149716 bytes
->Flash cache emptied: 9610 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 27738427 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 16689132 bytes
RecycleBin emptied: 14010029495 bytes
Total Files Cleaned = 13,706.00 mb
OTM by OldTimer - Version 3.1.12.2 log created on 06072010_081145
Files moved on Reboot...
C:\Users\Mike\AppData\Local\Temp\Low\Google Toolbar\GoogleToolbarWelcome.log moved successfully.
File C:\Users\Mike\AppData\Local\Temp\~DF2D78.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2D82.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2E31.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2E5E.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2E9F.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2EC2.tmp not found!
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File C:\Windows\temp\flaD25F.tmp not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7ZLRYSL\ad[1].aspx not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7ZLRYSL\ad[2].aspx not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7ZLRYSL\ad[3].aspx not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7ZLRYSL\ad[4].aspx not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JA9CXCCV\7a324c767530774d384c494143546165[1].htm not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JA9CXCCV\ad_loader[1].php not found!
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JA9CXCCV\tpp[1].htm moved successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAF0Z0DX\results[1].aspx moved successfully.
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAF0Z0DX\view[1].html not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAF0Z0DX\view[2].html not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAF0Z0DX\view[3].html not found!
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WXDBQFO\ad[1].aspx moved successfully.
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WXDBQFO\pluck_1_4[1].js not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WXDBQFO\vodka-empire-1-what-vodka-empire[1].html%20 not found!
Registry entries deleted on Reboot...
kevin27_b3d29f (2 Intern, 1.5K Posts), June 7th, 2010 11:00
Hi,
Good work.
Sometimes some of the files I ask you to run will be flagged by anti-virus programs as being malicious, due to the capabilities of the file and what it can do.
You did the right thing continuing with the download; anything I ask you to download and run should cause no harm to the system and is certainly not malicious.
YOU MUST DISABLE ALL REAL TIME PROTECTION BEFORE RUNNING THE NEXT TOOL,
Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)
Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.
Then please perform a rootkit scan:
If the ARK tool crashes your machine or causes a Blue Screen error, please post the log results from the first initial quick scan; this can be saved in the same way as the full scan in the above instructions.
Please leave all active protection disabled while running the online scan
1. Run an online virus scan called Kaspersky from HERE.
2. At the next window Select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon Select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found they will appear in the report
6. Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.
Please post the ARK log and the Kaspersky log back to this thread.
Thanks,
K27.
MikeInFla (39 Posts), June 7th, 2010 16:00
I was unable to get Kaspersky to run. It would not give me an option to "accept" it just grayed out. Maybe it takes a while? Anyway, here is the ARK.txt
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-07 17:29:19
Windows 6.0.6002 Service Pack 2
Running: vw9zkyl2.exe; Driver: C:\Users\Mike\AppData\Local\Temp\kxldypod.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwOpenProcess [0xAA054C90]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwOpenThread [0xAA054D7E]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwTerminateProcess [0xAA054BF4]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwTerminateThread [0xAA054EC4]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 3F1 81EEAB54 2 Bytes [90, 4C] {NOP ; DEC ESP}
.text ntkrnlpa.exe!KeSetEvent + 3F4 81EEAB57 1 Byte [AA]
.text ntkrnlpa.exe!KeSetEvent + 40D 81EEAB70 2 Bytes [7E, 4D] {JLE 0x4f}
.text ntkrnlpa.exe!KeSetEvent + 410 81EEAB73 1 Byte [AA]
.text ntkrnlpa.exe!KeSetEvent + 621 81EEAD84 6 Bytes [F4, 4B, 05, AA, C4, 4E]
.text ...
.rsrc C:\Windows\system32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0x8BB21014]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1312] ntdll.dll!NtProtectVirtualMemory 76EC4D34 5 Bytes JMP 0082000A
.text C:\Windows\system32\svchost.exe[1312] ntdll.dll!NtWriteVirtualMemory 76EC5674 5 Bytes JMP 0083000A
.text C:\Windows\system32\svchost.exe[1312] ntdll.dll!KiUserExceptionDispatcher 76EC5DC8 5 Bytes JMP 0081000A
.text C:\Windows\system32\svchost.exe[1312] ole32.dll!CoCreateInstance 766F9EA6 5 Bytes JMP 00A5000A
.text C:\Windows\system32\svchost.exe[1312] USER32.dll!GetCursorPos 76B10B88 5 Bytes JMP 01B8000A
.text C:\Windows\Explorer.EXE[3604] ntdll.dll!NtProtectVirtualMemory 76EC4D34 5 Bytes JMP 007D000A
.text C:\Windows\Explorer.EXE[3604] ntdll.dll!NtWriteVirtualMemory 76EC5674 5 Bytes JMP 0082000A
.text C:\Windows\Explorer.EXE[3604] ntdll.dll!KiUserExceptionDispatcher 76EC5DC8 5 Bytes JMP 007C000A
.text C:\Windows\system32\wuauclt.exe[4024] ntdll.dll!NtProtectVirtualMemory 76EC4D34 5 Bytes JMP 000E000A
.text C:\Windows\system32\wuauclt.exe[4024] ntdll.dll!NtWriteVirtualMemory 76EC5674 5 Bytes JMP 0010000A
.text C:\Windows\system32\wuauclt.exe[4024] ntdll.dll!KiUserExceptionDispatcher 76EC5DC8 5 Bytes JMP 000D000A
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe[836] @ C:\Windows\system32\WS2_32.dll [NSI.dll!NsiSetAllParameters] [77021AC8] C:\Windows\system32\NSI.dll (NSI User-mode interface DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe[836] @ C:\Windows\system32\WS2_32.dll [NSI.dll!NsiGetParameter] [770219DB] C:\Windows\system32\NSI.dll (NSI User-mode interface DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe[836] @ C:\Windows\system32\WS2_32.dll [NSI.dll!NsiGetAllParameters] [77021630] C:\Windows\system32\NSI.dll (NSI User-mode interface DLL/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73E57817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73EAA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73E5BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73E4F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73E575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73E4E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73E88395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73E5DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73E4FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73E4FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73E471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73EDCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73E7C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73E4D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73E46853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73E4687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73E52AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp bdftdif.sys
AttachedDevice \Driver\tdx \Device\Udp bdftdif.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 85A49D01
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\DRIVERS\mouclass.sys suspicious modification
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
MikeInFla (39 Posts), June 7th, 2010 21:00
Finally got Kaspersky to scan but it has been going for over 3 hours. It just finished and found nothing wrong
kevin27_b3d29f (2 Intern, 1.5K Posts), June 8th, 2010 11:00
Hi,
Even though Kaspersky came back clean, you are still infected with a rootkit called TDL3. We can remove this, but we still have work to do.
Please Open notepad and copy/paste the text between the dotted lines to the notepad page. (Note: DO NOT copy the lines, just the text between them)
==========================================================
==========================================================
Save this as search.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this:
Double click on search.bat & allow it to run.
Once the search has finished there will be a Notepad file saved to your desktop; please copy/paste the contents of the Notepad file back to me.
Thanks
K27
MikeInFla (39 Posts), June 8th, 2010 12:00
I ran it and it finished almost instantly. The black box that was running said ......searching for file...... please be patient..... file not found
Again, this part was instant but about 20 seconds later the log popped up and here is what it says (and I hope I did the above right. It working so fast makes me wonder if I did it right).
Volume in drive C is OS
Volume Serial Number is 4462-9F49
Directory of C:\Windows\System32\drivers
01/20/2008 09:23 PM 34,360 mouclass.sys
1 File(s) 34,360 bytes
Directory of C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_3dfa3917
11/02/2006 04:49 AM 31,848 mouclass.sys
1 File(s) 31,848 bytes
Directory of C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_8b7c4328
01/20/2008 09:23 PM 34,360 mouclass.sys
1 File(s) 34,360 bytes
Directory of C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6000.16609_none_4c56cf70d52c8670
01/20/2008 09:09 PM 34,360 mouclass.sys
1 File(s) 34,360 bytes
Directory of C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6000.20734_none_4cbafb05ee66fb5a
01/20/2008 09:09 PM 34,360 mouclass.sys
1 File(s) 34,360 bytes
Directory of C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6001.18000_none_4e340b7cd25b3352
01/20/2008 09:23 PM 34,360 mouclass.sys
1 File(s) 34,360 bytes
Total Files Listed:
6 File(s) 203,648 bytes
0 Dir(s) 227,067,691,008 bytes free
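The `dir` listing above is what the helper expected: every backup copy of mouclass.sys from the 6.0.6001 branch has the same 34,360-byte size as the live copy in system32\drivers, and that tells you nothing, because the GMER finding that matters was "entry point in '.rsrc' section". TDL3 infects a legitimate driver by overwriting part of its resource section with its loader and redirecting the PE entry point into it, so the file size does not change; comparing sizes (or even hashes read from inside the running system, which the rootkit can filter) is not how the infection is found. The following is an added example, not GMER's code and not from the thread, that performs that structural check on a PE image: it locates the section containing AddressOfEntryPoint and reports when that section is .rsrc or is not marked as code/executable. The images are header-only PE32 structures constructed in the script (no real driver is read); their section layout is invented.

```python
import struct
from typing import Optional, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Section layout of a small, clean-looking 32-bit driver (constructed; name,
# virtual address, virtual size, characteristics). Nothing here is a real file.
SAMPLE_SECTIONS = [
    ('.text', 0x1000, 0x2000, 0x68000020),  # code, execute, read
    ('.rsrc', 0x5000, 0x0400, 0x42000040),  # initialized data, read, discardable
]
SECTION_HDR = '<8sIIIIIIHHI'  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(entry_rva: int, sections) -> bytes:
    """Build a header-only PE32 image for testing. Real drivers carry code and
    data after the headers; the entry-point check below never needs them."""
    e_lfanew = 0x40
    dos = b'MZ' + b'\0' * (0x3C - 2) + struct.pack('<I', e_lfanew)
    size_opt = 96  # PE32 optional header without data directories
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into('<H', opt, 0, 0x10B)       # Magic: PE32
    struct.pack_into('<I', opt, 16, entry_rva)  # AddressOfEntryPoint
    table = b''.join(struct.pack(SECTION_HDR, name.encode().ljust(8, b'\0'),
                                 vsize, va, vsize, 0, 0, 0, 0, 0, chars)
                     for name, va, vsize, chars in sections)
    return dos + b'PE\0\0' + coff + bytes(opt) + table


def entry_point_section(pe: bytes) -> Tuple[int, Optional[Tuple[str, int]]]:
    """Return (AddressOfEntryPoint, (section name, characteristics)) for the
    section whose virtual range contains the entry point, or None if none does."""
    if pe[:2] != b'MZ':
        raise ValueError('not an MZ image')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('PE signature missing')
    nsec = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows the COFF header
    entry = struct.unpack_from('<I', pe, opt + 16)[0]
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_HDR, pe, opt + size_opt + 40 * i)
        name, vsize, va, chars = fields[0], fields[1], fields[2], fields[9]
        if va <= entry < va + max(vsize, 1):
            return entry, (name.rstrip(b'\0').decode('ascii', 'replace'), chars)
    return entry, None


def check_entry_point(pe: bytes) -> str:
    """GMER-style verdict: the entry point should sit in a section marked as code
    or executable; an entry point inside .rsrc is how TDL3-infected drivers look."""
    entry, hit = entry_point_section(pe)
    if hit is None:
        return f'suspicious: entry point 0x{entry:x} lies outside every section'
    name, chars = hit
    if name == '.rsrc' or not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        return f'suspicious: entry point 0x{entry:x} in non-code section {name}'
    return f'ok: entry point 0x{entry:x} in {name}'


def demo() -> Tuple[str, str]:
    """Same sections, same total size; only the entry point differs."""
    clean = build_pe(0x1234, SAMPLE_SECTIONS)
    infected = build_pe(0x5100, SAMPLE_SECTIONS)
    assert len(clean) == len(infected)
    return check_entry_point(clean), check_entry_point(infected)


if __name__ == '__main__':
    for verdict in demo():
        print(verdict)
```

To apply it to a real driver, read the file bytes and pass them to `check_entry_point`; do that from outside the infected system (a boot disc or the drive mounted elsewhere), since a kernel-mode rootkit that filters disk reads can hand an in-system reader the clean original, which is also why the helper relies on GMER's kernel-level view rather than on a `dir` or a hash taken from within Windows.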
kevin27_b3d29f (2 Intern, 1.5K Posts), June 8th, 2010 14:00
Hi Mikeinfla,
You're doing really well, that was exactly what was meant to happen.
PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS
Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)
Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:
Combo-Fix MUST be saved to your desktop before running the tool.
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
When prompted to install the Recovery Console, please make sure to do so, as it is a VERY IMPORTANT backup for Combo-Fix (XP only).
You will need to be connected to the net to install the Recovery Console; if you can not install it, DO NOT run Combo-Fix.
Post back and we will install it manually.
DO NOT mouse click when Combo-Fix is running as this will cause Combo-Fix to Stall and it will not work as it should
Please include the C:\ComboFix.txt in your next reply for further review.
Thanks