Unsolved
September 19th, 2010 02:00
Cannot run Windows Update - Error Code 80072EFE
Hi,
My computer seems to be infected by malware and I cannot get rid of it. Often getting bogus/fake virus warnings in IE. Most annoying issue is I cannot run Windows Update at all: getting Error Code 80072EFE. Can't even connect to the Windows Update website: getting error "Internet Explorer cannot display the webpage" (as if that site doesn't exist).
HJT log pasted below. Thanks for your help.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:54:27 PM, on 19/09/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\taskeng.exe
C:\Users\Mary.Mary-PC\Documents\Downloads\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Eraser] "C:\PROGRA~1\Eraser\Eraser.exe" --atRestart
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.risk.sungard.com/iNotes6W.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaseya Agent (KACLRTCH48056390693591) - Kaseya International Limited - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9524 bytes



kevinf80_1d0ac6
September 19th, 2010 04:00
I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please print or save to Notepad all instructions and follow them carefully; if there's something you don't understand or that will not work, please let me know and we will go through it together.
Malware is often buggy and can be very unstable; with that in mind, it is advisable to back up any important data before we begin.
If you do not reply within 72 hours the thread will be closed; if you need more time, let me know. Likewise, if I do not respond within 48 hours, feel free to PM me.
* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE
** If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state. That includes BitTorrent, uTorrent, etc. and similar programs.
Please proceed as follows :-
Step 1
Download and scan with CCleaner
1. Starting with v 1.27.26 (This version no. will differ), CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 24 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
In the Applications Tab:
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "Exit" when done.
Step 2
Alternative D/L mirror
Alternative D/L mirror
Double Click mbam-setup.exe to install the application.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Step 3
We need to see some additional information about what is happening in your machine.
Please perform the following scan:
2. Attach.txt
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE
Step 4
Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
What I'd like in your reply :-
Kevin
marylocke
September 19th, 2010 07:00
Hi Kevin,
Thanks for your instructions. The requested logs are below.
Kind regards - Mary
MALWAREBYTES:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4650
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943
19/09/2010 10:38:31 PM
mbam-log-2010-09-19 (22-38-31).txt
Scan type: Quick scan
Objects scanned: 162178
Time elapsed: 10 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
DDS.TXT:
DDS (Ver_09-09-29.01) - NTFSx86
Run by Mary at 22:41:31.92 on Sun 19/09/2010
Internet Explorer: 8.0.6001.18943
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2037.635 [GMT 10:00]
AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Mary.Mary-PC\Downloads\dds.com
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.smh.com.au/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=3070822
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ ]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: kaseyasp.dll
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://webmail.risk.sungard.com/iNotes6W.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - c:\windows\system32\ieframe.dll
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 KACLRTCH48056390693591;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2008-7-8 806912]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-23 179712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-9-13 102448]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2008-7-8 13824]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-19 38224]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-17 21504]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-22 30192]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-11-28 122008]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [2007-9-21 28928]
=============== Created Last 30 ================
2010-09-19 22:25
2010-09-19 22:25 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-19 22:25 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-09-19 22:25
2010-09-19 22:25
2010-09-19 22:25
2010-09-19 21:15
2010-09-06 21:28
2010-09-05 23:05
2010-09-05 09:09
2010-09-05 09:03 292,840 a------- c:\windows\system32\drivers\aueywyol.sys
2010-08-29 16:37 292,840 a------- c:\windows\system32\drivers\vdzpzltx.sys
2010-08-29 13:08
2010-08-29 11:01
2010-08-29 11:01
2010-08-29 11:01
2010-08-29 11:00
2010-08-25 22:12
==================== Find3M ====================
2010-06-26 16:05 916,480 a------- c:\windows\system32\wininet.dll
2010-06-26 16:02 109,056 a------- c:\windows\system32\iesysprep.dll
2010-06-26 16:02 71,680 a------- c:\windows\system32\iesetup.dll
2010-06-26 14:25 133,632 a------- c:\windows\system32\ieUnatt.exe
2010-06-21 23:37 2,037,760 a------- c:\windows\system32\win32k.sys
2010-05-20 22:13 143,360 a------- c:\windows\inf\infstrng.dat
2010-05-20 22:13 143,360 a------- c:\windows\inf\infstor.dat
2010-05-20 22:13 51,200 a------- c:\windows\inf\infpub.dat
2010-01-23 22:05 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-10 21:24 174 a--sh--- c:\program files\desktop.ini
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-11-07 10:50 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-04-13 10:22 16,384 a--sh--- c:\windows\system32\%appdata%\microsoft\windows\ietldcache\index.dat
2010-03-24 07:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010032420100325\index.dat
2010-04-13 10:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010041320100414\index.dat
2010-04-13 10:22 16,384 a--sh--- c:\windows\system32\config\systemprofile\desktop\%appdata%\microsoft\windows\iecompatcache\index.dat
2010-04-13 10:22 16,384 a--sh--- c:\windows\system32\config\systemprofile\desktop\%appdata%\microsoft\windows\ietldcache\index.dat
2010-04-13 10:22 65,536 a--sh--- c:\windows\system32\config\systemprofile\desktop\%appdata%\microsoft\windows\privacie\index.dat
2010-04-13 08:02 16,384 a--sh--- c:\windows\system32\config\systemprofile\documents\%appdata%\microsoft\windows\ietldcache\index.dat
2007-08-23 06:03 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT
============= FINISH: 22:45:20.91 ===============
(DDS) ATTACH.TXT:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-09-29.01)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 22/08/2007 10:10:35 PM
System Uptime: 19/09/2010 2:17:02 PM (8 hours ago)
Motherboard: Dell Inc. | | 0DT492
Processor: Intel(R) Core(TM)2 Duo CPU T5450 @ 1.66GHz | Microprocessor | 1667/166mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 136 GiB total, 79.184 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 3.141 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP555: 19/08/2010 9:53:51 AM - Scheduled Checkpoint
RP556: 20/08/2010 10:24:24 AM - Scheduled Checkpoint
RP557: 21/08/2010 10:58:24 AM - Scheduled Checkpoint
RP558: 24/08/2010 9:44:26 AM - Scheduled Checkpoint
RP577: 5/09/2010 9:38:15 AM - Scheduled Checkpoint
==== Installed Programs ======================
2007 Microsoft Office Suite Service Pack 2 (SP2)
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Avi2Dvd 0.4.5 beta
AviSynth 2.5
Bonjour
Broadcom Management Programs
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CCleaner
Conexant HDA D330 MDC V.92 Modem
Dell Network Assistant
Dell Support Center
Dell System Customization Wizard
Dell Touchpad
DellSupport
Digital Line Detect
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
E2 Sales 472
Eraser 6.0.7.1893
Google Desktop
Google Toolbar for Internet Explorer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Huge Pine USB to UART Driver
iTunes
Java(TM) 6 Update 17
Java(TM) SE Runtime Environment 6
Kaseya Agent (mary-pc.10.ljh-manly - spoc.itsupportdesk.com.au)
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware
MediaDirect
Micrografx Picture Publisher 7
Microsoft .NET Framework 3.5 SP1
Microsoft FrontPage 2000
Microsoft Image Composer 1.5
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Modem Diagnostic Tool
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
OGA Notifier 2.0.0048.0
OutlookAddinSetup
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
RuppLynx 6.2
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Sonic Activation Module
Spelling Dictionaries Support For Adobe Reader 8
SUPERAntiSpyware
Symantec AntiVirus
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb2279264)
URL Assistant
User's Guides
VNC Enterprise Edition E4.4.3
Xvid 1.1.3 final uninstall
==== Event Viewer Messages From Past Week ========
19/09/2010 2:40:57 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
19/09/2010 2:19:03 PM, Error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
18/09/2010 9:57:29 AM, Error: Service Control Manager [7022] - The KtmRm for Distributed Transaction Coordinator service hung on starting.
16/09/2010 10:43:57 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
14/09/2010 8:41:27 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
14/09/2010 8:39:01 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl
13/09/2010 6:09:03 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
==== End Of File ===========================
SECURITY CHECKS (checkup.txt):
Results of screen317's Security Check version 0.99.5
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Symantec AntiVirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 17
Java(TM) SE Runtime Environment 6
Out of date Java installed!
Adobe Flash Player
Adobe Reader 8.1.3
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
Symantec AntiVirus VPTray.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
kevinf80_1d0ac6
1.1K Posts
0
September 19th, 2010 07:00
Proceed as follows please :-
Step 1
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
Combofix
Don't forget ComboFix must be saved to your desktop. <--Very important
Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important
Please include the C:\ComboFix.txt in your next reply for further review.
Examples of how to disable realtime protection available at the following link :-
Disable realtime protection
Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.
*EXTRA NOTES*
Step 2
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Double-click SystemLook.exe to run it.
- Copy the content from between the dotted lines into the main text field:
--------------------------------------------------------
:Dir
C:\_OTM
--------------------------------------------------------
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Post the logs from Combofix and System Look in next reply please.
Kevin
marylocke
8 Posts
0
September 19th, 2010 08:00
Hi Kevin,
OK, here are the logs you requested:
COMBOFIX:
ComboFix 10-09-17.04 - Mary 20/09/2010 0:18.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2037.779 [GMT 10:00]
Running from: c:\users\Mary.Mary-PC\Desktop\ComboFix.exe
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\drivers\volmgrx.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
.
2010-09-19 14:25 . 2010-09-19 14:26 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Local\temp
2010-09-19 14:25 . 2010-09-19 14:25 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2010-09-19 14:25 . 2010-09-19 14:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Roaming\Malwarebytes
2010-09-19 12:25 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\programdata\Malwarebytes
2010-09-19 12:25 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-19 11:15 . 2010-09-19 11:15 -------- d-----w- c:\program files\CCleaner
2010-09-06 11:28 . 2010-09-06 11:32 -------- d-----w- c:\windows\system32\catroot2(1384)
2010-09-05 13:05 . 2010-09-05 13:05 -------- d-----w- C:\_OTM
2010-09-04 23:09 . 2010-09-14 02:00 -------- d-----w- C:\867e58437be2a386f20e1faceee160
2010-09-04 23:03 . 2010-09-04 23:03 292840 ----a-w- c:\windows\system32\drivers\aueywyol.sys
2010-08-29 06:37 . 2010-08-29 06:37 292840 ----a-w- c:\windows\system32\drivers\vdzpzltx.sys
2010-08-29 03:08 . 2010-09-05 10:33 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-29 01:04 . 2010-09-04 13:26 63488 ----a-w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-29 01:04 . 2010-08-29 01:04 52224 ----a-w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-29 01:04 . 2010-09-04 13:26 117760 ----a-w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-29 01:01 . 2010-08-29 01:01 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com
2010-08-29 01:01 . 2010-08-29 01:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-29 01:00 . 2010-08-29 01:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-25 12:44 . 2010-08-25 12:44 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Local\Eraser 6
2010-08-25 12:12 . 2010-08-25 12:12 -------- d-----w- c:\program files\Eraser
2010-08-25 10:05 . 2010-08-25 10:05 680 ----a-w- c:\users\Mary.Mary-PC\AppData\Local\d3d9caps.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 02:00 . 2007-08-22 12:26 -------- d-----w- c:\programdata\Microsoft Help
2010-09-14 02:00 . 2007-09-04 13:40 -------- d-----w- c:\program files\Microsoft Image Composer
2010-09-14 02:00 . 2007-09-03 13:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-14 02:00 . 2007-08-22 12:33 -------- d-----w- c:\program files\Google
2010-09-14 02:00 . 2007-08-22 12:28 -------- d-----w- c:\program files\Microsoft Works
2010-06-26 06:05 . 2010-08-16 23:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-16 23:16 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-16 23:16 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-16 23:16 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2007-08-22 20:03 . 2007-08-22 19:59 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-11 446976]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-05-21 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-21 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-21 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-21 133912]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-06 149280]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-30 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2006-11-27 134808]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-25 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2010-04-09 979344]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-22 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-8-22 45056]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-763004562-733847127-3944764089-1003]
"EnableNotificationsRef"=dword:00000002
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-30 30192]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-11-27 122008]
R3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\Drivers\usb2vcom.sys [2005-09-02 28928]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 KACLRTCH48056390693591;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [2010-04-06 806912]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-17 102448]
S3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.SYS [2010-02-25 13824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.smh.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: kaseyasp.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-20 00:26
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-763004562-733847127-3944764089-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4AF73A92-7418-F607-0CC2-65EA1A3ECF64}*]
"jakandigjcijdjiobmai"=hex:64,62,67,62,67,64,6f,6a,61,67,6a,6b,68,65,69,62,63,
68,6b,69,69,6e,63,6f,69,6b,62,65,6f,69,69,68,63,6f,6a,6d,6a,63,6e,6a,00,fe
"hajamfodneeobhaj"=hex:61,62,62,63,65,62,64,6f,6a,64,64,6b,6e,70,64,64,64,62,
6b,66,63,6f,61,6a,6b,6a,61,66,63,6f,6d,6f,62,6a,00,04
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-09-20 00:29:00
ComboFix-quarantined-files.txt 2010-09-19 14:28
Pre-Run: 84,903,649,280 bytes free
Post-Run: 84,883,566,592 bytes free
- - End Of File - - D19C61726A9DEACDD33D1B167A6B1921
SYSTEM LOOK:
SystemLook 04.09.10 by jpshortstuff
Log created at 00:35 on 20/09/2010 by Mary
Administrator - Elevation successful
========== Dir ==========
C:\_OTM - Parameters: "(none)"
---Files---
None found.
---Folders---
MovedFiles d------ [13:05 05/09/2010]
-= EOF =-
kevinf80_1d0ac6
1.1K Posts
0
September 19th, 2010 10:00
Please proceed as follows :-
Step 1
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text the dotted lines below into it:
-----------------------------------------------------------------
KillAll::
File::
c:\windows\system32\drivers\vdzpzltx.sys
c:\windows\system32\drivers\aueywyol.sys
Folder::
C:\867e58437be2a386f20e1faceee160
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 0 (0x0)
RegNull::
[HKEY_USERS\S-1-5-21-763004562-733847127-3944764089-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4AF73A92-7418-F607-0CC2-65EA1A3ECF64}*]
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
-----------------------------------------------------------------
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Step 2
Run an online virus scan with Kaspersky from HERE. This scan is very thorough and may take several hours to run, please allow it to complete.
1. At the main page, press "Accept" after reading the contents.
2. At the next window, select Update. Allow the database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the database has finished, under the Scan icon select My Computer to start the scan.
4. Select Scan Report.
5. If any threats were found they will appear in the report.
6. Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.
The following animation may help.
Kaspersky Gif
Post logs from Combofix and Kaspersky in your reply, also give update on system. Any issues?
Kevin
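Added example, not code from this thread or from ComboFix: a small Python triage script that reads the same ComboFix log entries the CFScript above acts on, flagging the policy values that weaken the machine (UAC off, Automatic Updates off by policy, Security Center monitoring off) and listing every kernel driver created in the reporting window, including the two identically sized .sys files named in the File:: section. The section headers and value renderings are the ones ComboFix prints; the regular expressions, the WEAK_VALUES table and the sample log excerpt are constructed here.

```python
"""Triage helper for a ComboFix log: flag policy values that weaken the
machine and list kernel drivers created in the reporting window.

Added example, not part of the forum thread and not ComboFix code. The
section headers and value renderings are those ComboFix prints; the
regular expressions and the WEAK_VALUES table are assumptions made here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (key fragment, value name, bad value) -> what that setting means.
# Fragments are matched as substrings of the lower-cased registry key path.
WEAK_VALUES = {
    ("policies\\system", "EnableLUA", "0"): "UAC disabled",
    ("windowsupdate\\au", "NoAutoUpdate", "1"): "Automatic Updates disabled by policy",
    ("security center\\monitoring", "DisableMonitoring", "1"):
        "Security Center monitoring of a product disabled",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
# "created . modified size attrs path", e.g.
# 2010-09-04 23:03 . 2010-09-04 23:03 292840 ----a-w- c:\windows\system32\drivers\aueywyol.sys
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)


@dataclass
class Finding:
    category: str   # "policy", "driver" or "disinfected"
    detail: str
    evidence: str   # the log line the finding came from


def normalize_value(raw: str) -> str:
    """Render ComboFix value forms ('0 (0x0)', 'dword:00000001') as a decimal string."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    parts = raw.split()
    if not parts:
        return raw
    return str(int(parts[0])) if parts[0].isdigit() else raw


def analyze_combofix_log(text: str) -> list[Finding]:
    """Walk the log once; registry findings need the enclosing [key] line."""
    findings: list[Finding] = []
    current_key = ""
    in_created = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("((("):                 # section boundary
            in_created = "Files Created" in line
            continue
        if line.startswith("----"):
            in_created = False
        if "was found and disinfected" in line:     # ComboFix replaced a patched system file
            findings.append(Finding("disinfected", line, line))
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group("key").lower()
            continue
        if (m := VALUE_RE.match(line)) and current_key:
            value = normalize_value(m.group("value"))
            for (fragment, name, bad), meaning in WEAK_VALUES.items():
                if fragment in current_key and m.group("name") == name and value == bad:
                    findings.append(Finding("policy", meaning, line))
            continue
        if in_created and (m := CREATED_RE.match(line)):
            path = m.group("path")
            # Every new .sys under \drivers\ is listed for review; legitimate ones
            # (an anti-malware product's own drivers, for instance) show up too.
            if "\\drivers\\" in path.lower() and path.lower().endswith(".sys"):
                findings.append(Finding("driver", f"new kernel driver {path} ({m.group('size')} bytes)", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed excerpt modelled on the log posted in the thread (not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\drivers\volmgrx.sys was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
.
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\programdata\Malwarebytes
2010-09-19 12:25 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-04 23:03 . 2010-09-04 23:03 292840 ----a-w- c:\windows\system32\drivers\aueywyol.sys
2010-08-29 06:37 . 2010-08-29 06:37 292840 ----a-w- c:\windows\system32\drivers\vdzpzltx.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""


if __name__ == "__main__":
    results = analyze_combofix_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.category}] {f.detail}")
    print(summarize(results))   # {'disinfected': 1, 'driver': 3, 'policy': 3}
```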
marylocke
8 Posts
0
September 20th, 2010 15:00
Hi Kevin,
Looks like your magic has worked. I can now run a Windows Update, and I have - so far - not seen any of those fake virus warnings.
Logs below:
ComboFix 10-09-17.04 - Mary 20/09/2010 23:24:34.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2037.947 [GMT 10:00]
Running from: c:\users\Mary.Mary-PC\Desktop\ComboFix.exe
Command switches used :: c:\users\Mary.Mary-PC\Desktop\CFScript.txt
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
FILE ::
"c:\windows\system32\drivers\aueywyol.sys"
"c:\windows\system32\drivers\vdzpzltx.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\867e58437be2a386f20e1faceee160
c:\867e58437be2a386f20e1faceee160\mrt.exe
c:\867e58437be2a386f20e1faceee160\mrtstub.exe
c:\windows\system32\drivers\aueywyol.sys
c:\windows\system32\drivers\vdzpzltx.sys
.
((((((((((((((((((((((((( Files Created from 2010-08-20 to 2010-09-20 )))))))))))))))))))))))))))))))
.
2010-09-20 13:30 . 2010-09-20 13:35 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Local\temp
2010-09-20 13:30 . 2010-09-20 13:30 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2010-09-20 13:30 . 2010-09-20 13:30 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-20 13:30 . 2010-09-20 13:30 -------- d-----w- c:\users\Mary(7)\AppData\Local\temp
2010-09-20 13:30 . 2010-09-20 13:30 -------- d-----w- c:\users\Mary(6)\AppData\Local\temp
2010-09-20 13:30 . 2010-09-20 13:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-20 13:30 . 2010-09-20 13:30 -------- d-----w- c:\users\Mary\AppData\Local\temp
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Roaming\Malwarebytes
2010-09-19 12:25 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\programdata\Malwarebytes
2010-09-19 12:25 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-19 11:15 . 2010-09-19 11:15 -------- d-----w- c:\program files\CCleaner
2010-09-06 11:28 . 2010-09-06 11:32 -------- d-----w- c:\windows\system32\catroot2(1384)
2010-09-05 13:05 . 2010-09-05 13:05 -------- d-----w- C:\_OTM
2010-08-29 03:08 . 2010-09-05 10:33 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-29 01:04 . 2010-09-04 13:26 63488 ----a-w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-29 01:04 . 2010-08-29 01:04 52224 ----a-w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-29 01:04 . 2010-09-04 13:26 117760 ----a-w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-29 01:01 . 2010-08-29 01:01 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com
2010-08-29 01:01 . 2010-08-29 01:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-29 01:00 . 2010-08-29 01:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-25 12:44 . 2010-08-25 12:44 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Local\Eraser 6
2010-08-25 12:12 . 2010-08-25 12:12 -------- d-----w- c:\program files\Eraser
2010-08-25 10:05 . 2010-08-25 10:05 680 ----a-w- c:\users\Mary.Mary-PC\AppData\Local\d3d9caps.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 02:00 . 2007-08-22 12:26 -------- d-----w- c:\programdata\Microsoft Help
2010-09-14 02:00 . 2007-09-04 13:40 -------- d-----w- c:\program files\Microsoft Image Composer
2010-09-14 02:00 . 2007-09-03 13:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-14 02:00 . 2007-08-22 12:33 -------- d-----w- c:\program files\Google
2010-09-14 02:00 . 2007-08-22 12:28 -------- d-----w- c:\program files\Microsoft Works
2010-06-26 06:05 . 2010-08-16 23:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-16 23:16 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-16 23:16 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-16 23:16 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2007-08-22 20:03 . 2007-08-22 19:59 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-11 446976]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-05-21 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-21 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-21 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-21 133912]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-06 149280]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-30 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2006-11-27 134808]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-25 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2010-04-09 979344]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-22 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-8-22 45056]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-763004562-733847127-3944764089-1003]
"EnableNotificationsRef"=dword:00000002
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-30 30192]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-11-27 122008]
R3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\Drivers\usb2vcom.sys [2005-09-02 28928]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 KACLRTCH48056390693591;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [2010-04-06 806912]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-17 102448]
S3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.SYS [2010-02-25 13824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.smh.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: kaseyasp.dll
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\STacSV.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Symantec AntiVirus\VPTray.exe
c:\program files\Eraser\Eraser.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\windows\ehome\ehmsas.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
.
**************************************************************************
.
Completion time: 2010-09-20 23:40:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-20 13:40
ComboFix2.txt 2010-09-19 14:29
Pre-Run: 84,670,377,984 bytes free
Post-Run: 84,366,934,016 bytes free
- - End Of File - - 77F905A34DA4F1C6E3D4FAC259517408
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 21, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 20, 2010 05:49:11
Records in database: 4226980
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Objects scanned: 131957
Threats found: 16
Infected objects found: 62
Suspicious objects found: 1
Scan duration: 02:43:49
File name / Threat / Threats count
C:\E2Sales\PAXVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C440000.VBN Infected: Virus.Win32.TDSS.b 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gr 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gs 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gt 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80001.VBN Infected: Virus.Win32.TDSS.b 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE80000\4CE9936A.VBN Infected: Trojan.Win32.Oficla.ln 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF00000.VBN Infected: Virus.Win32.TDSS.b 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15DC0000.VBN Infected: Trojan.Win32.Inject.aowv 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00000.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00000.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00000.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00001.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00001.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00001.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00002.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00002.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00002.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00003.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00003.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00003.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00004.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00004.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00004.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00005.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00005.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00005.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C440000.VBN Infected: Virus.Win32.TDSS.b 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gr 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gs 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gt 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80001.VBN Infected: Virus.Win32.TDSS.b 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE80000\4CE9936A.VBN Infected: Trojan.Win32.Oficla.ln 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF00000.VBN Infected: Virus.Win32.TDSS.b 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15DC0000.VBN Infected: Trojan.Win32.Inject.aowv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00000.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00000.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00000.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00001.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00001.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00001.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00002.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00002.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00002.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00003.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00003.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00003.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00004.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00004.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00004.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00005.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00005.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00005.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\archive2.pst Infected: Trojan.Win32.FraudPack.gen 1
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\archive2.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\archive2.pst Infected: Exploit.HTML.Iframe.FileDownload.bz 1
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\outlook2.ost Infected: Trojan-Downloader.JS.Pegel.bt 2
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\outlook2.ost Infected: Trojan-Downloader.JS.Agent.foz 4
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\outlook2.ost Infected: Packed.Win32.Krap.x 1
Selected area has been scanned.
kevinf80_1d0ac6
1.1K Posts
0
September 20th, 2010 16:00
Hiya marylocke,
Good to hear that your system is starting to respond the way it should. Still a bit of work to do before we can clean up and set you free. Kaspersky has identified numerous entries, fortunately most of these are already quarantined and therefore safe. The remaining entries we have to deal with as follows :-
Please download OTM by OldTimer.
Alternative Mirror
Save it to your desktop.
Double click OTM.exe to start the tool.
-------------------------------------------------------------------
:Files
C:\E2Sales\PAXVNC.exe
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\archive2.pst
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\outlook2.ost
:Commands
[EmptyFlash]
[EmptyTemp]
[Purity]
[Reboot]
---------------------------------------------------------------------
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If the machine reboots, the Results log can be found here:
c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
Post the log from OTM and let me know of any remaining issues in your reply,
Kevin.
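The triage Kevin applies above (entries already sitting in the AV quarantine are contained, a "not-a-virus:" verdict needs a manual decision, anything else is live) as an added Python example that is not part of the thread. The sample log lines are a constructed excerpt in the format of the Kaspersky report posted earlier; the bucket names and helper functions are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the format of the Kaspersky online-scanner
# report quoted in this thread ("<path> Infected|Suspicious: <name> <count>").
SAMPLE_LOG = r"""C:\E2Sales\PAXVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C440000.VBN Infected: Virus.Win32.TDSS.b 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gr 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gs 1
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\archive2.pst Infected: Trojan.Win32.FraudPack.gen 1
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\archive2.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\outlook2.ost Infected: Trojan-Downloader.JS.Agent.foz 4
Selected area has been scanned.
"""

# Paths contain spaces, so anchor on the " Infected: " / " Suspicious: " token.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<count>\d+)$"
)


def parse_report(text):
    """Return {path: set of detection names}; non-matching lines are ignored."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits[m["path"]].add(m["name"])
    return hits


def triage(hits):
    """Sort detections into the three buckets used in the thread (names assumed)."""
    buckets = {"quarantined": [], "review": [], "live": []}
    for path in sorted(hits):
        names = hits[path]
        if "\\quarantine\\" in path.lower():
            buckets["quarantined"].append(path)   # AV already contained it
        elif all(n.startswith("not-a-virus:") for n in names):
            buckets["review"].append(path)        # legitimate tool class, decide manually
        else:
            buckets["live"].append(path)          # active detection, needs handling
    return buckets


def remaining_entries(text):
    """The list that still needs action: manual-review items plus live detections."""
    b = triage(parse_report(text))
    return b["review"] + b["live"]


if __name__ == "__main__":
    for bucket, paths in triage(parse_report(SAMPLE_LOG)).items():
        print(bucket, len(paths))
    for p in remaining_entries(SAMPLE_LOG):
        print("needs action:", p)
```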
marylocke
8 Posts
0
September 20th, 2010 22:00
Hi Kevin,
Before I do this, I just wanted to check with you that OTM isn't going to delete or otherwise corrupt the files in question. I am confident this isn't going to happen for the Outlook files; but E2Sales is an application I need for my work so just wanted to double-check, especially as the Kaspersky log says 'not-a-virus'.
Cheers - Mary
kevinf80_1d0ac6
1.1K Posts
0
September 21st, 2010 02:00
The term 'not a virus' does not mean it ain't malicious; Kaspersky has flagged that executable PAXVNC.exe as malicious. That is the reason I like to use Kaspersky online scan, it only identifies and does not kill. Likewise with OTM, any file/folder in the list is moved to the C:\_OTM folder, if it is subsequently found to be needed and in fact harmless we can move it back.
Likewise with the other two entries, the full archive will be moved, is that a problem for you? Please bear in mind when we clean up at the end the OTM folder will be deleted. Leave OTM for now.
We need to upload a file to Jotti
1. Click HERE to get to Jotti's site.
2. At the top of the Jotti window, use the Browse button to locate the following file on your system:
C:\E2Sales\PAXVNC.exe
3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.
4. Please provide me with the results of the analysis.
Upload a File to Virustotal
Please visit Virustotal
Let's see what report we get back from those two and take it from there. Regarding the other two entries:
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\archive2.pst
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\outlook2.ost
Can you navigate to each one in turn, right click it, and see whether you have the option to scan with your AV and Malwarebytes? If so, do each in turn and see what results you get.
Post back with the results from Jotti and VirusTotal. Also results from Outlook archives.
Kevin.
marylocke
8 Posts
0
September 21st, 2010 05:00
Hi Kevin,
The Jotti results all have 'Found Nothing', except for Kaspersky, which says "not-a-virus:RemoteAdmin.Win32.WinVNC-based.c":
The Virus Total result is as follows:
not reviewed
Safety score: -
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
publisher....: UltraVnc
copyright....: Copyright (C) UltraVnc
product......: UltraVncSC
description..: UltraVnc Self-Extract Setup
original name: UltraVncSC
internal name: UltraVncSC
file version.: 4, 10, 0, 1
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned
[[ basic data ]]
entrypointaddress: 0x1215F
timedatestamp....: 0x41EAA425 (Sun Jan 16 17:28:05 2005)
machinetype......: 0x14c (I386)
[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x12F4E, 0x13000, 6.42, c91ec8f2d7d6f1e35416df5fe732278b
.rdata, 0x14000, 0x39F0, 0x3A00, 4.33, 861bb8b297f369ef773dc6c7b125b37f
.data, 0x18000, 0x9F0, 0x600, 3.84, 53b3b978572819498207ab8228dc2ea8
.rsrc, 0x19000, 0xCBC, 0xE00, 3.23, 50f449b68df478f383134021eb761e62
[[ 5 import(s) ]]
COMCTL32.dll: -
KERNEL32.dll: DeleteCriticalSection, InitializeCriticalSection, CloseHandle, WaitForMultipleObjects, SetEvent, CreateThread, WaitForSingleObject, ResetEvent, VirtualAlloc, VirtualFree, MultiByteToWideChar, WideCharToMultiByte, GetLastError, CompareStringW, CompareStringA, AreFileApisANSI, GetModuleFileNameA, GetModuleFileNameW, LocalFree, FormatMessageA, FormatMessageW, GetWindowsDirectoryA, SetFileAttributesA, SetFileAttributesW, RemoveDirectoryA, RemoveDirectoryW, CreateDirectoryA, CreateDirectoryW, DeleteFileA, DeleteFileW, GetShortPathNameA, lstrlenA, GetFullPathNameA, GetFullPathNameW, GetCurrentDirectoryA, SetCurrentDirectoryA, GetTempPathA, GetTempFileNameA, FindClose, FindFirstFileA, FindFirstFileW, SetLastError, FindNextFileA, CreateFileA, CreateFileW, GetFileSize, SetFilePointer, ReadFile, SetFileTime, WriteFile, SetEndOfFile, CreateEventA, LeaveCriticalSection, EnterCriticalSection, Sleep, CreateProcessA, GetCommandLineW, GetModuleHandleA, GetStartupInfoA
USER32.dll: DestroyWindow, PostMessageA, ShowWindow, MessageBoxA, KillTimer, EndDialog, SendMessageA, GetDlgItem, SetTimer, MessageBoxW, SetWindowTextW, SetWindowTextA, LoadStringW, LoadStringA, CharPrevA, DialogBoxParamA, SetWindowLongA, GetWindowLongA
OLEAUT32.dll: -, -
MSVCRT.dll: _controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, _except_handler3, __1type_info@@UAE@XZ, memcpy, free, malloc, memmove, _purecall, memcmp, _CxxThrowException, __CxxFrameHandler, __2@YAPAXI@Z, __3@YAXPAX@Z
As for those Outlook files
Both archive2.pst and outlook2.ost show no results from my Anti-virus scan, and the following from Malwarebytes (identical report for each file):
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4650
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943
21/09/2010 9:11:56 PM
mbam-log-2010-09-21 (21-11-56).txt
Scan type: Quick scan
Objects scanned: 1
Time elapsed: 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
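The VirusTotal output above (COFF timestamp, per-section entropy and md5) comes straight from the PE headers, and a defender can recompute those figures offline before deciding whether a flagged remote-admin tool is the build it claims to be. The following Python is an added example, not code from the thread or from VirusTotal: it parses the section table of a constructed minimal PE image (built in the block, not a real binary) and reports the same fields; the helper names are assumptions of this example.

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

COFF = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER: Machine .. Characteristics
SECTION = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER (40 bytes)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; packed code sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image):
    """Return machine, timestamp and one dict per section, like the VirusTotal table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, _ = COFF.unpack_from(image, pe_off + 4)
    sec_off = pe_off + 4 + COFF.size + opt_size               # table follows optional header
    sections = []
    for i in range(nsec):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, _) = SECTION.unpack_from(image, sec_off + i * SECTION.size)
        raw = image[rawptr:rawptr + rawsize]
        if len(raw) != rawsize:                                # truncated/corrupt file
            raise ValueError("section %r runs past end of file" % name)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": md5_hex(raw),
        })
    built = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return {"machine": machine, "timestamp": ts, "built": built, "sections": sections}


def build_sample_pe(sections, timestamp=0x41EAA425):
    """Constructed minimal PE (no optional header) for offline testing; not a real binary."""
    hdr_len = 0x40 + 4 + COFF.size + SECTION.size * len(sections)
    coff = COFF.pack(0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    table, blobs, ptr, vaddr = b"", b"", hdr_len, 0x1000
    for name, data in sections:
        table += SECTION.pack(name.ljust(8, b"\0"), len(data), vaddr, len(data), ptr,
                              0, 0, 0, 0, 0x60000020)
        blobs += data
        ptr += len(data)
        vaddr += 0x1000
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + table + blobs


# Uniform bytes give entropy 8.0, an all-zero section gives 0.0.
SAMPLE_PE = build_sample_pe([(b".text", bytes(range(256)) * 4), (b".data", b"\0" * 512)])

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print("machine 0x%x built %s" % (info["machine"], info["built"]))
    for s in info["sections"]:
        print(s["name"], hex(s["vaddr"]), s["entropy"], s["md5"])
```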
kevinf80_1d0ac6
1.1K Posts
0
September 21st, 2010 08:00
There are times when security programs will flag perfectly good applications as malicious because of how they work. These are classed as false positives or FP for short. If you are quite happy to accept those flagged entries then that is fine by me.
Proceed as follows please :-
Step 1
Remove Combofix now that we're done with it
The above procedure will delete the following:
Step 2
Step 3
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older version Java components and update:
Go to Start > Control Panel, double-click on Uninstall a Program and remove all older versions of Java. But not JRE - 6 update 10 and above These are removed automatically with the new installer.
If using Windows Vista or Windows 7 and the installer refuses to launch due to insufficient user permissions, then Right Click and Run As Administrator.
If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.
Note:
The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it:
Step 4
Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.
Please go to the link below to update.
Adobe Reader. Untick the Free McAfee® Security Scan Plus (optional) unless you want it.
Step 5
Download and scan with CCleaner
1. Starting with v 1.27.26 (This version no. will differ), CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK " Only delete files in Windows Temp folder older than 24 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
In the Applications Tab:
4. Click the " Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click " OK" and it will scan and clean your system.
7. Click " exit" when done.
Post back and let me know if all went OK, especially the Combofix uninstall. Also let me know if you have any remaining issues.
Kevin.
marylocke
8 Posts
0
September 22nd, 2010 05:00
Hi Kevin,
All good. Uninstalled ComboFix fine (took me a few tries before I paid attention to the need for that space before "/"!)
All other steps completed successfully. CCleaner is a neat app!
Thanks a lot for all your help. My computer and I are eternally grateful to you!
Mary
kevinf80_1d0ac6
1.1K Posts
0
September 22nd, 2010 05:00
Good to hear all went well with the clean up,
Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.
Make proper use of your antivirus and firewall
Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.
You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.
You will have several programs installed, these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.
Use a safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:
Firefox,
Opera, and
Chrome.
All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.
These browser add-ons will help to make your browser safer:
Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:
Available for Firefox and Internet Explorer.
Green to go,
Yellow for caution, and
Red to stop.
Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.
These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.
Here are a couple of links by two security experts that will give some excellent tips and advice.
So how did I get infected in the first place by Tony Klein
How to prevent Malware by Miekiemoes
Finally this link HERE will give a comprehensive up-to-date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.
Please reply so I know you have read this, it's been a pleasure to work with you.
Take care,
Kevin
marylocke
8 Posts
0
September 22nd, 2010 06:00
Thanks Kevin. I will take your tips and recommendations on board.
Cheers,
Mary
kevinf80_1d0ac6
1.1K Posts
0
September 22nd, 2010 07:00
Since this issue appears to be resolved the topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.