Originally Windows Security Alert pop-ups; now not sure what problem i

Geeks to Go Forums > Security > Virus, Spyware, Malware Removal

Today's New Content

Originally Windows Security Alert pop-ups; now not sure what problem i Can't access internet after removing windows security pop ups

#1 kmaston

Group: Member
Posts: 14
Joined: 19-January 10

Posted 19 January 2010 - 12:03 PM

Hello,

Thank you for such a wonderful site and the great help you provide. I will attempt to detail my problem and steps taken thus far. However, this has been a very tiresome problem and I may miss a few. I started getting false windows security alert pop ups which asked me to run security checks. Initially I ran Spybot and found 2 items and deleted these. I wasn't sure if this worked so I searched for the problem online and found some steps to remove it. These steps included installing Malware Bytes and running CC Cleaner. I did both of these. Malware Bytes found 2 additional items and I deleted these. I should also say that when I installed Malware Bytes I received an error code so I am not sure if the full version was installed or not. But it ran without any problems.

Following this I have been unable to access the internet. I then ran Adaware and AVG. These found nothing. I still had no access to the internet. I continued my search and found the Malware Removal Guide from this site. I attempted to follow those instructions. I uninstalled and re-installed Malware Bytes (and received the same error). I also per the guide recommendations removed adaware and attempted to remove Spybot. I also removed CC Cleaner and installed the temp file cleaner from the guide. When I attempted to remove Spybot I received some warnings so I didn't proceed. Again while following the removal guide I ran Malware Bytes and AVG. Neither found anything. When I attempted to run GMER I received a blue screen that said windows shut down due to a major error. I restarted in safe mode and attempted run GMER from there. I am not sure why (maybe because of the layout in Safe mode) I wasn't able to access the save as button. I attempted to run it again in regular start up. However, I received the blue screen error again which stated something like if you have received this error message multiple times remove any new software or hardware and something about BIOS. That's where I stopped.

I have searched for similar problems but haven't found any. Any that are similar have ended in running Combo fix. And according to this site that should only happen under instruction and assistance from this site.

I am sendig this from a campus computer since I don't have internet access from my laptop. Please help! I am a graduate student and classes have already started. I am lost without my laptop. Thank you so much!!

Please let me know if you need any additional information or if I have made some mistake in the process of posting this.

Katherine

#2 Elster

Group: Administrator
Posts: 2,853
Joined: 11-January 09

Posted 20 January 2010 - 09:10 AM

Hello, Katherine!

Welcome to Geeks to Go! My name is Elster and I will be helping you fix your computer.

Please note that I am still in training, so there may be some delay between my responses. This is so that a resident expert may check my reply before I post back to you.

Also, please keep in mind that very rarely will a computer be "dis-infected" on the first sweep. The absence of symptoms does not mean that your computer is clean, so please stick with me until I give you the All Clear!

I recommend that you save and print each of my posts, as there will be times when you will not be able to be online to access them.

To ensure that I get all the information, this log will need to be attached (instructions at the end) if it is too large to attach then upload to Mediafire and post the sharing link.

I'm guessing that you will have access to another computer for downloading, so please download OTS to a flash drive, then copy it to your computer's Desktop.

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program.
Check the box that says Scan All Users
Under Additional Scans check the following:
- Reg - Shell Spawning
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
Under custom scans copy and paste the following:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
CREATERESTOREPOINT
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

Thanks!

Elster

#3 kmaston

Group: Member
Posts: 14
Joined: 19-January 10

Posted 20 January 2010 - 07:08 PM

OTS.Txt (153.91K)
Number of downloads: 72

Dear Elster,

Thank you very much for your help! I followed the steps you outlined below and attached is the log. Please let me know if you need anything else or if you are unable to access the attachment.

Thank you again.

Best,

Katherine

#4 Elster

Group: Administrator
Posts: 2,853
Joined: 11-January 09

Posted 21 January 2010 - 11:21 PM

Hello Katherine!

Sorry for the delay! Long day at work!

