New vista computer has a mind of its own [RESOLVED]
#1
Posted 05 July 2009 - 06:13 AM
I started with some help on another site and they have advised me to come here and post this Hijackthis log.
I have a new computer: Windows Vista Home Edition SP1... about a week old. 2GB RAM, 32 bit, AMD Phenom 8450. All programs are new and up to date. Nvidia GeForce 9600. Automatic updates are enabled.
I can't seem to open Malwarebytes (downloaded and installed with Windows Defender turned off and uec(?) also disabled). Can't open S&D free version (although clicking the desktop icon it tries to load, then an Explorer popup says Spybot Search and Destroy has stopped working, an error has caused this). And AVG Free: I got an error trying to install AVG and it is not installed.
But no matter what I do they will not open, let alone scan.
I try to go to sites and the Firefox browser redirects me to Google (not every time, but especially if I try to go to something related to malware or spyware). If I do manage to get to a site I can't download any other antispyware etc. programs as I get redirected back to Google usually. I use Firefox 3.0.11.
Pressing F8 on boot up just loads me up to the regular desktop... so can't enter safe mode.
Using Windows Explorer, often it is saying it is not responding, or I get the IE popup with things like freelotto.com in the browser (and I don't even click a link to open IE 8). I clicked a link in the Vista forums here and it went to the AVG Free page but that did not look like the regular site I already went to... I was trying to go to Malwarebytes I think.
I just checked my Control Panel minutes ago and that has changed to very large icons.
It's possible my teenager may have downloaded something... whatever it is, it's fast.
Ad-Aware (free version) seems to work but comes up with nothing in the fast scan nor the deeper scan mode... only a handful of cookies it deleted.
Trend Micro HouseCall: just opened IE to go to this site and got to the scanner. It updated but did not get to scan. I turned off any programs that may have interfered with HijackThis (which I managed to download but did have to rename the icon as it refused to open).
I managed to have a-squared scan and it found 5 items and deleted them... but after rebooting and going online, after about 10 minutes I got a blue screen come up saying something about an error so it will shut down the computer.
It wasn't on long enough to read everything on screen.
It rebooted and I was in My Documents, then went online once again and after around 20 minutes, while in the middle of typing the post elsewhere, I got this blue screen once again.
1. Try to turn on Windows again. Right-click "My Computer" > Properties > Advanced System Settings. Under "Startup and Recovery", click Settings. Uncheck the box before "Automatically Restart" on system failure. (I did this step then downloaded HijackThis.)
I am stumped.
Computer worked great until yesterday.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:51 PM, on 5/07/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Richter\Downloads\igedit.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mywestnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - 0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - (no file)
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O13 - Gopher Prefix:
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.micro...gWebControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9FEAB50-D29A-4A61-BA9F-8997AC759531}: NameServer = 85.255.112.81,85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.81,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.81,85.255.112.148
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\USERS\RICHTER\DESKTOP\A2USB\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
--
End of file - 6257 bytes
Thank you,
PS I am still trying to understand how Vista works as I am used to WinXP Pro.
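The three O17 lines in the log above are the DNS hijack behind the redirects this post describes: every lookup goes to 85.255.112.81 and 85.255.112.148 instead of the ISP's resolver, which is why sites "redirect to Google" and security downloads never arrive (the same values are what Malwarebytes later labels Trojan.DNSChanger in this thread). The Python below is an added example, not code from this thread, from HijackThis or from Malwarebytes: it parses O17 entries, checks each NameServer value against an expected-resolver list, and reports which control sets reference an unexpected resolver (HijackThis writes CCS for CurrentControlSet and CS1 for ControlSet001). The sample log is constructed from the entries above plus one clean line; the 203.0.113.53 resolver and the EXPECTED_RESOLVERS set are placeholders standing in for the ISP's real resolver, not values from the page.

```python
"""Flag unexpected DNS resolvers in HijackThis O17 entries (added example)."""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample: the O17 lines from the HijackThis log in this thread plus
# one clean line (CS3 / 203.0.113.53 is a documentation-range placeholder for the
# ISP resolver, not a value from the thread) and a non-O17 line for contrast.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9FEAB50-D29A-4A61-BA9F-8997AC759531}: NameServer = 85.255.112.81,85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.81,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.81,85.255.112.148
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 203.0.113.53
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
"""

# Assumption for this example: the resolvers a healthy machine should be using.
# A home router (RFC 1918 / loopback) is also accepted when PRIVATE_OK is True.
EXPECTED_RESOLVERS = {"203.0.113.53"}
PRIVATE_OK = True

# Matches "O17 - HKLM\System\<control set>\Services\Tcpip\<location>: NameServer = a,b"
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>[^\\]+)\\Services\\Tcpip\\(?P<where>.+?): "
    r"NameServer = (?P<servers>.*)$"
)


def parse_o17(log_text: str) -> List[dict]:
    """Return one record per O17 line: control set, registry location, resolver list."""
    records = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        records.append(
            {"control_set": m.group("cset"), "where": m.group("where"), "servers": servers}
        )
    return records


def is_expected(server: str) -> bool:
    """True if the resolver is on the allowlist or (optionally) a private/loopback address."""
    if server in EXPECTED_RESOLVERS:
        return True
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP literal at all: treat as suspicious
    return PRIVATE_OK and (ip.is_private or ip.is_loopback)


def find_rogue_resolvers(log_text: str) -> Dict[str, Set[str]]:
    """Map each unexpected resolver to the set of control sets that reference it.

    Reporting per control set matters for cleanup: the Malwarebytes log in this
    thread removed the same value from CurrentControlSet, ControlSet001 and
    ControlSet003. A fix that only touches the current control set leaves a copy
    that "Last Known Good" or a fallback boot can bring straight back.
    """
    rogue: Dict[str, Set[str]] = {}
    for rec in parse_o17(log_text):
        for server in rec["servers"]:
            if not is_expected(server):
                rogue.setdefault(server, set()).add(rec["control_set"])
    return rogue


if __name__ == "__main__":
    for server, csets in sorted(find_rogue_resolvers(SAMPLE_LOG).items()):
        print(f"unexpected resolver {server} in control set(s): {', '.join(sorted(csets))}")
```

Run against the sample, the checker reports both 85.255.112.x addresses, each referenced from CCS and CS1, and stays silent on the placeholder ISP resolver. On a real log, populate EXPECTED_RESOLVERS from the ISP's published resolvers or the router's DHCP lease before trusting the output.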
#2
Posted 05 July 2009 - 09:12 PM
Hi blondeme...
One of the security features of Vista is the need to right click a file to "Run as Administrator"..
This grants elevated security privileges to the program to enable it to run without problems.
Right click on MBAM and select "Run as Administrator"...
If that doesn't work, try renaming MBAM.exe..
Go to the folder C:\Program Files\MalwareBytes Anti-Malware and find the file: MBAM.exe
Right click on the file, select Rename and type in a new name.. call it cleaner.exe or something similar.. then try again.. (Don't forget the "Run as Administrator" bit)..
Please post back the MBAM log and a fresh HJT log.. or let me know if it doesn't run at all in which case we will try something else!
Thanks..
Fred..
#3
Posted 06 July 2009 - 05:45 AM
Thanks Fred... I had to change the name as you suggested but it worked!
This is the first scan.....
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 6.0.6001 Service Pack 1
6/07/2009 1:18:52 PM
mbam-log-2009-07-06 (13-18-52).txt
Scan type: Quick Scan
Objects scanned: 72507
Time elapsed: 3 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.81,85.255.112.148 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f9feab50-d29a-4a61-ba9f-8997ac759531}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.81,85.255.112.148 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.81,85.255.112.148 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f9feab50-d29a-4a61-ba9f-8997ac759531}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.81,85.255.112.148 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.81,85.255.112.148 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{f9feab50-d29a-4a61-ba9f-8997ac759531}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.81,85.255.112.148 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
I allowed it to reboot so this is the second scan....
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 6.0.6001 Service Pack 1
6/07/2009 1:57:27 PM
mbam-log-2009-07-06 (13-57-27).txt
Scan type: Full Scan (C:\|)
Objects scanned: 185107
Time elapsed: 24 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
This was a deep scan and it rebooted again.
I could not reconnect to the internet upon reboot though, but managed to work out how to get another server so I could.
Not sure if there is enough space so will follow up with a separate post now for the HijackThis log.
#4
Posted 06 July 2009 - 05:57 AM
Fresh HijackThis log....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:36 PM, on 6/07/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\explorer.exe
C:\Users\Richter\Downloads\igedit.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mywestnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - 0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - (no file)
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O13 - Gopher Prefix:
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.micro...gWebControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\USERS\RICHTER\DESKTOP\A2USB\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
--
End of file - 5982 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:36 PM, on 6/07/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\explorer.exe
C:\Users\Richter\Downloads\igedit.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mywestnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - 0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - (no file)
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O13 - Gopher Prefix:
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.micro...gWebControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\USERS\RICHTER\DESKTOP\A2USB\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
--
End of file - 5982 bytes
#5
Posted 06 July 2009 - 10:40 AM
Hi again blondeme...
Run HijackThis
Click on do a system scan only
Place a check next to these lines(if still present)
R3 - URLSearchHook: (no name) - 0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - (no file)
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Then close all windows and browsers except HijackThis and click Fix Checked
Do you recognise this file name? I can find little or no information on it:
C:\Users\Richter\Downloads\igedit.exe << possibly to do with online gaming?
If not:
Upload a File to Jotti
Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following file: C:\Users\Richter\Downloads\igedit.exe
Click Open (please be patient, as sometimes the server is busy and it can take a while).
Please let me know what the result is.
Then:
Please run the following scan:
BitDefender Online Scan
- Click I Agree to agree to the EULA.
- Allow the ActiveX control to install when prompted.
- Click Click here to scan to begin the scan.
- Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
- When the scan is finished, click on Click here to export the scan results.
- Save the report to your desktop so you can post it in your next reply.
Note: You will need to use Internet Explorer for this scan.
Finally:
Download Security Check by screen317 from here or here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Please post back:
- Jotti result
- BitDefender log
- Security Check log
Let me know how things are running now?
Thanks..
Fred..
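The five lines Fred asks to have fixed share one property: the entry's target reads "(no file)", so the registry still references a CLSID whose DLL is gone. The igedit.exe question is a second routine check, an executable running from a user-writable folder. As an added example, not part of Fred's post or of HijackThis itself, the Python script below parses HijackThis-style log lines (the sample is copied from the log above) and applies both checks. The section handling, the regexes and the list of "user-writable" folders are my own simplifications; a flagged line is a lead to verify, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\Explorer.EXE
C:\Users\Richter\Downloads\igedit.exe
R3 - URLSearchHook: (no name) - 0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\USERS\RICHTER\DESKTOP\A2USB\a2service.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
""".strip()

# "R3 - ...", "O23 - ..." item lines; everything else is header or process text.
ITEM_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
# Per-user locations any standard account can write to (Vista and XP layouts).
# This folder list is an assumption for the example, not a HijackThis rule.
USER_WRITABLE_RE = re.compile(
    r"\\(?:users|documents and settings)\\[^\\]+\\(?:downloads|desktop|appdata|local settings|temp)\\",
    re.IGNORECASE,
)


@dataclass
class Entry:
    section: str   # "R3", "O2", "O23", ... or "PROC" for a running-process line
    label: str     # everything before the target (name, CLSID, vendor, ...)
    target: str    # file path, command line, or "(no file)"
    raw: str       # the original log line


@dataclass
class Finding:
    kind: str      # "orphaned" or "user-writable"
    entry: Entry


def parse_hjt(text: str) -> List[Entry]:
    """Split a HijackThis log into entries; running-process lines get section 'PROC'."""
    entries: List[Entry] = []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ITEM_RE.match(line)
        if m is None:
            if in_processes:
                entries.append(Entry("PROC", "", line, line))
            continue
        in_processes = False
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4" and "] " in body:
            # O4 lines read "<hive>\..\Run: [<name>] <command line>"
            label, target = body.split("] ", 1)
            label += "]"
        elif " - " in body:
            # Other lines end with " - <path or (no file)>"
            label, target = body.rsplit(" - ", 1)
        else:
            label, target = body, ""
        entries.append(Entry(sec, label.strip(), target.strip(), line))
    return entries


def triage(text: str) -> List[Finding]:
    """Flag dangling registry references and code loaded from user-writable folders."""
    findings: List[Finding] = []
    for e in parse_hjt(text):
        if e.target == "(no file)":
            findings.append(Finding("orphaned", e))
        elif USER_WRITABLE_RE.search(e.target):
            findings.append(Finding("user-writable", e))
    return findings


def fix_list(text: str) -> List[str]:
    """Raw lines a helper would tick under 'Do a system scan only' -> 'Fix checked'."""
    return [f.entry.raw for f in triage(text) if f.kind == "orphaned"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:13s} {f.entry.raw}")
```

Run against the sample it prints the three "(no file)" lines as orphaned and two user-writable hits, igedit.exe in Downloads and a2service.exe on the Desktop; the Ask toolbar DLL under Program Files is not flagged by either rule, which is the point of keeping the checks narrow.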
#6
Posted 06 July 2009 - 03:25 PM
All done... and that file igedit? Sorry, that is HijackThis I downloaded the first time. I just changed the name so I could use it, as it wouldn't open. I downloaded a fresher copy to post here.
I am still having concerns with the computer, but at least I haven't seen a blue screen since last night.
No need for Jotti, so I didn't do that scan.
BitDefender results: I also forgot I had the external HDD still attached, but it looks like I'm glad I did. I had the old backups from the old Windows XP computer on that and still had not deleted everything yet.
BitDefender Online Scanner
Scan report generated at: Tue, Jul 07, 2009 - 00:20:34
Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;
Statistics
Time: 01:52:00
Files: 378151
Folders: 20832
Boot Sectors: 0
Archives: 15998
Packed Files: 15816
Results
Identified Viruses: 10
Infected Files: 14
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 14
Engines Info
Virus Definitions: 3654256
Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins: 17
Archive plugins: 45
Unpack plugins: 7
E-mail plugins: 6
System plugins: 4
Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes
Scanned File
Status
E:\$RECYCLE.BIN\S-1-5-21-3580929821-1151837395-4290193385-1000\$RCRBDEE\Astro Avenger 2 (PC) (REFLEXIVE GAMES) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\Astro Avenger 2\AstroAvenger2.exe
Infected with: Trojan.Generic.1777771
E:\$RECYCLE.BIN\S-1-5-21-3580929821-1151837395-4290193385-1000\$RCRBDEE\Astro Avenger 2 (PC) (REFLEXIVE GAMES) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\Astro Avenger 2\AstroAvenger2.exe
Deleted
E:\$RECYCLE.BIN\S-1-5-21-3580929821-1151837395-4290193385-1000\$RCRBDEE\Astro Avenger 2 (PC) (REFLEXIVE GAMES) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\Astro Avenger 2.rar=>Astro Avenger 2\AstroAvenger2.exe
Infected with: Trojan.Generic.1777771
E:\$RECYCLE.BIN\S-1-5-21-3580929821-1151837395-4290193385-1000\$RCRBDEE\Astro Avenger 2 (PC) (REFLEXIVE GAMES) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\Astro Avenger 2.rar=>Astro Avenger 2\AstroAvenger2.exe
Deleted
E:\$RECYCLE.BIN\S-1-5-21-3580929821-1151837395-4290193385-1000\$RCRBDEE\Astro Avenger 2 (PC) (REFLEXIVE GAMES) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\Astro Avenger 2.rar
Update failed
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\ACT All-In-One Suite 2006\keygen.exe
Infected with: Trojan.Generic.552834
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\ACT All-In-One Suite 2006\keygen.exe
Deleted
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\Real.Spy.Monitor.v2.39.Incl.Keygen-HERETiC\NewSpy.exe=>(Instyler o)=>(Instyler Module 0)
Infected with: Trojan.Generic.216296
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\Real.Spy.Monitor.v2.39.Incl.Keygen-HERETiC\NewSpy.exe=>(Instyler o)=>(Instyler Module 0)
Deleted
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\Real.Spy.Monitor.v2.39.Incl.Keygen-HERETiC\NewSpy.exe=>(Instyler o)
Update failed
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\Real.Spy.Monitor.v2.39.Incl.Keygen-HERETiC\NewSpy.exe=>(Instyler o)=>(Instyler Module 8)
Detected with: Application.RealSpy.B
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\Real.Spy.Monitor.v2.39.Incl.Keygen-HERETiC\NewSpy.exe=>(Instyler o)=>(Instyler Module 8)
Disinfection failed
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\Real.Spy.Monitor.v2.39.Incl.Keygen-HERETiC\NewSpy.exe=>(Instyler o)=>(Instyler Module 8)
Deleted
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\Real.Spy.Monitor.v2.39.Incl.Keygen-HERETiC\NewSpy.exe=>(Instyler o)
Update failed
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\Real.Spy.Monitor.v2.39.Incl.Keygen-HERETiC\NewSpy.exe=>(Instyler o)=>(Instyler Module 15)
Infected with: Trojan.Generic.1419635
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\Real.Spy.Monitor.v2.39.Incl.Keygen-HERETiC\NewSpy.exe=>(Instyler o)=>(Instyler Module 15)
Deleted
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\Real.Spy.Monitor.v2.39.Incl.Keygen-HERETiC\NewSpy.exe=>(Instyler o)
Update failed
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\Spector eBlaster v5.0.1082\keygen.exe
Infected with: Trojan.Packed.5620
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\Spector eBlaster v5.0.1082\keygen.exe
Deleted
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\SpectorPro v5.0.1141\Spector Pro 5.0\sp50setup.exe
Infected with: Trojan.Generic.1888031
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\First Aid Kit - Parental Control 13in1 (AIO)\prg\AutoPlay\Docs\SpectorPro v5.0.1141\Spector Pro 5.0\sp50setup.exe
Deleted
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\specpro6\Spector Pro v6 0 1201 pro v.rar=>Spector Pro v6 0 1201\Setup.exe
Infected with: Trojan.Generic.161629
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\specpro6\Spector Pro v6 0 1201 pro v.rar=>Spector Pro v6 0 1201\Setup.exe
Deleted
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\specpro6\Spector Pro v6 0 1201 pro v.rar
Update failed
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\spector\Spector Pro 6 Build 1201 + Serial\sp60setup.exe=>(CAB Sfx r)=>file.exe
Infected with: Trojan.Generic.1941811
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\spector\Spector Pro 6 Build 1201 + Serial\sp60setup.exe=>(CAB Sfx r)=>file.exe
Deleted
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\spector\Spector Pro 6 Build 1201 + Serial\sp60setup.exe=>(CAB Sfx r)
Update failed
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\spector\Spector Pro 6 Build 1201 + Serial\sp60setup.exe=>(IExpress 0)=>file.exe
Infected with: Trojan.Generic.1941811
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\spector\Spector Pro 6 Build 1201 + Serial\sp60setup.exe=>(IExpress 0)=>file.exe
Deleted
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\spector\Spector Pro 6 Build 1201 + Serial\sp60setup.exe=>(IExpress 0)
Update failed
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\Spector Pro 6 Build 1201 + Serial.zip=>Spector Pro 6 Build 1201 + Serial/sp60setup.exe=>(CAB Sfx r)=>file.exe
Infected with: Trojan.Generic.1941811
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\Spector Pro 6 Build 1201 + Serial.zip=>Spector Pro 6 Build 1201 + Serial/sp60setup.exe=>(CAB Sfx r)=>file.exe
Deleted
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\Spector Pro 6 Build 1201 + Serial.zip=>Spector Pro 6 Build 1201 + Serial/sp60setup.exe=>(CAB Sfx r)
Update failed
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\Spector Pro 6 Build 1201 + Serial.zip=>Spector Pro 6 Build 1201 + Serial/sp60setup.exe=>(IExpress 0)=>file.exe
Infected with: Trojan.Generic.1941811
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\Spector Pro 6 Build 1201 + Serial.zip=>Spector Pro 6 Build 1201 + Serial/sp60setup.exe=>(IExpress 0)=>file.exe
Deleted
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\Spector Pro 6 Build 1201 + Serial.zip=>Spector Pro 6 Build 1201 + Serial/sp60setup.exe=>(IExpress 0)
Update failed
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\The.Master.Genealogist.v6.09.000.WinALL.Cracked-NGEN\tmg6setup.exe=>wise0246
Infected with: Gen:Trojan.Heur.4201FE7B3A
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\The.Master.Genealogist.v6.09.000.WinALL.Cracked-NGEN\tmg6setup.exe=>wise0246
Disinfection failed
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\The.Master.Genealogist.v6.09.000.WinALL.Cracked-NGEN\tmg6setup.exe=>wise0246
Deleted
E:\Maxtor backup\MANDY-33A408689\C\Documents and Settings\Mandy\My Documents\My Programs\The.Master.Genealogist.v6.09.000.WinALL.Cracked-NGEN\tmg6setup.exe
Update failed
Next are the Security Check results:
Results of screen317's Security Check version 0.98.4
Windows Vista Service Pack 1
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````
Windows Firewall Enabled!
ECHO is off.
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````
Ad-Aware
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner (remove only)
Java 6 Update 13
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
Windows Defender MSASCui.exe
Windows Defender MsMpEng.exe is disabled!
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Spybot SDHelper is disabled!
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````
Request Timed Out (Check Internet connection?)
Scan took 7 seconds.
`````````End of Log```````````
I also want to add I had those things disabled to do the tests, although I still cannot get Spybot S&D to open or work, but I did see the TeaTimer in the systray (next to the clock) at one point. Ad-Aware is still the only one that works of those I had downloaded. And AVG Free, I wanted to download it, but I couldn't even get to its site to do that one. And the external HDD doesn't look good either...
Thanks Fred
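In the BitDefender report above, most hits sit inside archives or installer stubs (the "=>" chains), and after each nested "Deleted" the container line reads "Update failed". I read that as the scanner being unable to rewrite the outer .rar, .zip or setup .exe, so the original file is still on the external drive with its contents intact; treat that reading as an assumption and confirm it against the product's documentation. As an added example, not part of the post or of BitDefender, this Python script pairs each scanned-object line with its status line, rolls nested members up to the file that is actually on disk, and lists the containers that still need deleting by hand. The sample is a subset of the report above with the long backup folder names shortened.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of the BitDefender report posted above, with the
# long backup folder names shortened. Each scanned object is one line, followed
# by one status line, exactly as the report lays them out.
BASE = r"E:\Maxtor backup\My Programs"
SAMPLE_REPORT = "\n".join([
    r"E:\Recycled\Astro Avenger 2\AstroAvenger2.exe",
    "Infected with: Trojan.Generic.1777771",
    r"E:\Recycled\Astro Avenger 2\AstroAvenger2.exe",
    "Deleted",
    r"E:\Recycled\Astro Avenger 2.rar=>Astro Avenger 2\AstroAvenger2.exe",
    "Infected with: Trojan.Generic.1777771",
    r"E:\Recycled\Astro Avenger 2.rar=>Astro Avenger 2\AstroAvenger2.exe",
    "Deleted",
    r"E:\Recycled\Astro Avenger 2.rar",
    "Update failed",
    BASE + r"\spector\sp60setup.exe=>(CAB Sfx r)=>file.exe",
    "Infected with: Trojan.Generic.1941811",
    BASE + r"\spector\sp60setup.exe=>(CAB Sfx r)=>file.exe",
    "Deleted",
    BASE + r"\spector\sp60setup.exe=>(CAB Sfx r)",
    "Update failed",
    BASE + r"\TMG\tmg6setup.exe=>wise0246",
    "Infected with: Gen:Trojan.Heur.4201FE7B3A",
    BASE + r"\TMG\tmg6setup.exe=>wise0246",
    "Disinfection failed",
    BASE + r"\TMG\tmg6setup.exe=>wise0246",
    "Deleted",
    BASE + r"\TMG\tmg6setup.exe",
    "Update failed",
])

# Status lines seen in the report: a verdict ("Infected/Detected with: <name>")
# or an action result. Any other line is taken to be a scanned-object path.
STATUS_RE = re.compile(
    r"^(?:(?:Infected|Detected) with: (?P<name>.+)"
    r"|(?P<action>Deleted|Disinfected|Disinfection failed|Update failed|Delete failed))$"
)


@dataclass
class Container:
    path: str                                   # outermost file on disk
    detections: Set[str] = field(default_factory=set)
    deleted: int = 0                            # members (or the file itself) deleted
    disinfection_failed: bool = False
    update_failed: bool = False                 # container could not be rewritten


def parse_report(text: str) -> List[Tuple[str, str]]:
    """Pair each scanned-object line with the status line that follows it."""
    records: List[Tuple[str, str]] = []
    pending = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if STATUS_RE.match(line):
            if pending is not None:
                records.append((pending, line))
                pending = None
        else:
            pending = line
    return records


def summarize(text: str) -> Dict[str, Container]:
    """Roll nested '=>' members up to the file that actually sits on disk."""
    out: Dict[str, Container] = {}
    for path, status in parse_report(text):
        outer = path.split("=>", 1)[0]
        c = out.setdefault(outer, Container(outer))
        m = STATUS_RE.match(status)
        if m.group("name"):
            c.detections.add(m.group("name"))
        elif m.group("action") == "Deleted":
            c.deleted += 1
        elif m.group("action") == "Disinfection failed":
            c.disinfection_failed = True
        elif m.group("action") == "Update failed":
            c.update_failed = True
    return out


def still_on_disk(text: str) -> List[str]:
    """Containers whose rewrite failed after a member deletion (assumed reading of
    'Update failed'): the original archive or installer is still present."""
    return [c.path for c in summarize(text).values() if c.update_failed]


if __name__ == "__main__":
    for c in summarize(SAMPLE_REPORT).values():
        flag = "STILL ON DISK" if c.update_failed else "cleaned"
        print(f"{flag:14s} {c.path}  {sorted(c.detections)}")
```

Save the full report as a text file and pass its contents to summarize() to get one entry per on-disk file; in the sample, only the loose AstroAvenger2.exe comes back as cleaned, while the .rar and the two setup executables are listed as still on disk.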
#7
Posted 07 July 2009 - 12:01 AM
Hi blondeme..
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
#8
Posted 07 July 2009 - 04:55 AM
I had to rename ComboFix as I could not open it. I named it icleanup.
I think the Microsoft Windows Recovery Console must have been installed already, as I did not get any popup to tell me otherwise.
Here's the log:
ComboFix 09-07-06.02 - Richter 07/07/2009 14:07.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2046.1080 [GMT 9.5:30]
Running from: c:\users\Richter\Desktop\acleanup.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Richter\AppData\Roaming\inst.exe
c:\windows\system32\drivers\MSIVXvdepoevxrionytemwbtrxvmbfwswvwic.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXnauxxppcfsymvfasnpbwgsdjiciprtqi.dll
c:\windows\system32\MSIVXurnpxscnqipfqfbmqujdtbbtbybqerhj.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_MSIVXserv.sys
((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.
2009-07-07 04:42 . 2009-07-07 04:42 -------- d-----w- c:\users\Richter\AppData\Local\temp
2009-07-06 12:39 . 2009-07-06 15:03 -------- d-----w- c:\windows\BDOSCAN8
2009-07-06 03:44 . 2009-07-06 03:44 -------- d-----w- c:\users\Richter\AppData\Roaming\Malwarebytes
2009-07-04 10:43 . 2009-07-04 11:57 -------- d-----w- c:\users\Richter\.housecall6.6
2009-07-04 08:03 . 2008-06-19 07:54 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-07-04 08:02 . 2009-07-04 08:02 -------- d-----w- c:\program files\Panda Security
2009-07-04 07:18 . 2009-06-17 01:57 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-04 07:17 . 2009-07-06 03:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-04 07:17 . 2009-07-04 07:17 -------- d-----w- c:\programdata\Malwarebytes
2009-07-04 07:17 . 2009-06-17 01:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-03 14:26 . 2009-07-06 09:34 -------- d-----w- c:\users\Richter\AppData\Roaming\The Master Genealogist v7
2009-07-03 14:26 . 2009-07-03 14:26 -------- d-----w- c:\programdata\The Master Genealogist v7
2009-07-03 14:01 . 2009-07-03 14:01 -------- d-----w- c:\program files\MagicISO
2009-07-03 12:23 . 2009-07-04 11:24 -------- d-----w- c:\users\Richter\AppData\Roaming\Vso
2009-07-03 12:23 . 2009-07-03 12:23 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-07-03 12:23 . 2009-07-03 12:23 47360 ----a-w- c:\users\Richter\AppData\Roaming\pcouffin.sys
2009-07-03 12:23 . 2007-03-18 12:07 65602 ----a-w- c:\windows\system32\cook3260.dll
2009-07-03 12:23 . 2006-09-29 03:56 176165 ----a-w- c:\windows\system32\drv23260.dll
2009-07-03 12:23 . 2006-09-29 03:55 208935 ----a-w- c:\windows\system32\drv33260.dll
2009-07-03 12:23 . 2006-09-29 03:54 217127 ----a-w- c:\windows\system32\drv43260.dll
2009-07-03 12:23 . 2006-05-20 07:46 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2009-07-03 12:23 . 2006-05-11 10:51 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2009-07-03 12:23 . 2002-12-09 17:50 102439 ----a-w- c:\windows\system32\sipr3260.dll
2009-07-03 12:23 . 2009-07-03 12:23 -------- d-----w- c:\program files\VSO
2009-07-02 07:21 . 2009-07-02 07:21 -------- d-----w- c:\users\Richter\AppData\Roaming\Media Player Classic
2009-07-02 07:20 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll
2009-07-02 07:20 . 2009-07-02 07:21 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-07-01 12:19 . 2009-07-06 09:32 -------- d-----w- c:\users\Richter\Tracing
2009-07-01 12:18 . 2006-11-29 03:36 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-07-01 12:16 . 2009-07-01 12:16 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-07-01 12:14 . 2009-07-01 12:14 -------- d-----w- c:\program files\Microsoft
2009-07-01 12:14 . 2009-07-01 12:14 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-01 12:14 . 2009-07-01 12:18 -------- d-----w- c:\program files\Windows Live
2009-07-01 12:14 . 2009-07-01 12:14 -------- d-----w- c:\windows\PCHEALTH
2009-07-01 12:12 . 2009-07-01 12:12 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-30 15:19 . 2009-07-04 07:01 -------- d-----w- c:\programdata\avg8
2009-06-30 15:14 . 2009-07-06 12:15 -------- d-----w- C:\etax2009
2009-06-30 08:33 . 2009-06-26 15:22 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-30 07:01 . 2009-06-30 07:01 -------- d-----w- c:\users\Richter\AppData\Local\Cooliris
2009-06-30 07:01 . 2009-04-17 07:28 954368 ----a-w- c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-06-30 07:01 . 2009-04-17 07:28 344064 ----a-w- c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-06-30 07:01 . 2009-04-17 07:28 103424 ----a-w- c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-06-30 07:01 . 2009-04-17 07:28 71652 ----a-w- c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\extensions\piclens@cooliris.com\libs\avutil-49.dll
2009-06-30 07:01 . 2009-04-17 07:28 65536 ----a-w- c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-06-30 07:01 . 2009-04-17 07:28 4579328 ----a-w- c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\extensions\piclens@cooliris.com\libs\cooliris18.dll
2009-06-30 07:01 . 2009-04-17 07:28 4534272 ----a-w- c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-06-30 07:01 . 2009-04-17 07:28 131868 ----a-w- c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\extensions\piclens@cooliris.com\libs\avformat-52.dll
2009-06-30 07:01 . 2009-04-17 07:28 1161626 ----a-w- c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\extensions\piclens@cooliris.com\libs\avcodec-51.dll
2009-06-29 17:33 . 2009-06-29 17:33 -------- d-----w- c:\users\Richter\AppData\Local\ElevatedDiagnostics
2009-06-29 17:30 . 2009-06-29 17:30 -------- d-----w- c:\program files\Microsoft ATS
2009-06-28 15:25 . 2009-06-26 15:13 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-28 15:25 . 2009-07-03 15:24 84832 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-28 06:34 . 2009-06-28 06:35 -------- d-----w- c:\program files\Unlocker
2009-06-28 06:21 . 2009-06-28 06:21 -------- d-----w- c:\program files\AskBarDis
2009-06-28 06:09 . 2009-06-28 06:09 -------- d-----w- c:\users\Richter\AppData\Roaming\Foxit
2009-06-28 06:09 . 2009-06-28 06:09 -------- d-----w- c:\program files\Foxit Software
2009-06-28 05:45 . 2009-07-04 18:42 1 ----a-w- c:\users\Richter\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-28 05:44 . 2009-06-28 05:44 -------- d-----w- c:\users\Richter\AppData\Roaming\OpenOffice.org
2009-06-27 08:26 . 2009-06-27 08:26 -------- d-----w- c:\program files\PFPortChecker
2009-06-27 01:35 . 2009-06-27 01:35 529224 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-06-26 18:05 . 2009-05-09 05:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-06-26 18:05 . 2009-05-09 05:50 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 17:37 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-06-26 17:37 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-06-26 17:37 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-06-26 17:37 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-06-26 17:37 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-06-26 17:37 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-06-26 17:37 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-06-26 17:31 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-06-26 17:31 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-06-26 17:31 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-06-26 17:31 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-06-26 17:31 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-06-26 16:35 . 2008-05-26 10:30 230912 ----a-w- c:\windows\system32\CNMLM9E.DLL
2009-06-26 15:23 . 2009-07-03 15:24 314712 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-26 15:22 . 2009-07-03 15:24 25440 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-26 15:22 . 2009-06-26 15:22 15688 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-26 15:22 . 2009-07-03 15:24 169312 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-26 15:22 . 2009-07-03 15:24 348496 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-26 15:21 . 2009-07-03 15:24 298336 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-26 15:15 . 2009-07-03 15:24 1630560 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-26 15:14 . 2009-07-03 15:24 246128 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-26 15:13 . 2009-07-03 15:24 40288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-26 15:13 . 2009-06-26 15:13 64160 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-26 15:12 . 2009-07-03 15:24 85352 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-26 15:12 . 2009-07-03 15:24 664424 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-26 15:11 . 2009-07-03 15:24 563064 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-26 15:11 . 2009-07-03 15:23 566632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-26 15:10 . 2009-07-03 15:23 2352968 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-26 15:09 . 2009-07-03 15:23 629072 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-26 15:08 . 2009-07-03 15:23 520024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-26 15:08 . 2009-07-03 15:23 1029456 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-26 13:59 . 2009-06-26 13:59 -------- dc-h--w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-26 13:59 . 2009-03-12 08:17 2902048 -c--a-w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-26 13:59 . 2009-06-26 15:23 -------- d-----w- c:\programdata\Lavasoft
2009-06-26 13:59 . 2009-06-26 13:59 -------- d-----w- c:\program files\Lavasoft
2009-06-26 13:57 . 2009-06-26 13:57 -------- d-----w- c:\program files\CCleaner
2009-06-26 13:56 . 2009-06-30 08:56 -------- d-----w- c:\users\Richter\AppData\Local\Apple Computer
2009-06-26 13:56 . 2009-06-26 13:56 -------- d-----w- c:\users\Richter\AppData\Roaming\Apple Computer
2009-06-26 13:56 . 2009-06-28 15:25 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-26 13:56 . 2009-03-19 07:02 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-26 13:56 . 2008-04-17 02:42 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-26 13:55 . 2009-06-26 13:55 -------- d-----w- c:\program files\iPod
2009-06-26 13:55 . 2009-06-26 13:56 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-26 13:55 . 2009-06-26 13:56 -------- d-----w- c:\program files\iTunes
2009-06-26 13:54 . 2009-06-26 13:54 -------- d-----w- c:\program files\Bonjour
2009-06-26 13:53 . 2009-06-26 13:54 -------- d-----w- c:\program files\QuickTime
2009-06-26 13:53 . 2009-06-26 13:55 -------- d-----w- c:\programdata\Apple Computer
2009-06-26 13:53 . 2009-06-26 13:53 -------- d-----w- c:\users\Richter\AppData\Local\Apple
2009-06-26 13:53 . 2009-06-26 13:53 -------- d-----w- c:\program files\Apple Software Update
2009-06-26 13:49 . 2009-06-26 13:55 -------- d-----w- c:\program files\Common Files\Apple
2009-06-26 13:49 . 2009-06-26 13:49 -------- d-----w- c:\programdata\Apple
2009-06-26 13:45 . 2009-06-26 13:45 -------- d-----w- c:\program files\JRE
2009-06-26 13:44 . 2009-06-26 13:45 -------- d-----w- c:\program files\OpenOffice.org 3
2009-06-26 13:42 . 2009-06-26 13:42 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-26 13:42 . 2009-06-26 13:42 -------- d-----w- c:\program files\Java
2009-06-26 13:13 . 2009-06-26 13:13 -------- d-----w- c:\program files\Paint.NET
2009-06-26 13:10 . 2009-07-03 14:06 -------- d-----w- c:\users\Richter\AppData\Local\Paint.NET
2009-06-26 13:10 . 2009-06-26 13:10 -------- d-----w- c:\users\Richter\AppData\Roaming\ImgBurn
2009-06-26 13:09 . 2009-06-26 13:10 -------- d-----w- c:\program files\ImgBurn
2009-06-26 12:30 . 2009-07-06 04:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-26 12:30 . 2009-07-05 09:52 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-26 04:16 . 2009-06-26 04:16 -------- d-----w- c:\users\Richter\AppData\Local\Thunderbird
2009-06-26 04:16 . 2009-06-26 04:16 -------- d-----w- c:\users\Richter\AppData\Roaming\Thunderbird
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 14:15 . 2009-06-24 01:58 53952 ----a-w- c:\users\Richter\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-03 14:11 . 2009-07-03 14:10 -------- d-----w- c:\program files\The Master Genealogist v7
2009-06-26 16:36 . 2009-06-26 16:36 -------- d--h--w- c:\programdata\CanonBJ
2009-06-25 15:39 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-25 15:39 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-24 03:32 . 2009-06-24 01:58 680 ----a-w- c:\users\Richter\AppData\Local\d3d9caps.dat
2009-06-24 02:15 . 2009-06-24 02:06 -------- d-----w- c:\program files\Realtek
2009-06-24 02:15 . 2009-06-24 02:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 02:06 . 2009-06-24 02:06 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-06-24 02:06 . 2009-06-24 02:06 319488 ----a-w- c:\windows\HideWin.exe
2009-06-24 02:06 . 2009-06-24 02:06 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-24 02:06 . 2009-06-24 02:06 -------- d-----w- c:\program files\Browser Configuration Utility
2009-06-24 00:58 . 2009-06-24 00:58 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-06-05 04:27 . 2009-06-05 04:27 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-04-23 12:42 . 2009-06-24 04:10 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-24 04:11 2033152 ----a-w- c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-11 13531680]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-11 92704]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-26 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-03 520024]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-08-27 6281760]
c:\users\Richter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C1D9013E-BAD5-4AAE-A2B0-412D999947F5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{D0891739-CBF7-4740-B4EC-E6C778E8C3BB}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{4D2EB84F-0FF7-4192-81EE-E06AC40C65C9}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2E314ABF-4D96-4AED-B4A2-CBDD4DCADA62}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{380E51E5-BC0A-4844-9FCD-29C49D5B2A05}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3F30F9F4-E3AD-44AD-8AD4-FAF6444AC000}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{F76B68CA-19E8-4937-B94A-E2A80952E36D}c:\\program files\\pfportchecker\\pfportchecker.exe"= UDP:c:\program files\pfportchecker\pfportchecker.exe:PFPortchecker by portforward.com helps check if your ports are properly forwarded.
"UDP Query User{F9CD29F8-51DB-41AB-9905-9FEA9419D4EC}c:\\program files\\pfportchecker\\pfportchecker.exe"= TCP:c:\program files\pfportchecker\pfportchecker.exe:PFPortchecker by portforward.com helps check if your ports are properly forwarded.
"{B22BF15C-9DD3-4CB6-99DD-B7EA727790BB}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{74E0EE5F-6BC1-4545-A266-14587624FBDF}"= UDP:52635:Utorrent
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [29/06/2009 12:55 AM 64160]
R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [4/07/2009 5:33 PM 28544]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [26/06/2009 10:00 PM 1153368]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [10/03/2009 4:36 AM 1029456]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-07-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mywestnet.com.au/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.mywestnet.com.au/
FF - component: c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 14:12
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-07-07 14:13
ComboFix-quarantined-files.txt 2009-07-07 04:43
Pre-Run: 810,457,006,080 bytes free
Post-Run: 812,733,022,208 bytes free
248 --- E O F --- 2009-07-03 05:57
2009-06-26 13:55 . 2009-06-26 13:55 -------- d-----w- c:\program files\iPod
2009-06-26 13:55 . 2009-06-26 13:56 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-26 13:55 . 2009-06-26 13:56 -------- d-----w- c:\program files\iTunes
2009-06-26 13:54 . 2009-06-26 13:54 -------- d-----w- c:\program files\Bonjour
2009-06-26 13:53 . 2009-06-26 13:54 -------- d-----w- c:\program files\QuickTime
2009-06-26 13:53 . 2009-06-26 13:55 -------- d-----w- c:\programdata\Apple Computer
2009-06-26 13:53 . 2009-06-26 13:53 -------- d-----w- c:\users\Richter\AppData\Local\Apple
2009-06-26 13:53 . 2009-06-26 13:53 -------- d-----w- c:\program files\Apple Software Update
2009-06-26 13:49 . 2009-06-26 13:55 -------- d-----w- c:\program files\Common Files\Apple
2009-06-26 13:49 . 2009-06-26 13:49 -------- d-----w- c:\programdata\Apple
2009-06-26 13:45 . 2009-06-26 13:45 -------- d-----w- c:\program files\JRE
2009-06-26 13:44 . 2009-06-26 13:45 -------- d-----w- c:\program files\OpenOffice.org 3
2009-06-26 13:42 . 2009-06-26 13:42 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-26 13:42 . 2009-06-26 13:42 -------- d-----w- c:\program files\Java
2009-06-26 13:13 . 2009-06-26 13:13 -------- d-----w- c:\program files\Paint.NET
2009-06-26 13:10 . 2009-07-03 14:06 -------- d-----w- c:\users\Richter\AppData\Local\Paint.NET
2009-06-26 13:10 . 2009-06-26 13:10 -------- d-----w- c:\users\Richter\AppData\Roaming\ImgBurn
2009-06-26 13:09 . 2009-06-26 13:10 -------- d-----w- c:\program files\ImgBurn
2009-06-26 12:30 . 2009-07-06 04:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-26 12:30 . 2009-07-05 09:52 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-26 04:16 . 2009-06-26 04:16 -------- d-----w- c:\users\Richter\AppData\Local\Thunderbird
2009-06-26 04:16 . 2009-06-26 04:16 -------- d-----w- c:\users\Richter\AppData\Roaming\Thunderbird
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-11 13531680]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-11 92704]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-26 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-03 520024]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-08-27 6281760]
c:\users\Richter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C1D9013E-BAD5-4AAE-A2B0-412D999947F5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{D0891739-CBF7-4740-B4EC-E6C778E8C3BB}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{4D2EB84F-0FF7-4192-81EE-E06AC40C65C9}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2E314ABF-4D96-4AED-B4A2-CBDD4DCADA62}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{380E51E5-BC0A-4844-9FCD-29C49D5B2A05}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3F30F9F4-E3AD-44AD-8AD4-FAF6444AC000}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{F76B68CA-19E8-4937-B94A-E2A80952E36D}c:\\program files\\pfportchecker\\pfportchecker.exe"= UDP:c:\program files\pfportchecker\pfportchecker.exe:PFPortchecker by portforward.com helps check if your ports are properly forwarded.
"UDP Query User{F9CD29F8-51DB-41AB-9905-9FEA9419D4EC}c:\\program files\\pfportchecker\\pfportchecker.exe"= TCP:c:\program files\pfportchecker\pfportchecker.exe:PFPortchecker by portforward.com helps check if your ports are properly forwarded.
"{B22BF15C-9DD3-4CB6-99DD-B7EA727790BB}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{74E0EE5F-6BC1-4545-A266-14587624FBDF}"= UDP:52635:Utorrent
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [29/06/2009 12:55 AM 64160]
R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [4/07/2009 5:33 PM 28544]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [26/06/2009 10:00 PM 1153368]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [10/03/2009 4:36 AM 1029456]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-07-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mywestnet.com.au/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.mywestnet.com.au/
FF - component: c:\users\Richter\AppData\Roaming\Mozilla\Firefox\Profiles\kmvfdlx5.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 14:12
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-07-07 14:13
ComboFix-quarantined-files.txt 2009-07-07 04:43
Pre-Run: 810,457,006,080 bytes free
Post-Run: 812,733,022,208 bytes free
248 --- E O F --- 2009-07-03 05:57
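The 'Reg Loading Points' block in the log above is REGEDIT4-style text that a helper reads by hand. As an added example (not part of the post and not ComboFix's own code), here is a small Python parser that turns those lines into records and pulls out the Run-key autostarts and the Security Center override; the sample input is constructed from a few of the log's own lines, and the class and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines copied from the log's Reg Loading Points block.
SAMPLE_LOG = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-08-27 6281760]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"""

@dataclass
class Entry:
    key: str                     # registry key the value lives under
    name: str                    # value name, e.g. "Sidebar"
    value: str                   # resolved file path, or raw data for non-file values
    date: Optional[str] = None   # file timestamp ComboFix prints inside [ ]
    size: Optional[int] = None   # file size in bytes from the same [ ]

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
TRAIL_RE = re.compile(r'^(?P<body>.*?)\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')

def parse_loading_points(text: str) -> List[Entry]:
    """Turn the REGEDIT4-style block into Entry records (hypothetical helper)."""
    entries: List[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]            # start of a new registry key section
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue                    # REGEDIT4 banner, blank lines, etc.
        rest, date, size = m.group('rest'), None, None
        t = TRAIL_RE.match(rest)
        if t:
            rest, date, size = t.group('body'), t.group('date'), int(t.group('size'))
        # ComboFix writes '"short.exe" - c:\full\path.exe' when the Run data is not a full path
        if ' - ' in rest:
            rest = rest.split(' - ', 1)[1]
        entries.append(Entry(key, m.group('name'), rest.strip('"'), date, size))
    return entries

def autostart_paths(entries: List[Entry]) -> List[str]:
    """Programs launched from the HKCU/HKLM Run keys under CurrentVersion."""
    return [e.value for e in entries if e.key.lower().endswith(r'currentversion\run')]

def security_center_overrides(entries: List[Entry]) -> List[str]:
    """Security Center values set to 1; AntiVirusOverride=1 silences the 'no antivirus' warning."""
    return [e.name for e in entries
            if e.key.lower().endswith(r'security center\svc') and e.value.lower() == 'dword:00000001']

if __name__ == '__main__':
    found = parse_loading_points(SAMPLE_LOG)
    print(autostart_paths(found))
    print(security_center_overrides(found))
```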
#9
Posted 07 July 2009 - 11:49 PM
Hi blondeme..
That log is looking pretty good to me..
As for the external HDD, it appears to be full of cracks and keygens which are infected!
That is probably the source of this infection, I suggest you salvage anything you absolutely need.. i.e. photos or similar stuff then reformat it.
Do not try to save any .exe files or programs from there as you will probably re-infect the computer if you do!
What issues / symptoms are you still experiencing if any??
Thanks..
Fred...
#10
Posted 14 July 2009 - 05:11 AM
G'day again Fred,
I thought i would give myself a couple of days to see if there are still issues or not before replying...
Everything looks back to normal i think.
Apart from that external HDD - which i have not plugged in as yet - been too scared to!
Nothing much to salvage from that except to check if i have all the family history stuff - i may not have all of those yet.
Thanks Fred and have a great day!
blondeme
#11
Posted 14 July 2009 - 10:42 AM
Hi blondeme..
1:
Please go to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u; it needs to be there.
The above procedure will delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:\_OtMoveIt folder, if present
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
2:
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
- Download the latest version of Java Runtime Environment (JRE) 6 Update 14 and save it to your desktop.
- Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14...allows end-users to run Java applications".
- Click the "Download" button to the right.
- On the pulldown-menu, choose Windows as your platform.
- Check "I agree to the Java SE Runtime Environment 6 License Agreement".
- Click Continue.
- Click on the link under Windows Offline Installation to download the file and save it to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
- Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. They should have the Java icon next to them.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Go into the Control Panel and double-click the Java Icon.
- Under Temporary Internet Files, click the Settings button.
- Then click Delete Files...
- There are two options in the window to clear the cache - leave BOTH checked:
  - Applications and Applets
  - Trace and Log Files
- Click OK on the Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Java Control Panel.
3:
http://www.update.microsoft.com
Note: SP2 is out for Vista, you are still using SP1 which is out of date.
Fred...