freezes during virus scan
#1
angelbear (Member, 22 posts)
Hello,
I have Windows Vista and Avira anti-virus.
When I run Avira, about 2/3 of the way through it freezes.
The mouse does not work, and CTRL/ALT/DEL doesn't either.
The only way to get it working again is to hold the power button down until the system shuts down and then restart it.
I've tried reinstalling Avira and the same thing happens.
I've run Spybot and it found 80+ issues.
Rescanned for viruses and it still freezes.
Computer is running very slow.

I'm new to this site and not very computer literate.
Any advice would be appreciated.

Edited by angelbear, 10 October 2009 - 06:40 AM.


#2
Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Hello and welcome to Geeks to Go! I'm Dave and I'll be helping you out. Let's get started:

Please go to the GMER Rootkit Scanner Download Site.
  • Click on the Download EXE button.
  • The file you are downloading will have a random name in order to circumvent the attempts of malware to block it from running.
  • Take note of the name of the file (please don't change it), and then save it directly to your desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click on the file you downloaded (Vista users please right-click it and select Run as Administrator). The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure that the "Show all" box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity, don't worry.
  • Click Ok.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it to a location where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Then:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to cf.com. This name is important and must be exactly as I have given it to you here, including the .com file extension. After changing the name, click on the drop down menu for the box labeled Save as type: and change it to All files. Once you made these changes, save the file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program, look here for instructions. Installing the recovery console if you're running an XP machine is another critical step. Although these preliminary steps may seem unnecessary, by following the directions in that guide closely you give ComboFix the best possible chance at a successful run and minimize the likelihood of having serious problems occur after an attempted removal of malware.

Once the program has finished running, its log should pop up automatically, or if for some reason you lose it, it can be found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Cheers,
Dave

#3
angelbear (Topic Starter)
Thanks so much for your reply. I have been running the GMER rootkit since yesterday afternoon. It still isn't finished yet. I thought the computer had frozen up again but the file names are still changing at the bottom, very slowly. The mouse is very laggy and skips when i try to use it. Should I be doing something else or just let it run?

#4
Transience
Can you tell what it's scanning that is taking it so long? If so, try running it again without that section checked when selecting what to scan; there's no reason it should take so long to scan.

If GMER continues to give you problems skip it for the time being and go ahead with running ComboFix.

Cheers,
Dave

#5
angelbear (Topic Starter)
Hi Dave

The program finally finished. I copied to my desktop but now my computer is even slower than ever. It is doing things I've never seen before, telling me my security options are wrong or something. Anyway, I've just shut it down and restarted and hopefully I can get to the file to copy it to you. I will try running the Combo Fix next if the computer reboots ok.
Thanks!
Kelly

#6
angelbear (Topic Starter)
Here is the result of the ComboFix scan that ran:

I've never done this before. It says "upload failed. you are not permitted to upload this type of file."

What did I do wrong?

Kelly :)

#7
angelbear (Topic Starter)
It won't allow me to upload the rootkit file either.

(sigh) :)

#8
Transience
Don't upload the logs as attachments to your posts, just copy and paste the logs into your replies for me :)

#9
angelbear (Topic Starter)
OK, let me try that...


GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-12 10:07:31
Windows 6.0.6001 Service Pack 1
Running: uhpkevjv.exe; Driver: C:\Users\Kelly\AppData\Local\Temp\kxldypog.sys


---- System - GMER 1.0.15 ----

SSDT 8AF616B4 ZwCreateThread
SSDT 8AF616A0 ZwOpenProcess
SSDT 8AF616A5 ZwOpenThread
SSDT 8AF616AF ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInsertQueue + 411 81C7CA08 4 Bytes [B4, 16, F6, 8A]
.text ntoskrnl.exe!KeInsertQueue + 5E1 81C7CBD8 4 Bytes [A0, 16, F6, 8A]
.text ntoskrnl.exe!KeInsertQueue + 5FD 81C7CBF4 4 Bytes [A5, 16, F6, 8A]
.text ntoskrnl.exe!KeInsertQueue + 811 81C7CE08 4 Bytes [AF, 16, F6, 8A]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS.0\$NtUninstallKB896423$\spuninst\spuninst.exe 0 bytes
File C:\WINDOWS.0\$NtUninstallKB896423$\spuninst\spuninst.inf 0 bytes
File C:\WINDOWS.0\$NtUninstallKB896423$\spuninst\spuninst.txt 0 bytes
File C:\WINDOWS.0\$NtUninstallKB896423$\spuninst\updspapi.dll 0 bytes

---- EOF - GMER 1.0.15 ----
and here is the ComboFix

ComboFix 09-10-11.03 - Kelly 12/10/2009 10:35.1.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.2.1033.18.479.160 [GMT -4:00]
Running from: c:\users\Kelly\Desktop\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\recycler\S-1-5-21-2025429265-583907252-725345543-1004
c:\recycler\S-1-5-21-776561741-299502267-839522115-1004

.
((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-12 14:52 . 2009-10-12 14:52 -------- d-----w- c:\users\Kelly\AppData\Local\temp
2009-10-12 14:52 . 2009-10-12 14:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-09 19:18 . 2009-10-09 19:18 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-10-09 13:08 . 2009-10-09 15:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-09 13:08 . 2009-10-09 13:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-08 22:08 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-08 22:08 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-08 22:08 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-08 22:08 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-08 22:08 . 2009-10-08 22:08 -------- d-----w- c:\programdata\Avira
2009-10-08 22:08 . 2009-10-08 22:08 -------- d-----w- c:\program files\Avira
2009-10-06 15:11 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-06 15:11 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-06 15:11 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-06 15:11 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-06 15:10 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-06 15:10 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-06 15:10 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-06 15:09 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-06 15:09 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-05 15:23 . 2009-10-05 15:23 -------- d-----w- c:\windows\system32\EventProviders
2009-10-05 15:21 . 2009-10-05 15:22 -------- d-----w- C:\9a99a7b9345a09cbcfc379
2009-10-04 02:59 . 2009-10-04 02:59 45 ----a-w- c:\users\Kelly\jagex_runescape_preferences2.dat
2009-10-04 02:57 . 2009-10-04 02:59 38 ----a-w- c:\users\Kelly\jagex_runescape_preferences.dat
2009-10-04 02:56 . 2009-10-04 02:56 -------- d-----w- C:\.jagex_cache_32
2009-10-03 03:18 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-17 12:42 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-17 12:42 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-09-17 12:40 . 2009-09-17 12:40 -------- d-----w- c:\program files\iPod
2009-09-17 12:40 . 2009-09-17 12:42 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-17 12:40 . 2009-09-17 12:42 -------- d-----w- c:\program files\iTunes
2009-09-17 12:36 . 2009-09-17 12:36 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 14:22 . 2009-08-24 23:47 -------- d-----w- c:\program files\Steam
2009-10-12 14:20 . 2009-05-19 22:40 680 ----a-w- c:\users\Kelly\AppData\Local\d3d9caps.dat
2009-10-08 21:29 . 2009-08-24 23:47 -------- d-----w- c:\program files\Common Files\Steam
2009-10-05 16:48 . 2009-05-20 21:50 -------- d-----w- c:\program files\Java
2009-09-22 00:09 . 2009-05-20 21:53 -------- d-----w- c:\users\Kelly\AppData\Roaming\LimeWire
2009-09-18 20:34 . 2009-06-01 22:37 -------- d-----w- c:\users\Kelly\AppData\Roaming\Apple Computer
2009-09-17 12:40 . 2009-06-01 21:27 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 11:29 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-28 23:42 . 2009-08-28 23:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-08-28 23:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 12:39 . 2009-09-02 21:41 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 21:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-24 00:25 . 2009-08-24 00:18 -------- d-----w- c:\program files\Graffiti Studio 2.0
2009-08-24 00:23 . 2009-08-24 00:23 8854 ----a-r- c:\users\Kelly\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2009-08-24 00:23 . 2009-08-24 00:23 40960 ----a-r- c:\users\Kelly\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2009-08-24 00:23 . 2009-08-24 00:23 40960 ----a-r- c:\users\Kelly\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-08-24 00:22 . 2009-08-24 00:22 -------- d-----w- c:\program files\Project64 1.6
2009-08-14 17:07 . 2009-09-10 00:48 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-10 00:48 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-10 00:48 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-10 00:48 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-10 00:48 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-10 00:48 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-10 00:48 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-10 00:48 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-10 00:48 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-10 00:48 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-25 09:23 . 2009-05-20 21:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 21:52 . 2009-07-30 21:49 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-30 21:49 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-30 21:49 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-30 21:49 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:35 . 2009-08-12 19:36 71680 ----a-w- c:\windows\system32\atl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Steam"="c:\program files\Steam\Steam.exe" [2009-10-08 1217784]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"snpstd"="c:\windows\vsnpstd.exe" [2005-10-12 339968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2008-09-10 604704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2B0C8371-B422-428F-B4A8-3D0B78D34455}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{75359EE5-D1C8-48E5-9C6F-7C9E7E940FA1}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{161F933C-2DBC-43BA-A832-FC5A2D666BE1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BDFA201F-2256-4DBC-BB35-CED48DE5AD0B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{5BE3C98B-79FB-4A9D-9FC5-715372E471BF}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"UDP Query User{112046F2-6B10-4F89-8969-E8DA407B8455}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"{8B415786-72C8-4206-B29A-F98F6CB4EFA0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9421C22B-D4FD-4060-BAF3-9495E6139B65}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [08/10/2009 6:08 PM 108289]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [09/10/2009 9:08 AM 1153368]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\User_Feed_Synchronization-{D29941CF-C13E-4F37-85F7-3EE6226E8BF4}.job
- c:\windows\system32\msfeedssync.exe [2009-07-30 20:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Kelly\AppData\Roaming\Mozilla\Firefox\Profiles\lmz8qc7e.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsdc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-12 10:58
ComboFix-quarantined-files.txt 2009-10-12 14:58

Pre-Run: 31,404,761,088 bytes free
Post-Run: 35,222,917,120 bytes free

178 --- E O F --- 2009-10-09 12:42
I hope this is what you need....

Kelly
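As an added illustration (not from the thread or from any of the tools it mentions), this Python script parses the System and Kernel code sections of the GMER log above and shows why those eight lines belong together: each 4-byte value GMER reports inside ntoskrnl.exe!KeInsertQueue is the little-endian encoding of one of the four SSDT hook addresses, so both halves of the log describe the same four hooked service slots (on this Vista build the service table most likely sits inside ntoskrnl's .text section, so GMER reports the slots relative to the nearest exported symbol). Hooks on the process and thread services (ZwOpenProcess, ZwTerminateProcess, and so on) are the set that security software typically installs for self-protection, which is consistent with the helper's verdict that the log looks alright; the script only establishes the correlation, and attributing the hooks to a specific driver still requires checking the machine. The log excerpt is constructed from the post; the regexes and function names are my own.

```python
import re
import struct

# Constructed excerpt of the GMER log posted above (System and
# Kernel code sections only).
GMER_LOG = """\
---- System - GMER 1.0.15 ----

SSDT 8AF616B4 ZwCreateThread
SSDT 8AF616A0 ZwOpenProcess
SSDT 8AF616A5 ZwOpenThread
SSDT 8AF616AF ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInsertQueue + 411 81C7CA08 4 Bytes [B4, 16, F6, 8A]
.text ntoskrnl.exe!KeInsertQueue + 5E1 81C7CBD8 4 Bytes [A0, 16, F6, 8A]
.text ntoskrnl.exe!KeInsertQueue + 5FD 81C7CBF4 4 Bytes [A5, 16, F6, 8A]
.text ntoskrnl.exe!KeInsertQueue + 811 81C7CE08 4 Bytes [AF, 16, F6, 8A]
"""

# "SSDT <handler address> <service name>"
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)", re.M)
# ".text <symbol> + <offset> <address> <n> Bytes [<hex bytes>]"
PATCH_RE = re.compile(
    r"^\.text\s+(\S+)\s+\+\s+([0-9A-F]+)\s+([0-9A-F]{8})\s+(\d+) Bytes \[([0-9A-F, ]+)\]",
    re.M,
)


def parse_ssdt(log):
    """Map each hooked SSDT handler address to the service it replaces."""
    return {int(addr, 16): name for addr, name in SSDT_RE.findall(log)}


def parse_patches(log):
    """Return the modified kernel code locations with their raw bytes."""
    patches = []
    for sym, off, addr, count, hexbytes in PATCH_RE.findall(log):
        raw = bytes(int(b, 16) for b in hexbytes.split(","))
        if len(raw) != int(count):
            raise ValueError("byte count mismatch in line for %s + %s" % (sym, off))
        patches.append({"symbol": sym, "offset": int(off, 16),
                        "address": int(addr, 16), "bytes": raw})
    return patches


def correlate(log):
    """Match each 4-byte modification against the SSDT hook addresses.

    Returns (matched, unmatched): matched entries are tuples of
    (symbol, offset, service name, handler address); unmatched entries
    are modifications whose bytes do not decode to a known hook address
    and therefore deserve a separate look.
    """
    ssdt = parse_ssdt(log)
    matched, unmatched = [], []
    for p in parse_patches(log):
        target = struct.unpack("<I", p["bytes"])[0] if len(p["bytes"]) == 4 else None
        if target in ssdt:
            matched.append((p["symbol"], p["offset"], ssdt[target], target))
        else:
            unmatched.append(p)
    return matched, unmatched


def report(log):
    """Human-readable lines for a helper reviewing the log."""
    matched, unmatched = correlate(log)
    lines = ["%s + %X -> %s hook at %08X" % m for m in matched]
    lines += ["unexplained modification at %08X (%s + %X)"
              % (p["address"], p["symbol"], p["offset"]) for p in unmatched]
    return lines


if __name__ == "__main__":
    print("\n".join(report(GMER_LOG)))
```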

#10
Transience
Hello, sorry for the delay in getting back to you - logs look alright.

Let's run some final checks.

First we'll clean out your unnecessary temp files to speed up the scans:

1. TFC
  • Please download TFC to your desktop.
  • Save any work, then close all open windows.
  • Double-click TFC to run it, and allow the process to complete, which should not take more than a couple minutes.
  • You may or may not be prompted to reboot, if you are click "Yes" and allow the computer to reboot.
  • Close TFC when it has completed.
2. Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from here.

Double-click (Vista users please right-click, Run as Administrator) on mbam-setup.exe to install the program.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • The scan is different from the quick scan and will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
  • Copy & Paste the entire report in your next reply.
3. Kaspersky Online Scan

Kaspersky online scanner uses Java technology to perform the scan. Because your Java is out of date, we need to update it first so that the scan will run without issues.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), DO NOT post this log, I have no need for it.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Scan
  • Follow this link to the Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
So post back with the logs from MBAM and Kaspersky when you have them and give me an update on how the PC is running, and we should have you on your way :).

- Dave

#11
angelbear (Topic Starter)
Dave

Here are the last two logs.

The computer has been better except when running the scans of course.
There are viruses in the log. What do I do with them?

Thanks!

Kelly :)

Attached Files

#12
Transience
We'll take care of those files Kaspersky found like this:

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Files
    C:\Users\Kelly\Documents\LimeWire\Saved\Guitar Hero 3 - 01 - Foghat - Slow Ride.wma
    C:\Users\Kelly\Documents\LimeWire\Saved\im the boss lonley islands sherifia luna [DVDRip.DivX].avi
    C:\Users\Kelly\Documents\LimeWire\Saved\im the boss lonley islands.mpg
    C:\Users\Kelly\Documents\My Documents\LimeWire\Saved\Adam Gregory - Crazy Days.wma
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Cheers,
Dave

#13
angelbear (Topic Starter)
Dave:

I followed your instructions and it seemed like it got rid of the viruses just fine. I left the computer for a while and when I came back it said I needed to reboot. I guess that means everything was ok?

What do you think about Lime Wire? My kids keep downloading it and today I looked elsewhere in the forums, everyone says it is not good and I should not have it. So I deleted the program but what about all the songs? Do I have to go somewhere and delete all of those?

It was a good lesson for them that every one of the viruses was from Lime Wire. I will make sure I get rid of that program on every computer I can!!!

Thank you so much for all your help. You are very knowledgeable about computers. Should I use any of those programs on a regular basis on my computer?

Thanks again!!!

Kelly

#14
Transience

> What do you think about Lime Wire? My kids keep downloading it and today I looked elsewhere in the forums, everyone says it is not good and I should not have it. So I deleted the program but what about all the songs? Do I have to go somewhere and delete all of those?

You don't have to worry about the songs you have, we got rid of all the infected ones. The important thing is just to make sure to stay away from p2p programs like LimeWire for the future.

Glad to hear things are running better, your logs look great, I have some last steps and some advice on staying clean in the future for you:

We have a couple last things to take care of and then you're good to go.

Uninstall ComboFix from your computer:
  • Click on Start > Run
  • Type Combofix /u in the run box and click Ok. Note the space between the x and the /u, it needs to be there.
Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.

Please download OTC to your desktop.
  • Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
  • After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, and if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure you're still clean. Once a week works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

If you don't have a firewall, some great free options you can test out are: Online Armor, Outpost, and Sunbelt. I'd highly recommend that you install one of those. If you do decide to use a 3rd party firewall program, please be sure to disable the Windows firewall as per these instructions so they don't conflict:
  • Please click on Start -> Control Panel
  • Double click Windows Firewall
  • Click Change Settings
  • Choose Off to disable Windows Firewall.
Finally, for a great tutorial on how to get the best protection out of your firewall, take a look at this guide.

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives: Firefox, Opera, and Google Chrome. All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here which will help you to make IE much safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones: Green to go, Yellow for caution, and Red to stop. Available for Firefox and Internet Explorer.

NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing. Available for Firefox only.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at this article.

Exercise common sense

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to look before you leap. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in the vast majority of cases, and the benefits simply aren't worth the risk to your computer.

Keep up on Windows updates

Along with keeping all of the security programs that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and help to keep you safe. Typically the windows update icon will appear in your taskbar when new updates are available, whenever you see it you should open the menu up and install the updates that are available. Although it may be an annoyance, that little bit of extra time it takes to stay updated is very well worth it instead of getting infected from an exploit and having to clean your PC again.

Slow computer?

If your computer begins to slow down again in the future for no particular reason, your first step should not be to come back to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance speed can decrease. To restore your computer's performance to its best possible level, follow the steps in this guide written by tech expert Artellos.

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Dave