Step 1:

OTS

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Quote

[Registry - Safe List]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
YN -> msansspc.dll ->
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
[Files/Folders - Created Within 30 Days]
NY -> ojbmmw -> C:\Documents and Settings\Katherine\Local Settings\Application Data\ojbmmw
[Files - No Company Name]
NY -> jst.dll -> C:\WINDOWS\System32\jst.dll
NY -> compJNI.dll -> C:\WINDOWS\System32\compJNI.dll
NY -> PMLJNI.dll -> C:\WINDOWS\System32\PMLJNI.dll
NY -> grcauth2.dll -> C:\WINDOWS\System32\grcauth2.dll
NY -> grcauth1.dll -> C:\WINDOWS\System32\grcauth1.dll
NY -> prsgrc.dll -> C:\WINDOWS\System32\prsgrc.dll
NY -> sysprs7.dll -> C:\WINDOWS\System32\sysprs7.dll
NY -> lsprst7.dll -> C:\WINDOWS\System32\lsprst7.dll

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Step 2:

ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Step 3:

Reply

Things I need to see in your reply:

OTS log
Contents of C:\ComboFix.txt

Thanks!

Elster

#5 kmaston

Group: Member
Posts: 14
Joined: 19-January 10

Posted 22 January 2010 - 04:03 PM

Hello Elster,

Thank you for getting back to me. I followed your instructions but ran into a few problems. I ran OTS as instructed and the log is below.

OTS Log:
��[\0R\0e\0g\0i\0s\0t\0r\0y\0 \0-\0 \0S\0a\0f\0e\0 \0L\0i\0s\0t\0]\0
\0
\0R\0e\0g\0i\0s\0t\0r\0y\0 \0v\0a\0l\0u\0e\0 \0H\0K\0E\0Y\0_\0L\0O\0C\0A\0L\0_\0M\0A\0C\0H\0I\0N\0E\0\\0S\0Y\0S\0T\0E\0M\0\\0C\0u\0r\0r\0e\0n\0t\0C\0o\0n\0t\0r\0o\0l\0S\0e\0t\0\\0C\0o\0n\0t\0r\0o\0l\0\\0S\0e\0c\0u\0r\0i\0t\0y\0P\0r\0o\0v\0i\0d\0e\0r\0s\0\\0\\0S\0e\0c\0u\0r\0i\0t\0y\0P\0r\0o\0v\0i\0d\0e\0r\0s\0:\0m\0s\0a\0n\0s\0s\0p\0c\0.\0d\0l\0l\0 \0d\0e\0l\0e\0t\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0[\0F\0i\0l\0e\0s\0/\0F\0o\0l\0d\0e\0r\0s\0 \0-\0 \0C\0r\0e\0a\0t\0e\0d\0 \0W\0i\0t\0h\0i\0n\0 \03\00\0 \0D\0a\0y\0s\0]\0
\0
\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0K\0a\0t\0h\0e\0r\0i\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0o\0j\0b\0m\0m\0w\0 \0f\0o\0l\0d\0e\0r\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0[\0F\0i\0l\0e\0s\0 \0-\0 \0N\0o\0 \0C\0o\0m\0p\0a\0n\0y\0 \0N\0a\0m\0e\0]\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0j\0s\0t\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0o\0m\0p\0J\0N\0I\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0P\0M\0L\0J\0N\0I\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0g\0r\0c\0a\0u\0t\0h\02\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0g\0r\0c\0a\0u\0t\0h\01\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0p\0r\0s\0g\0r\0c\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0y\0s\0p\0r\0s\07\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0l\0s\0p\0r\0s\0t\07\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0<\0 \0E\0n\0d\0 \0o\0f\0 \0f\0i\0x\0 \0l\0o\0g\0 \0>\0
\0
\0O\0T\0S\0 \0b\0y\0 \0O\0l\0d\0T\0i\0m\0e\0r\0 \0-\0 \0V\0e\0r\0s\0i\0o\0n\0 \03\0.\01\0.\01\09\0.\01\0 \0f\0i\0x\0 \0l\0o\0g\0f\0i\0l\0e\0 \0c\0r\0e\0a\0t\0e\0d\0 \0o\0n\0 \00\01\02\02\02\00\01\00\0_\01\06\02\00\03\05\0
\0
Combo fix log:

