
Redirect Virus? Malwarebytes won't run. Unable to execute file err



#31
Boboli3

    Member

  • Topic Starter
  • 39 posts
ComboFix 09-10-26.06 - Bob Tan 10/28/2009 12:07.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1251 [GMT -7:00]
Running from: c:\documents and settings\Bob Tan\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-27 20:10 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 20:10 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 20:10 . 2009-10-27 20:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 19:05 . 2009-10-27 19:05 -------- d-----w- C:\_OTL
2009-10-26 14:33 . 2009-10-26 14:33 77312 ----a-w- C:\mbr.exe
2009-10-25 16:13 . 2009-10-25 16:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1
2009-10-16 04:14 . 2009-10-16 04:14 -------- d-----w- c:\documents and settings\Bob Tan\Application Data\Verizon Wireless
2009-10-15 17:42 . 2009-10-15 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless
2009-10-15 17:41 . 2009-10-15 17:41 -------- d-----w- c:\program files\Verizon Wireless
2009-10-01 02:48 . 2009-10-01 02:48 -------- d-----w- c:\program files\Microsoft
2009-10-01 02:48 . 2009-10-01 02:48 -------- d-----w- c:\program files\Windows Live SkyDrive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-28 19:13 . 2009-08-13 19:22 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-26 19:27 . 2006-08-19 03:02 -------- d-----w- c:\program files\Common Files\AOL
2009-10-26 03:27 . 2007-09-15 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-10-19 16:13 . 2009-09-12 06:27 -------- d-----w- c:\program files\The Greek Poker
2009-10-15 02:05 . 2006-08-19 01:16 -------- d-----w- c:\program files\Microsoft Works
2009-09-30 16:49 . 2009-07-23 00:46 -------- d-----w- c:\documents and settings\Bob Tan\Application Data\Vso
2009-09-30 16:49 . 2009-07-23 00:46 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-09-30 16:49 . 2009-07-23 00:46 47360 ----a-w- c:\documents and settings\Bob Tan\Application Data\pcouffin.sys
2009-09-30 16:49 . 2009-07-23 03:55 -------- d-----w- c:\program files\DVDFab 6
2009-09-16 23:08 . 2006-08-19 02:16 59168 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 05:51 . 2008-02-18 01:07 -------- d-----w- c:\documents and settings\Bob Tan\Application Data\U3
2009-09-16 05:13 . 2009-09-11 06:08 137568 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-16 04:50 . 2009-09-11 05:00 -------- d-----w- c:\program files\Linksys
2009-09-16 03:38 . 2009-09-11 06:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-11 14:18 . 2006-08-18 23:47 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 06:06 . 2009-09-11 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Linksys
2009-09-11 05:04 . 2009-09-11 05:04 -------- d-----w- c:\program files\WebEx
2009-09-11 05:03 . 2006-08-19 02:20 -------- d-----w- c:\program files\Java
2009-09-09 18:27 . 2006-08-19 01:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 06:31 . 2009-09-08 05:46 1376 ----a-w- c:\windows\checkip.dat
2009-09-04 21:03 . 2006-08-18 23:47 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-08-18 23:48 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-08-18 23:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-08-18 23:47 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2006-08-18 23:49 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 22:09 . 2009-08-20 22:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-11 17:02 . 2009-08-11 17:02 61224 ----a-w- c:\documents and settings\Bob Tan\GoToAssistDownloadHelper.exe
2009-08-05 09:01 . 2006-08-18 23:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2006-08-18 23:48 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-27_17.13.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-28 19:15 . 2009-10-28 19:15 16384 c:\windows\temp\Perflib_Perfdata_350.dat
+ 2006-08-19 00:36 . 2009-10-27 22:18 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-08-19 00:36 . 2009-10-26 03:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-08-19 00:36 . 2009-10-27 22:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-08-19 00:36 . 2009-10-26 03:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-27 22:18 . 2009-10-27 22:18 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-09-08 03:43 . 2009-10-28 19:13 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 2007-09-08 03:43 . 2009-04-21 00:47 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl]
@="{ba930330-a721-11d3-a7b9-00500464ee16}"
[HKEY_CLASSES_ROOT\CLSID\{ba930330-a721-11d3-a7b9-00500464ee16}]
2006-04-13 00:31 77824 ----a-w- c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl2]
@="{2030D939-54A7-4fea-9B06-49EA77EFC87F}"
[HKEY_CLASSES_ROOT\CLSID\{2030D939-54A7-4fea-9B06-49EA77EFC87F}]
2006-04-13 00:31 77824 ----a-w- c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"SgeEcView"="c:\program files\Utimaco\SafeGuard Easy\Ecview.exe" [2006-04-13 24576]
"EdWizard"="c:\program files\Utimaco\SafeGuard Easy\EdWizard.exe" [2006-04-13 245760]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TPSODDCtl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2006-04-25 110592]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2006-04-25 315392]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Principia Online Update.lnk - c:\program files\Morningstar\Principia\schedupd.exe [2007-9-10 20543]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-8-18 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NotLog]
2002-01-22 23:28 110592 ----a-w- c:\windows\system32\SGLogEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-06 00:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SGLogNotification]
2005-03-31 19:27 69632 ----a-w- c:\windows\system32\SGLogNotification.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Principia Online Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Principia Online Update.lnk
backup=c:\windows\pss\Principia Online Update.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\DefWatch.exe"=
"c:\\WINDOWS\\system32\\SgLogPlayer.exe"=
"c:\\WINDOWS\\system32\\ThpSrv.exe"=
"c:\\WINDOWS\\system32\\TPSODDCtl.exe"=
"c:\\Program Files\\Apoint2K\\ApntEx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [4/12/2006 5:32 PM 18464]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [4/12/2006 5:34 PM 61466]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [12/27/2004 11:31 PM 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [8/18/2006 7:17 PM 6144]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 6:00 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 5:59 PM 33024]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 5:33 PM 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 11:50 AM 98816]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 8:02 PM 102448]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\DRIVERS\PTDCWWAN.sys --> c:\windows\system32\DRIVERS\PTDCWWAN.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 1:27 PM 169200]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 7:03 PM 32408]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [12/2/2007 6:55 PM 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [12/2/2007 6:55 PM 44928]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://desktop.google.com/uninstall-feedback.html?hl=en
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: mcafee.com
Handler: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021} - c:\progra~1\NETEXC~1.0\FlowHook.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 12:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\SGGINA.DLL
c:\windows\system32\vrlogon.dll
c:\windows\system32\SGEGINA.DLL
c:\program files\Utimaco\SafeGuard Easy\CMFCAPI.DLL
c:\program files\Utimaco\SafeGuard Easy\FLTAPI.dll
c:\program files\Utimaco\SafeGuard Easy\SGE_INFO0409.DLL
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\LogMsgApp.Dll
c:\windows\system32\LogData.dll
c:\windows\system32\SGLogEx.dll
c:\windows\system32\SGLogNotification.dll
c:\windows\system32\GetUserSid.dll

