3 Apprentice

20.5K Posts

November 28th, 2010 16:00

Hi cofeeiv.

Welcome. Thank you for using Dell Community Forums.

I am reviewing your log. In the meantime, you can help me by addressing the following:

* Have you posted this issue on another forum? If so, please provide a link to the topic.

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. Please note also that not all of our tools work on 64-bit systems, so we may be limited in our procedures.

* The presence of Windows error codes may indicate hardware problems and could limit the success of infection removal.

ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder; if you like, you can enable this option later).
  • Start ERUNT (either by double-clicking on the desktop icon or choosing to start the program at the end of the setup).
  • Choose a location for the backup (the default location is C:\WINDOWS\ERDNT, which is acceptable).
  • Make sure that at least the first two check boxes are ticked.
  • Press OK.
  • Press YES to create the folder.

Let me know after you have done that, so we can begin cleaning.

No Reply within 3 days will result in this topic being closed, and I will remove it from my subscriptions. If you require more time, please let me know.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.

4 Posts

November 29th, 2010 06:00

* Have you posted this issue on another forum? If so, please provide a link to the topic.
No

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?
yes

Let me know after you have done that, so we can begin cleaning.
Okay. Done

3 Apprentice

20.5K Posts

November 29th, 2010 07:00

We need to see some additional information about what is happening in your machine.

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • Click Yes at the prompt for Optional Scan.
  • When done, DDS will open two (2) logs

1. DDS.txt
2. Attach.txt

  • Save both reports to your desktop.
  • Copy/paste both logs to your reply on the forum. Do not attach them.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.

4 Posts

November 29th, 2010 09:00

DDS:

DDS (Ver_10-11-27.01) - FAT32x86 
Run by Test at 10:17:09.06 on Mon 11/29/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1983.1254 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated)   {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINNT\System32\svchost.exe -k netsvcs
C:\WINNT\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
SVCHOST.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Nero\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\PSIService.exe
C:\WINNT\system32\svchost.exe -k imgsvc
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\WgaTray.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Nero\InCD\InCD.exe
C:\Program Files\S4F\Filter7.exe
C:\WINNT\RTHDCPL.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Documents and Settings\Test\Local Settings\Temp\F4.tmp\MBR.DAT
C:\Documents and Settings\Test\My Documents\Downloads\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://justih.org/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://searchbox.digsby.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
{3fe9f275-8928-4c86-a45f-1dc706fd68bc}
BHO: {57e57055-68c8-4fc0-aa94-d13742f43519} -
BHO: {62987c79-ba9b-42f2-baeb-65e471d363c9} -
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FF344242-A1AF-4343-A223-FC3DA42990C8} - No File
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRunOnce: [Shockwave Updater] c:\winnt\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.shockwave.com/gamelanding/driftnburn365.jsp"
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [LoadQM] loadqm.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [NeroFilterCheck] c:\winnt\system32\NeroCheck.exe
mRun: [InCD] c:\program files\nero\incd\InCD.exe
mRun: [Bubbles] "c:\program files\bubbles\Bubbles.exe" -startup
mRun: [S4F] c:\program files\s4f\Filter7.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
dRunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N
mExplorerRun: [GEORGE] .vbe
StartupFolder: c:\docume~1\test\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\speedf~1.lnk - c:\program files\speedfan\speedfan.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
LSP: c:\winnt\system32\wins4f.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: geBssstt - geBssstt.dll
Notify: ljjjhfg - ljjjhfg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\wpdshserviceobj.dll
LSA: Authentication Packages = msv1_0 c:\winnt\system32\ssqQgFVn
Hosts: 64.13.251.109 christophersignaturepools.com
Hosts: 69.163.189.150 higherpoweraviation.com

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-27 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-27 267944]
R2 avgntflt;avgntflt;c:\winnt\system32\drivers\avgntflt.sys [2010-2-17 61960]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2010-3-26 598856]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-11-27 11608]
S2 Apache2.2;Apache2.2;
S2 trackcam;TrackerCam Video Capture Driver;c:\winnt\system32\drivers\trackcam.sys [2009-3-21 77760]
S2 XAMPP;XAMPP Service;
S3 InCDFat;Ahead InCDFat File System Driver;c:\winnt\system32\drivers\InCDFat.sys [2007-11-28 134144]
S3 s3m;s3m;c:\winnt\system32\drivers\s3m.sys [2007-11-7 166720]

=============== Created Last 30 ================

2010-11-29 17:11:32    --------    d--h--w-    c:\winnt\PIF
2010-11-28 00:56:09    388096    ----a-r-    c:\docume~1\test\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-28 00:56:08    --------    d-----w-    c:\program files\Trend Micro
2010-11-27 23:16:00    472808    ----a-w-    c:\winnt\system32\deployJava1.dll
2010-11-27 22:41:44    --------    d-----w-    c:\docume~1\test\applic~1\Avira
2010-11-27 22:38:14    --------    d-----w-    c:\program files\Avira
2010-11-27 22:38:14    --------    d-----w-    c:\docume~1\alluse~1\applic~1\Avira
2010-11-26 16:55:24    --------    d-sh--w-    C:\FOUND.000
2010-11-26 15:43:09    25856    ----a-w-    c:\winnt\system32\drivers\usbprint.sys
2010-11-26 15:43:09    25856    ----a-w-    c:\winnt\system32\dllcache\usbprint.sys
2010-11-21 05:16:43    --------    d-----w-    c:\documents and settings\test\My Docum
2010-11-19 23:04:38    --------    d-----w-    c:\program files\Carbonite
2010-11-19 23:04:38    --------    d-----w-    c:\docume~1\alluse~1\applic~1\Carbonite
2010-11-19 22:46:20    --------    d-----w-    c:\program files\common files\AnswerWorks 5.0
2010-11-19 22:46:18    733184    ----a-w-    c:\program files\common files\installshield\professional\runtime\10\00\intel32\iKernel.dll
2010-11-19 22:46:18    69715    ----a-w-    c:\program files\common files\installshield\professional\runtime\10\00\intel32\ctor.dll
2010-11-19 22:46:18    5632    ----a-w-    c:\program files\common files\installshield\professional\runtime\10\00\intel32\DotNetInstaller.exe
2010-11-19 22:46:18    303236    ----a-w-    c:\program files\common files\installshield\professional\runtime\10\00\intel32\setup.dll
2010-11-19 22:46:18    266240    ----a-w-    c:\program files\common files\installshield\professional\runtime\10\00\intel32\iscript.dll
2010-11-19 22:46:18    180356    ----a-w-    c:\program files\common files\installshield\professional\runtime\10\00\intel32\iGdi.dll
2010-11-19 22:46:18    172032    ----a-w-    c:\program files\common files\installshield\professional\runtime\10\00\intel32\iuser.dll
2010-11-19 22:46:11    3839360    ----a-w-    c:\winnt\system32\cdintf300.dll
2010-11-19 22:46:05    --------    d-----w-    c:\docume~1\test\applic~1\Intuit
2010-11-19 22:45:59    --------    d-----w-    c:\program files\common files\Intuit
2010-11-19 22:45:58    --------    d-----w-    c:\program files\Quicken
2010-11-17 15:24:49    --------    d-----w-    c:\docume~1\alluse~1\applic~1\Intuit

==================== Find3M  ====================

2010-11-04 17:23:52    900    --sha-w-    c:\winnt\system32\KGyGaAvL.sys
2010-09-15 09:29:50    73728    ----a-w-    c:\winnt\system32\javacpl.cpl
2010-09-09 17:39:24    76    ----a-w-    c:\winnt\SOS.SYS
2010-09-07 17:37:44    14    ----a-w-    c:\winnt\system32\SysInfo.dll
1999-10-20 22:31:16    1703    ----a-w-    c:\program files\layout.bin
1999-08-09 18:54:32    24576    ----a-w-    c:\program files\AR_KeyRun.exe
1998-10-27 20:06:48    27648    ----a-w-    c:\program files\_ISDel.exe

============= FINISH: 10:22:21.01 ===============

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ATTACH:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/14/2009 8:23:12 PM
System Uptime: 11/28/2010 9:34:34 AM (25 hours ago)

Motherboard: WinFast |  | MCP61M2MA
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket M2  | 2611/201mhz
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket M2  | 2611/201mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 20 GiB total, 0.796 GiB free.
D: is FIXED (NTFS) - 40 GiB total, 35.039 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Communications Port
Device ID: ACPI\PNP0501\1
Manufacturer: (Standard port types)
Name: Communications Port (COM1)
PNP Device ID: ACPI\PNP0501\1
Service: Serial

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Communications Port
Device ID: ACPI\PNP0501\2
Manufacturer: (Standard port types)
Name: Communications Port (COM2)
PNP Device ID: ACPI\PNP0501\2
Service: Serial

==== System Restore Points ===================

RP409: 11/27/2010 5:56:08 PM - Installed HiJackThis
RP410: 11/28/2010 6:05:30 PM - System Checkpoint

==== Installed Programs ======================

7-Zip 4.42
Ad-Aware Email Scanner for Outlook
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 9.3.4
Adobe Shockwave Player 11.5
Age of Empires III
Age of Empires III - The WarChiefs Trial
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Battlecraft Vietnam
Battlefield Vietnam(TM)
Battlefield Vietnam: WW2 Mod
BlazeDVD 6.0
Carbonite
Corel Paint Shop Pro X
Crystal Reports Basic Runtime for Visual Studio 2008
DirectX Media Runtime 5.1
ERUNT 1.1j
FoxyTunes for Firefox
GTK+ Runtime 2.14.7 rev a (remove only)
HedgeBuilders Internet Filtering
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
iTunes
Java Auto Updater
Java(TM) 6 Update 22
Medal of Honor Allied Assault
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Application Error Reporting
Microsoft Motocross Madness 2 Trial
Microsoft Office 2000 SR-1 Disc 2
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Nero Suite
NVIDIA Drivers
Quicken 2009
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Software Update for Web Folders
SpeedFan (remove only)
Tweakui Powertoy for Windows XP
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
W541U
Window Washer
Windows Genuine Advantage Notifications (KB905474)
Windows Presentation Foundation
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

11/27/2010 3:37:00 PM, error: SideBySide [59]  - Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system. .
11/27/2010 3:37:00 PM, error: SideBySide [59]  - Generate Activation Context failed for C:\DOCUME~1\Test\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
11/27/2010 3:37:00 PM, error: SideBySide [32]  - Dependent Assembly Microsoft.VC90.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
11/24/2010 12:41:04 PM, error: RemoteAccess [20106]  - Unable to add the interface {90CF6FD2-AC1C-4A44-9C7E-D5097E8F926B} with the Router Manager for the IP protocol. The following error occurred: Cannot complete this function.
11/24/2010 12:41:02 PM, error: Service Control Manager [7000]  - The XAMPP Service service failed to start due to the following error:  The system cannot find the path specified.
11/24/2010 12:41:01 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/24/2010 12:41:01 PM, error: Service Control Manager [7000]  - The TrackerCam Video Capture Driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/24/2010 12:41:01 PM, error: Service Control Manager [7000]  - The mysql service failed to start due to the following error:  The system cannot find the path specified.
11/24/2010 12:41:01 PM, error: Service Control Manager [7000]  - The Apache2.2 service failed to start due to the following error:  The system cannot find the path specified.
11/24/2010 12:41:00 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/23/2010 5:31:30 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/23/2010 5:31:12 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/23/2010 3:31:29 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/23/2010 3:31:12 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/23/2010 3:00:16 PM, error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the CarboniteService service, but this action failed with the following error:  An instance of the service is already running.
11/23/2010 2:59:16 PM, error: Service Control Manager [7031]  - The CarboniteService service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/23/2010 2:31:29 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/23/2010 2:31:12 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/23/2010 2:01:29 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/23/2010 2:01:12 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================
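The Pseudo HJT section of the log above is where a helper looks first. As an added example (not code from the thread, from DDS or from its author), this Python script extracts that section from pasted DDS text and flags the entry types a reviewer triages before anything else: Winlogon Notify packages, extra LSA authentication packages, Policies\Explorer\Run autostarts, orphaned BHOs, Hosts overrides and Winsock LSPs. The sample is an excerpt of the posted log; the rules, severities and the stock-DLL allowlist are this example's own assumptions.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log (added example; not part of DDS
or of the helper's instructions). SAMPLE is an excerpt of the log posted above; the
rules, category names and stock-DLL allowlist are this example's own assumptions."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high": code loaded at logon outside the normal Run keys; "review": verify by hand
    kind: str
    line: str


HJT_HEADER = re.compile(r"^=+\s*Pseudo HJT Report\s*=+$")
ANY_HEADER = re.compile(r"^=+\s+.+\s+=+$")
BHO_PATH = re.compile(r"\}\s*-\s*(.*)$")
# Winlogon Notify DLLs shipped with Windows XP or WGA Notifications (assumed allowlist).
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "wlnotify.dll", "wgalogon.dll"}

# Excerpt of the DDS log posted in this thread.
SAMPLE = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://justih.org/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {57e57055-68c8-4fc0-aa94-d13742f43519} -
BHO: {FF344242-A1AF-4343-A223-FC3DA42990C8} - No File
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
mExplorerRun: [GEORGE] .vbe
LSP: c:\winnt\system32\wins4f.dll
Notify: geBssstt - geBssstt.dll
Notify: ljjjhfg - ljjjhfg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\wpdshserviceobj.dll
LSA: Authentication Packages = msv1_0 c:\winnt\system32\ssqQgFVn
Hosts: 64.13.251.109 christophersignaturepools.com
Hosts: 69.163.189.150 higherpoweraviation.com

============= SERVICES / DRIVERS ===============

R2 avgntflt;avgntflt;c:\winnt\system32\drivers\avgntflt.sys [2010-2-17 61960]
"""


def hjt_section(text: str) -> List[str]:
    """Return the non-blank lines between the Pseudo HJT header and the next section header."""
    lines, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if HJT_HEADER.match(line):
            inside = True
        elif inside and ANY_HEADER.match(line):
            break
        elif inside and line:
            lines.append(line)
    return lines


def triage_hjt(text: str) -> List[Finding]:
    """Apply the review rules to each Pseudo HJT line; findings come back in log order."""
    findings: List[Finding] = []
    for line in hjt_section(text):
        key, _, rest = line.partition(":")
        rest = rest.strip()
        if key == "Notify":
            # winlogon.exe loads every Notify DLL at logon; a bare, non-stock name is the
            # classic random-named package and is resolved from the search path.
            dll = rest.rpartition(" - ")[2].strip().lower()
            if "\\" not in dll and dll not in STOCK_NOTIFY_DLLS:
                findings.append(Finding("high", "winlogon-notify", line))
        elif key == "LSA" and rest.startswith("Authentication Packages"):
            # lsass.exe loads each listed package; msv1_0 is the only XP default.
            packages = rest.partition("=")[2].split()
            if any(p.lower() != "msv1_0" for p in packages):
                findings.append(Finding("high", "lsa-auth-package", line))
        elif key.endswith("ExplorerRun"):
            # Policies\Explorer\Run autostart: rarely used by legitimate installers.
            findings.append(Finding("high", "policies-explorer-run", line))
        elif key == "BHO":
            # 'BHO: <name>: {CLSID} - <path>'; an empty path or 'No File' is an orphaned entry.
            m = BHO_PATH.search(rest)
            path = m.group(1).strip() if m else ""
            if not path or path.lower() == "no file":
                findings.append(Finding("review", "bho-orphaned", line))
        elif key == "Hosts":
            findings.append(Finding("review", "hosts-override", line))
        elif key == "LSP":
            # Winsock Layered Service Providers see every socket call on the machine.
            findings.append(Finding("review", "winsock-lsp", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE):
        print(f"[{f.severity:6}] {f.kind:22} {f.line}")
```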

3 Apprentice

20.5K Posts

November 29th, 2010 10:00

If not listed just continue with the rest of these instructions
There seems to be more than one variant of this, so we'll see what turns up.

3 Apprentice

20.5K Posts

November 29th, 2010 10:00

To begin, we will use Task Manager first to stop a process called "hotfix.exe".
1. Open Task Manager (Ctrl+Alt+Del), scroll down through the list of running processes and left-click once on the hotfix.exe process if it is listed.

2. After the hotfix.exe process is highlighted, click on the End Process button. When you click this button, Windows will ask if you are sure you want to terminate the process. Click the Yes button to terminate it. If not listed just continue with the rest of these instructions. ThinkPoint will now be terminated and you will be at a blank screen with Task Manager running.

3. Now click on the File menu > select New Task (Run...) from the menu.

4. When the Create New Task prompt appears, type explorer.exe into the Open: field and press the OK button. After a minute or so you should be back at your Windows desktop.

5. Now that your desktop has returned, the first thing we have to do is fix your Windows Registry Shell value. If we do not fix this entry and hotfix.exe is deleted, your Windows desktop will not be displayed the next time you reboot.

To fix the Shell entry, simply download the following file to your desktop. If you are having trouble downloading the file, try right-clicking on it and selecting Save as.
Shell.reg Download Link: http://download.bleepingcomputer.com/reg/shell.reg

6. Once Shell.reg has been downloaded, locate it on your desktop and double-click on it. When Windows asks if you would like the data to be merged, please allow it to do so.

7. Please download Rkill by Grinler from here Rkill and save it to your desktop. If that does not work, try this alternate Link.

  • Double-click on the Rkill desktop icon to run the tool in order to automatically attempt to stop any processes associated with Security Tool and other Rogue programs.
  • If using Vista, right-click on it and Run As Administrator.
Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, please ignore it, and run rkill.com again. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it.
Therefore, please run rkill quite a few times until the malware is no longer running. You will then be able to proceed with the rest of the instructions below.

*NOTE: A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish.
Do not reboot your computer after running rkill as the malware programs will start again.

8. Now you should download Malwarebytes' Anti-Malware, or MBAM, from one of the following locations and save it to your desktop:

Malwarebytes Anti-Malware
alternate download link 1
alternate download link 2

9. Once downloaded, close all programs and Windows on your computer, including this one.

10. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

11. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing and is at the last screen, make sure you uncheck both of the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware check boxes. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.

12. As this infection deletes a core executable of Malwarebytes' we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link:
Malwarebytes Anti-Malware

13. When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.

14. Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded. MBAM will now start and you will be at the main program screen.

15. Before you can perform a scan, you must first update the program. To do this click on the Update tab, and then at the new screen click on the Check for Updates button. Malwarebytes' will now check for new updates and download and install them as necessary. When the update is completed, you will be prompted with a message stating either that you already have the latest updates or that they have been updated. Either way, you should now click on the OK button to continue.

16. Now click on the Scanner tab and make sure the Perform full scan option is selected. Then click on the Scan button to start scanning your computer for Security Tool related files.

17. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.
When the scan is finished a message box will appear.

18. You should click on the OK button to close the message box and continue with the malware removal process.

19. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

20. A screen displaying all the malware that the program found will be shown.

When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

Please post that log in your next reply here along with a fresh HijackThis log.
Please let me know why you have not updated to XP SP3 or IE 8. Both were offered quite a while ago to XP users.

You can now exit the MBAM program.

* Due to the fact that this infection deletes certain MalwareBytes' files, and we had to work around this, if you wish to continue using MalwareBytes' Anti-Malware, which we suggest you do, then you should uninstall and then install it again so that the files are created properly.
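Step 5 above concerns the Winlogon Shell value. This Python check, added here and not the helper's shell.reg, parses a Shell value the way Winlogon does (a comma-separated program list) and flags anything other than explorer.exe, reading the live HKLM and HKCU values when run on Windows; the hotfix.exe path in the sample is constructed.

```python
"""Check the Winlogon Shell value that step 5 of the thread restores (added example,
not the helper's shell.reg). Winlogon launches every program listed in Shell as the
desktop shell, so a hijacked value that names a second program besides explorer.exe
is why deleting that program alone leaves a blank desktop at the next boot."""
import ntpath
import sys
from typing import List, Tuple

EXPECTED_SHELL = "explorer.exe"
WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_shell_value(value: str) -> List[str]:
    """Split a Shell value into the programs Winlogon will launch, dropping quotes and blanks."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def check_shell_value(value: str) -> Tuple[bool, List[str]]:
    """Return (ok, unexpected). ok means the value launches explorer.exe and nothing else;
    unexpected lists every other program, e.g. a malware executable appended to the value."""
    programs = parse_shell_value(value)
    unexpected = [p for p in programs if ntpath.basename(p).lower() != EXPECTED_SHELL]
    ok = len(programs) == 1 and not unexpected
    return ok, unexpected


def read_live_shell_values() -> List[Tuple[str, str]]:
    """On Windows, return (hive, Shell) for HKLM and, if present, the per-user HKCU value,
    which Winlogon honours over the machine-wide one. Elsewhere return an empty list."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    found = []
    for name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, WINLOGON_SUBKEY) as key:
                value, _ = winreg.QueryValueEx(key, "Shell")
                found.append((name, str(value)))
        except OSError:
            pass  # key or value absent; a clean profile normally has no HKCU Shell value
    return found


if __name__ == "__main__":
    # Constructed sample of a hijacked value; the real path is whatever the log shows.
    sample = [("sample", r"Explorer.exe,c:\docume~1\test\hotfix.exe")]
    for hive, value in read_live_shell_values() or sample:
        ok, unexpected = check_shell_value(value)
        print(f"{hive}: Shell={value!r} -> {'ok' if ok else 'unexpected: ' + ', '.join(unexpected)}")
```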

4 Posts

November 29th, 2010 10:00

To begin, we will use Task Manager first to stop a process called "hotfix.exe".
1. Open Task Manager (Ctrl+Alt+Del), scroll down through the list of running processes and left-click once on the hotfix.exe process if it is listed.

5. Now that your desktop has returned, the first thing we have to do is fix your Windows Registry Shell value. If we do not fix this entry and hotfix.exe is deleted, your Windows desktop will not be displayed the next time you reboot.

It is not on the list. Does that mean it is deleted? What should I do here?


3 Apprentice

20.5K Posts

December 2nd, 2010 08:00

Due to the lack of feedback this topic is closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