ComboFix 10-01-16.04 - Katherine 01/22/2010 16:35:32.1.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.674 [GMT -5:00]
Running from: f:\computer fix\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log
c:\windows\kb913800.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-18 23:48 . 2010-01-18 23:48 -------- d-----w- c:\program files\ERUNT
2010-01-18 05:11 . 2010-01-18 05:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-01-18 04:34 . 2010-01-18 04:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2010-01-18 04:29 . 2010-01-18 04:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-18 04:29 . 2010-01-18 04:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-18 04:02 . 2010-01-18 04:02 -------- d-----w- c:\documents and settings\Katherine\Application Data\Yahoo!
2010-01-16 15:21 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-08 00:31 . 2010-01-08 00:31 -------- d-----w- c:\program files\Common Files\Skype
2010-01-07 21:33 . 2010-01-07 21:33 -------- d-----w- c:\program files\iPod
2010-01-07 21:32 . 2010-01-07 21:34 -------- d-----w- c:\program files\iTunes
2010-01-07 21:32 . 2010-01-07 21:34 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-07 21:27 . 2010-01-07 21:28 -------- d-----w- c:\program files\QuickTime
2010-01-07 21:19 . 2010-01-07 21:19 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2010-01-07 21:18 . 2010-01-07 21:18 -------- d-----w- c:\program files\Safari
2010-01-07 21:16 . 2010-01-07 21:16 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-20 16:52 . 2009-04-04 14:05 -------- d-----w- c:\documents and settings\Katherine\Application Data\Skype
2010-01-20 16:50 . 2009-04-04 14:07 -------- d-----w- c:\documents and settings\Katherine\Application Data\skypePM
2010-01-19 00:26 . 2008-11-19 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-18 23:52 . 2010-01-18 23:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-18 23:35 . 2006-06-08 14:23 -------- d-----w- c:\program files\SmartDraw 7
2010-01-18 05:37 . 2006-06-05 19:20 -------- d-----w- c:\program files\Trend Micro
2010-01-18 04:34 . 2006-04-25 04:29 -------- d-----w- c:\program files\Yahoo!
2010-01-18 04:24 . 2009-10-27 17:02 -------- d--h--w- c:\program files\Zero G Registry
2010-01-18 04:24 . 2009-10-27 16:55 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-18 04:22 . 2009-10-27 16:47 -------- d-----w- c:\program files\HP
2010-01-18 04:05 . 2006-02-22 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-16 22:54 . 2008-07-14 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-08 00:32 . 2009-04-04 14:04 -------- d-----r- c:\program files\Skype
2010-01-08 00:31 . 2009-04-04 14:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-07 22:39 . 2006-04-06 20:27 91976 ----a-w- c:\documents and settings\Katherine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-07 22:29 . 2008-07-14 21:32 -------- d-----w- c:\program files\Microsoft Works
2010-01-07 21:51 . 2006-10-29 01:04 -------- d-----w- c:\documents and settings\Katherine\Application Data\Apple Computer
2010-01-07 21:33 . 2009-05-11 01:18 -------- d-----w- c:\program files\Common Files\Apple
2010-01-07 21:07 . 2010-01-18 23:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-18 23:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-16 22:19 . 2006-06-08 14:40 -------- d-----w- c:\documents and settings\Katherine\Application Data\SmartDraw
2009-12-09 16:21 . 2009-12-07 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Fiesta Download Manager
2009-12-07 19:29 . 2008-09-02 20:29 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2009-12-07 16:52 . 2009-12-07 16:52 -------- d-----w- c:\documents and settings\Katherine\Application Data\gtk-2.0
2009-12-07 15:47 . 2009-12-07 15:47 -------- d-----w- c:\program files\Fiesta Download Manager
2009-11-21 15:51 . 2005-08-16 10:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2006-09-20 15:52 . 2006-09-20 15:52 265358 ----a-w- c:\program files\PPGRE.ISU
2008-06-05 01:13 . 2006-10-17 03:50 104 --sh--r- c:\windows\system32\AE1C104679.sys
2008-06-05 01:13 . 2006-10-17 03:50 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 393216]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-11 168448]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-14 2043160]
"FixCamera"="c:\windows\FixCamera.exe" [2007-02-10 20480]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-11 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2007-11-13 271640]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSSInc\\SPSS16\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/18/2008 6:19 PM 335240]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/18/2008 6:19 PM 297752]
S2 gupdate1c9f9cb51d16708;Google Update Service (gupdate1c9f9cb51d16708);c:\program files\Google\Update\GoogleUpdate.exe [6/30/2009 4:39 PM 133104]
S2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart --> c:\program files\SafeConnect\scManager.sys servicestart [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-30 21:39]