- - - - - - - > 'lsass.exe'(1016)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll

- - - - - - - > 'Explorer.exe'(1332)
c:\windows\system32\WININET.dll
c:\program files\Utimaco\SafeGuard Easy\SgMsgBhk.dll
c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll
c:\program files\Utimaco\SafeGuard Easy\SgeUtil.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Utimaco\SafeGuard Easy\SgeClient.exe
c:\program files\Utimaco\SafeGuard Easy\SgeCtl.exe
c:\windows\system32\SgLogPlayer.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\combofix\CF14130.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\thpsrv.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\Apntex.exe
c:\windows\system32\wscntfy.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 12:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 19:21
ComboFix2.txt 2009-10-27 17:24

Pre-Run: 55,662,968,832 bytes free
Post-Run: 55,639,769,088 bytes free

- - End Of File - - 2CD61BA4BC815324161A029648DF1C65


#32
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
That mbr rootkit detection is a false positive.

Let's run an online scanner.

Please do an online scan with Kaspersky Online Scanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Upgrading Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 16.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u16-windows-i586.exe and select "Run as an Administrator.")


#33
Boboli3

    Member

  • Topic Starter
  • 39 posts
When trying to run the program, I am getting an error maybe a minute into it. The error reads as follows:

Update has failed. The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program from the web site of Kaspersky Lab.

Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted internet connection. Please make sure that the internet connection is established. [ERROR: invalid file signature]

I have removed all previous versions of java and downloaded the latest version.

#34
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Reboot and try it once more.

#35
Boboli3

    Member

  • Topic Starter
  • 39 posts
Rebooted and got the same error.