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-30 21:39]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &MP3Bar - c:\program files\Fiesta Download Manager\mp3bar.dll/MENUSEARCH.HTM
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{F6BD6330-76F8-44d9-B775-87614E2D8374} - (no file)
WebBrowser-{F6BD6330-76F8-44D9-B775-87614E2D8374} - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 16:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-01-22 16:49:14
ComboFix-quarantined-files.txt 2010-01-22 21:48

Pre-Run: 43,744,280,576 bytes free
Post-Run: 43,765,747,712 bytes free

- - End Of File - - 3A27B425BA7F620DDAA29AAE9610EB91

Problems I ran into with Combo Fix: I was unable to disable AVG or Spybot. I received a warning about AVG but continued running Combo Fix. Microsoft Recovery Console was unable to be installed because I still can not access the internet. Finally, I received several pop ups from Spybot about changes. I denied the changes since I wasn't sure what to do. I apologize if this has complicated the matter or made your job more difficult. Also as a note I did all of this is in Safe Mode. Please let me know if I need to re-run any of these due to the problems I ran into.

Thanks for all of your help.

Cheers,

Katherine

#6 kmaston

Group: Member
Posts: 14
Joined: 19-January 10

Posted 22 January 2010 - 04:23 PM

I think something happened when I cut and pasted the OTS log. Here it is again:

I think something happened when I cut and pasted the OTS log. Here it is again:

��[\0R\0e\0g\0i\0s\0t\0r\0y\0 \0-\0 \0S\0a\0f\0e\0 \0L\0i\0s\0t\0]\0
\0
\0R\0e\0g\0i\0s\0t\0r\0y\0 \0v\0a\0l\0u\0e\0 \0H\0K\0E\0Y\0_\0L\0O\0C\0A\0L\0_\0M\0A\0C\0H\0I\0N\0E\0\\0S\0Y\0S\0T\0E\0M\0\\0C\0u\0r\0r\0e\0n\0t\0C\0o\0n\0t\0r\0o\0l\0S\0e\0t\0\\0C\0o\0n\0t\0r\0o\0l\0\\0S\0e\0c\0u\0r\0i\0t\0y\0P\0r\0o\0v\0i\0d\0e\0r\0s\0\\0\\0S\0e\0c\0u\0r\0i\0t\0y\0P\0r\0o\0v\0i\0d\0e\0r\0s\0:\0m\0s\0a\0n\0s\0s\0p\0c\0.\0d\0l\0l\0 \0d\0e\0l\0e\0t\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0[\0F\0i\0l\0e\0s\0/\0F\0o\0l\0d\0e\0r\0s\0 \0-\0 \0C\0r\0e\0a\0t\0e\0d\0 \0W\0i\0t\0h\0i\0n\0 \03\00\0 \0D\0a\0y\0s\0]\0
\0
\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0K\0a\0t\0h\0e\0r\0i\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0o\0j\0b\0m\0m\0w\0 \0f\0o\0l\0d\0e\0r\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0[\0F\0i\0l\0e\0s\0 \0-\0 \0N\0o\0 \0C\0o\0m\0p\0a\0n\0y\0 \0N\0a\0m\0e\0]\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0j\0s\0t\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0o\0m\0p\0J\0N\0I\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0P\0M\0L\0J\0N\0I\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0g\0r\0c\0a\0u\0t\0h\02\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0g\0r\0c\0a\0u\0t\0h\01\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0p\0r\0s\0g\0r\0c\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0y\0s\0p\0r\0s\07\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0l\0s\0p\0r\0s\0t\07\0.\0d\0l\0l\0 \0m\0o\0v\0e\0d\0 \0s\0u\0c\0c\0e\0s\0s\0f\0u\0l\0l\0y\0.\0
\0
\0<\0 \0E\0n\0d\0 \0o\0f\0 \0f\0i\0x\0 \0l\0o\0g\0 \0>\0
\0
\0O\0T\0S\0 \0b\0y\0 \0O\0l\0d\0T\0i\0m\0e\0r\0 \0-\0 \0V\0e\0r\0s\0i\0o\0n\0 \03\0.\01\0.\01\09\0.\01\0 \0f\0i\0x\0 \0l\0o\0g\0f\0i\0l\0e\0 \0c\0r\0e\0a\0t\0e\0d\0 \0o\0n\0 \00\01\02\02\02\00\01\00\0_\01\06\02\00\03\05\0
\0
\0

#7 Elster

Group: Administrator
Posts: 2,853
Joined: 11-January 09

Posted 23 January 2010 - 12:36 PM

Hello, Katherine!

Step 1:

ComboFix

Please download a new version of ComboFix, then save it to your desktop (don't run from the flash drive), and run it in Normal mode (not safe mode).

Step 2:

AVZ

Download avz4.zip from here

Unzip it to your desktop to a folder named avz4
Double click on AVZ.exe to run it.
Run an update by clicking the Auto Update button on the Right of the Log window:
Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

Start AVZ.
Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Analysis" check box.
Click on the “Execute selected scripts”.
Automatic scanning, healing and system check will be executed.
A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
All applications will work properly after the system restart.

When restarted

Start AVZ.
Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.
Click on the "Execute selected scripts".
A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

Step 3:

Reply

Things I need to see in your reply:

Contents of C:\ComboFix.txt
Attached zip files (virusinfo_syscure.zip and virusinfo_syscheck.zip)
How is your computer running?

Thanks!

Elster

#8 kmaston

Group: Member
Posts: 14
Joined: 19-January 10

Posted 23 January 2010 - 08:29 PM

Hello Elster,

Thank you so much for your help. Below is the Combo Fix log you requested.

ComboFix 10-01-23.02 - Katherine 01/23/2010 20:20:30.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.424 [GMT -5:00]
Running from: c:\documents and settings\Katherine\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-18 23:52 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-18 23:52 . 2010-01-18 23:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-18 23:52 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-18 23:48 . 2010-01-18 23:48 -------- d-----w- c:\program files\ERUNT
2010-01-18 05:11 . 2010-01-18 05:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-01-18 04:34 . 2010-01-18 04:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2010-01-18 04:29 . 2010-01-18 04:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-18 04:29 . 2010-01-18 04:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-18 04:02 . 2010-01-18 04:02 -------- d-----w- c:\documents and settings\Katherine\Application Data\Yahoo!
2010-01-16 15:21 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-08 00:31 . 2010-01-08 00:31 -------- d-----w- c:\program files\Common Files\Skype
2010-01-07 21:33 . 2010-01-07 21:33 -------- d-----w- c:\program files\iPod
2010-01-07 21:32 . 2010-01-07 21:34 -------- d-----w- c:\program files\iTunes
2010-01-07 21:32 . 2010-01-07 21:34 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-07 21:27 . 2010-01-07 21:28 -------- d-----w- c:\program files\QuickTime
2010-01-07 21:19 . 2010-01-07 21:19 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2010-01-07 21:18 . 2010-01-07 21:18 -------- d-----w- c:\program files\Safari
2010-01-07 21:16 . 2010-01-07 21:16 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 01:25 . 2009-04-04 14:05 -------- d-----w- c:\documents and settings\Katherine\Application Data\Skype
2010-01-24 01:06 . 2006-02-22 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-24 00:45 . 2008-07-14 17:29 -------- d-----w- c:\program files\SafeConnect
2010-01-24 00:42 . 2009-04-04 14:07 -------- d-----w- c:\documents and settings\Katherine\Application Data\skypePM
2010-01-19 00:26 . 2008-11-19 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-18 23:35 . 2006-06-08 14:23 -------- d-----w- c:\program files\SmartDraw 7
2010-01-18 05:37 . 2006-06-05 19:20 -------- d-----w- c:\program files\Trend Micro
2010-01-18 04:34 . 2006-04-25 04:29 -------- d-----w- c:\program files\Yahoo!
2010-01-18 04:24 . 2009-10-27 17:02 -------- d--h--w- c:\program files\Zero G Registry