#36
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Let's try another Scanner

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#37
Boboli3

    Member

  • Topic Starter
  • 39 posts
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16915 (vista_gdr.090826-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d0464a47740c3544840292a843570e70
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-29 01:55:37
# local_time=2009-10-28 06:55:37 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=83119
# found=24
# cleaned=24
# scan_time=4219
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent19.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent49.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent9.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\balayoyu.dll.vir a variant of Win32/Adware.Virtumonde.NFX application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\dezudesu.dll.tmp.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\duhofele.dll.vir a variant of Win32/KillAV.NGE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\duzibofa.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\fapilizu.dll.tmp.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\jaguvonu.dll.vir a variant of Win32/Kryptik.AYY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\jahomayo.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\levukote.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\mabagasu.dll.vir a variant of Win32/Adware.Virtumonde.NFY application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\puyepidu.dll.tmp.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ruvubeye.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\sekanawo.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\tapubanu.dll.vir a variant of Win32/Adware.SuperJuan.K application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\tevuyupu.dll.vir a variant of Win32/Adware.SuperJuan.K application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\tuduriro.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\vENXFfhk.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\vENXFfhk.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\wopoliro.dll.vir a variant of Win32/Adware.Virtumonde.NFX application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ziwupume.dll.vir a variant of Win32/KillAV.NGE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\10272009_120524\WINDOWS\System32\lerajune.dll a variant of Win32/Adware.SuperJuan.K application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\10272009_120524\WINDOWS\System32\tomavita.dll a variant of Win32/Adware.SuperJuan.K application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#38
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
All that's found are quarantined objects.

Hey there, Boboli3 !

OK! Well done, your log is clean again! :)

Time for some housekeeping.

Step 1.
Clean up:

What we need to do is to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

First:
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

Second:
Double-click OTL.exe to start it.
Click the Clean Up button
Click Yes to the reboot.

Now delete any tools/logs that are left over after you ran OTL Clean Up.

Step 2.
Prevention:

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

First:
Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to download an update.

http://www.adobe.com.../readstep2.html

Remove the older versions and install the latest.


Second:
One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.


Third:
Now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.


Fourth:
Next let's look at Firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls

Fifth:
Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers

Lastly:
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

#39
Boboli3

    Member

  • Topic Starter
  • 39 posts
Heir,

Question regarding the ie-spyad_zo program. I downloaded the program however on the website it tells me that I need to also download "zonedout." Do I download that program? Also in my C:ie-spyad_zo folder in my c drive, I am only getting txt files. There aren't any of the reg files.

#40
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Follow the instructions in the tutorial

First lines in those instructions are:

Last Updated: Aug 31 '09

Please Note: the original IE-SPYAD format that used .REG files to load and unload the Restricted Sites list is no longer available and will not be maintained. The same holds true for IE-SPYAD2. Both are replaced by what used to be called IE-SPYAD for ZonedOut. ZonedOut is a free utility that loads and unloads a plain text list of domains into the Restricted sites zone. You can think of ZonedOut as an improved replacement for the .BAT file utility used in the "original" IE-SPYAD. This new version of IE-SPYAD provides the same protection as the old version, but is easier to use and maintain.




#41
Boboli3

    Member

  • Topic Starter
  • 39 posts
Thanks again heir! I have a few questions regarding what I should keep on my computer.

Currently, I have downloaded spywareblaster, spywareguard, online armor. Do I need to keep my malwarebytes anti-malware software? Also, how frequently should I run these programs? As for the windows update, do I need to run the update daily? Weekly?

#42
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

Do I need to keep my malwarebytes anti-malware software?

You should, as it's a really good scanner. Use it regularly to scan your computer.

Also, how frequently should I run these programs?

How often depends on how your computer is used. Frequent use needs frequent scanning.

As for the windows update, do I need to run the update daily? Weekly?

Go to the Control Panel and double-click the Automatic Updates icon. There you can set it all up for your needs.

#43
Boboli3

    Member

  • Topic Starter
  • 39 posts
Ok sir! Thank you very much! My computer is running good as new. Thanks for all your help! If you're ever in California, I need to buy you a few rounds. =)

#44
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
That's a long trip. :)
But if I ever get there I'll certainly stop by.
Can't turn down such an offer. :)

#45
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.