2010-01-18 04:24 . 2009-10-27 16:55 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-18 04:22 . 2009-10-27 16:47 -------- d-----w- c:\program files\HP
2010-01-16 22:54 . 2008-07-14 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-08 00:32 . 2009-04-04 14:04 -------- d-----r- c:\program files\Skype
2010-01-08 00:31 . 2009-04-04 14:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-07 22:39 . 2006-04-06 20:27 91976 ----a-w- c:\documents and settings\Katherine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-07 22:29 . 2008-07-14 21:32 -------- d-----w- c:\program files\Microsoft Works
2010-01-07 21:51 . 2006-10-29 01:04 -------- d-----w- c:\documents and settings\Katherine\Application Data\Apple Computer
2010-01-07 21:33 . 2009-05-11 01:18 -------- d-----w- c:\program files\Common Files\Apple
2009-12-16 22:19 . 2006-06-08 14:40 -------- d-----w- c:\documents and settings\Katherine\Application Data\SmartDraw
2009-12-09 16:21 . 2009-12-07 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Fiesta Download Manager
2009-12-07 19:29 . 2008-09-02 20:29 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2009-12-07 16:52 . 2009-12-07 16:52 -------- d-----w- c:\documents and settings\Katherine\Application Data\gtk-2.0
2009-12-07 15:47 . 2009-12-07 15:47 -------- d-----w- c:\program files\Fiesta Download Manager
2009-11-21 15:51 . 2005-08-16 10:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2005-08-16 10:18 916480 ------w- c:\windows\system32\wininet.dll
2006-09-20 15:52 . 2006-09-20 15:52 265358 ----a-w- c:\program files\PPGRE.ISU
2008-06-05 01:13 . 2006-10-17 03:50 104 --sh--r- c:\windows\system32\AE1C104679.sys
2008-06-05 01:13 . 2006-10-17 03:50 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 393216]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-11 168448]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-14 2043160]
"FixCamera"="c:\windows\FixCamera.exe" [2007-02-10 20480]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-11 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2007-11-13 297240]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSSInc\\SPSS16\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/18/2008 6:19 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/18/2008 6:19 PM 297752]
R2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart --> c:\program files\SafeConnect\scManager.sys servicestart [?]
S2 gupdate1c9f9cb51d16708;Google Update Service (gupdate1c9f9cb51d16708);c:\program files\Google\Update\GoogleUpdate.exe [6/30/2009 4:39 PM 133104]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-30 21:39]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-30 21:39]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &MP3Bar - c:\program files\Fiesta Download Manager\mp3bar.dll/MENUSEARCH.HTM
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{F6BD6330-76F8-44d9-B775-87614E2D8374} - (no file)
WebBrowser-{F6BD6330-76F8-44D9-B775-87614E2D8374} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-23 20:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\WINSPOOL.DRV

- - - - - - - > 'explorer.exe'(812)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-01-23 20:27:47
ComboFix-quarantined-files.txt 2010-01-24 01:27
ComboFix2.txt 2010-01-22 21:49

Pre-Run: 42,726,178,816 bytes free
Post-Run: 42,679,992,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 3F18D024F8054D6DAA11C8799073A917

Also attached is the AVZ syscheck log you requested. The AVZ syscure log was never in the log folder. I ran it twice but it didn't appear either time. Everything seems to be working fine now. I can get on-line and am not receiving pop ups or having any other problems.

virusinfo_syscheck.zip (129.2K)
Number of downloads: 58

#9 Elster

Group: Administrator
Posts: 2,853
Joined: 11-January 09

Posted 24 January 2010 - 10:43 AM

Hello, Katherine!

Things are looking good! Just a couple of more steps, and you should be set.

Make sure to use Internet Explorer for this
Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
- c:\windows\system32\AE1C104679.sys
Click on the Upload button
If a pop-up appears saying the file has been scanned already, please select the ReScan button.
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

Thanks!

Elster

#10 kmaston

Group: Member
Posts: 14
Joined: 19-January 10

Posted 24 January 2010 - 11:24 AM

Hi Elster,

Thanks for all of your help. Here is the log from virscan.

VirSCAN.org Scanned Report :
Scanned time : 2010/01/24 12:01:23 (EST)
Scanner results: Scanners did not find malware!
File Name : AE1C104679.sys
File Size : 104 byte
File Type : data
MD5 : c594a8b8dc6f5f8dc2bf9d05b113bb99
SHA1 : 3fa1d49141345a1f608c5c460273572ba5bb2333
Online report : http://virscan.org/report/885d580ac15e62ee...bf410adeb3.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100124030221 2010-01-24 40.13 -
AhnLab V3 2010.01.24.00 2010.01.24 2010-01-24 40.12 -
AntiVir 8.2.1.150 7.10.3.62 2010-01-22 0.07 -
Antiy 2.0.18 20100122.3738848 2010-01-22 0.12 -
Arcavir 2009 201001240745 2010-01-24 0.02 -
Authentium 5.1.1 201001231539 2010-01-23 1.32 -
AVAST! 4.7.4 100124-0 2010-01-24 0.00 -
AVG 8.5.720 271.1.1/2642 2010-01-24 0.23 -
BitDefender 7.81008.4896419 7.30040 2010-01-24 4.38 -
CA (VET) 35.1.0 7253 2010-01-21 40.12 -
ClamAV 0.95.2 10326 2010-01-23 0.00 -
Comodo 3.13.579 3409 2010-01-24 40.13 -
CP Secure 1.3.0.5 2010.01.24 2010-01-24 0.00 -
Dr.Web 4.44.0.9170 0004.00.00 0004-00-00 8.77 -
F-Prot 4.4.4.56 20100123 2010-01-23 1.24 -
F-Secure 7.02.73807 2010.01.24.03 2010-01-24 0.05 -
Fortinet 11.412- 11.412 2010-01-24 40.12 -
GData 19.10118/19.698 20100124 2010-01-24 40.14 -
ViRobot 20100123 2010.01.23 2010-01-23 1.53 -
Ikarus T3.1.01.80 2010.01.24.75028 2010-01-24 4.42 -
JiangMin 13.0.900 2010.01.23 2010-01-23 40.12 -
Kaspersky 5.5.10 2010.01.24 2010-01-24 0.02 -
KingSoft 2009.2.5.15 2010.1.24.23 2010-01-24 40.13 -
McAfee 5.3.00 5871 2010-01-24 3.37 -
Microsoft 1.5405 2010.01.24 2010-01-24 40.13 -
Norman 6.01.09 6.01.00 2010-01-16 4.01 -
Panda 9.05.01 2010.01.24 2010-01-24 40.12 -
Trend Micro 9.120-1004 6.800.06 2010-01-24 0.00 -
Quick Heal 10.00 2010.01.21 2010-01-21 40.13 -
Rising 20.0 22.31.06.04 2010-01-24 40.12 -
Sophos 3.03.0 4.49 2010-01-24 3.21 -
Sunbelt 3.9.2393.2 5635 2010-01-23 40.13 -
Symantec 1.3.0.24 20100123.003 2010-01-23 0.24 -
nProtect 20100123.01 6991239 2010-01-23 40.13 -
The Hacker 6.5.0.9 v00160 2010-01-24 40.13 -
VBA32 3.12.12.1 20100123.0949 2010-01-23 2.41 -
VirusBuster 4.5.11.10 10.119.18/1988421 2010-01-24 2.32 -

Also, a couple of quick questions if you don't mind. First, when I start my computer I get the spybot pop up asking me about a new value for ctfm.exe. I researched this and apparently it can be either necessary or a virus. Can you tell me whether I should accept this change or not based on what we have done already. Secondly, when I log off I get an error message that says something like permission is not authorized. Not sure if this is a problem or not. I can send a screenshot if you need it. And finally, just for my own curiousity, can you tell me what happened to my computer? I believe it was from the ads on Ninja Video. I have used Ninja Video for a long time without problems but don't want to use it if I can expect these kinds of problems.

Again, thank you so much!

Cheers,

Katherine

#11 Elster

Group: Administrator
Posts: 2,853
Joined: 11-January 09

Posted 25 January 2010 - 11:20 PM

Hi Katherine!

It's difficult to say exactly where the infection(s) may have originated. Most viruses are transmitted through email, or you may have clicked on an ad or visited a website that downloaded into your machine.

As for ctfm.exe, what does Spybot say has changed? This file is not in any of your logs, so I would say to accept the change.

Quote

Secondly, when I log off I get an error message that says something like permission is not authorized. Not sure if this is a problem or not. I can send a screenshot if you need it.

Please do!

Now, let's do one more scan!

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

Tick the box next to YES, I accept the Terms of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Thanks!

Elster

#12 kmaston

Group: Member
Posts: 14
Joined: 19-January 10

Posted 29 January 2010 - 09:38 PM

Hi Elster,

So sorry for the delay! School and work were pretty hectic this week. Below is the file you requested.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a305028bf64cb845a65a9c72430b2cd2
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-29 10:53:09
# local_time=2010-01-29 05:53:09 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 48294495 48294495 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=31656
# found=0
# cleaned=0
# scan_time=1527
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=53251
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a305028bf64cb845a65a9c72430b2cd2
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-30 03:33:23
# local_time=2010-01-29 10:33:23 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 48304388 48304388 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=80606
# found=1
# cleaned=1
# scan_time=8448
C:\WINDOWS\FixCamera.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

I don't get the authorization error anymore when I log off. In addition, my computer had to be "reconfigured" ( I think that is what was done) so that I could continue to access the university network. Not sure if that makes a difference for you or not.

Thanks again!

Katherine

#13 Elster

Group: Administrator
Posts: 2,853
Joined: 11-January 09

Posted 30 January 2010 - 08:18 PM

Hi Katherine!

I am sorry. I'm out of town this weekend and really don't have internet access other than on my phone. I will be back either late Monday or sometime on Tuesday. If you are in need of assistance before then, please let me know and I will have someone help you.

Thanks!

Elster

#14 Elster

Group: Administrator
Posts: 2,853
Joined: 11-January 09

Posted 04 February 2010 - 01:12 PM

Hi Katherine!

Thank you for your patience! You waited all that time to hear (or, more accurately, read) me say:

Congratulations!! Your computer is clean again!

Just a few more steps here and you'll be out surfing that net in no time!

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

It is very important that you keep your computer updated with the latest patches and security fixes. Be sure and update the following on a regular basis:

For Windows updates, go here

For Java updates,

Download the latest version of Java Runtime Environment (JRE) 6 Update 18.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

Make Internet Explorer more secure:

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

Download some preventative software such as:

Anti Spyware

SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.

Personal Firewalls -- UTILIZE ONLY ONE FIREWALL

Comodo is a free fully functional firewall
Online Armor (Free edition) personal firewall

Anti Virus Programs -- NEVER USE MORE THAN ONE ANTI-VIRUS PROGRAM AT A TIME

avast! 4 Home Edition an excellent free AV.
AVG AntiVirus version 8.5 is free for personal use.
Avira AntiVir PersonalEdition, yet another good free AV. This is the one I use, personally.

Preventive maintenance:

ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

TFC - Cleans temporary files from user accounts. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

MVPS Hosts file - replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

Lastly, I would recommend using a browser other than IE. I personally use Firefox, which is much more secure than IE.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Good luck, and great surfing!!

Elster

#15 Essexboy

Group: GeekU Moderator
Posts: 55,583
Joined: 31-May 06

Posted 11 February 2010 - 01:22 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Back to Virus, Spyware, Malware Removal

Share this topic:

Page 1 of 1

Please log in to reply

Originally Windows Security Alert pop-ups; now not sure what problem i - Geeks to Go Forums