
Windows XP recently infected, still some strange files


#1
jamiemad1

    Member

  • 98 posts
Hi, my computer was recently infected. I think I got it clean, but I did notice a file called qoobox back env that will not let me in, and I believe it is from when I ran ComboFix a long time ago as instructed by the help I had here. I ran MBAM and also the ESET online scanner, which I am not sure where to find the log file for, but I do have the MBAM log. Thank you in advance; your help is always greatly appreciated.

OTL logfile created on: 3/18/2012 1:53:10 PM - Run 1
OTL by OldTimer - Version 3.2.39.1 Folder = D:\jacobs downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.80 Mb Total Physical Memory | 414.10 Mb Available Physical Memory | 40.49% Memory free
2.40 Gb Paging File | 1.96 Gb Available in Paging File | 81.38% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.13 Gb Total Space | 1.76 Gb Free Space | 9.18% Space Free | Partition Type: NTFS
Drive D: | 31.49 Gb Total Space | 26.66 Gb Free Space | 84.65% Space Free | Partition Type: NTFS
Drive E: | 480.33 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: JHOME | User Name: jacob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/18 13:52:34 | 000,594,432 | ---- | M] (OldTimer Tools) -- D:\jacobs downloads\OTL.exe
PRC - [2012/02/20 12:46:02 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/01/13 15:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/01/13 15:53:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/06/16 17:42:58 | 000,839,680 | ---- | M] () -- C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
PRC - [2008/12/12 19:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2008/12/12 19:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/04/22 05:43:44 | 000,413,775 | ---- | M] (Microsoft Corporation) -- D:\Program Files\WCESCOMM.EXE
PRC - [2001/09/27 04:39:42 | 000,245,760 | ---- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\system32\atiptaxx.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/20 12:46:00 | 001,911,768 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/06/18 19:31:53 | 006,271,136 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2010/06/16 17:42:58 | 000,839,680 | ---- | M] () -- C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
MOD - [2008/12/12 19:11:26 | 000,148,480 | ---- | M] () -- C:\Program Files\Common Files\Pure Networks Shared\Platform\CAntiVirusCOM.dll
MOD - [2008/12/12 19:11:26 | 000,097,280 | ---- | M] () -- C:\Program Files\Common Files\Pure Networks Shared\Platform\CFirewallCOM.dll
MOD - [2007/02/16 17:40:42 | 005,521,408 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtGui4.dll
MOD - [2007/02/16 17:40:40 | 001,466,368 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtCore4.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexingService.exe -- (NMIndexingService)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (AOLService)
SRV - [2012/01/13 15:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/12/12 19:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/11/13 15:43:49 | 000,204,800 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe -- (LinksysUpdater)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\My Documents\Garena Plus\Room\safedrv.sys -- (GGSAFERDriver)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\jacob\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2011/12/10 16:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/02/17 17:59:09 | 000,007,168 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\utmzmza3.sys -- (utmzmza3)
DRV - [2010/02/03 15:56:56 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2009/09/08 18:54:23 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/12/12 19:05:20 | 000,025,264 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
DRV - [2008/12/12 19:05:18 | 000,023,984 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)
DRV - [2008/04/13 15:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 14:56:49 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2007/12/26 03:47:30 | 000,272,128 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)
DRV - [2006/08/02 11:45:32 | 000,114,560 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mr7910.sys -- (mr7910)
DRV - [2006/03/03 14:27:53 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2004/08/04 01:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/09/22 12:43:06 | 001,330,048 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\P16X.sys -- (P16X) Creative SB Live! Series (WDM)
DRV - [2003/09/22 08:48:06 | 000,130,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/09/22 08:47:38 | 000,178,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2003/02/26 22:12:19 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2002/09/19 21:33:52 | 000,035,120 | ---- | M] (Copyright © Fuji Photo film Co.,Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALABULK2.SYS -- (ALABULK)
DRV - [2002/01/11 01:22:10 | 000,295,168 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtaa.sys -- (ati2mtaa)
DRV - [2001/08/22 12:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2001/08/17 13:19:38 | 000,037,120 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\es1370mp.sys -- (ES1370) Creative AudioPCI (ES1370), SB PCI 64/128 (WDM)
DRV - [2001/08/17 09:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/17 08:48:52 | 000,281,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpaa.sys -- (ati2mpaa)
DRV - [2001/07/25 21:58:28 | 000,584,336 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsf_cnxt.sys -- (winachsf)
DRV - [2001/07/18 23:07:00 | 000,080,449 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\spkpnt.sys -- (SpeakerPhone)
DRV - [2001/07/18 23:06:40 | 000,426,783 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\k56nt.sys -- (K56)
DRV - [2001/07/18 23:06:12 | 000,127,405 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fsksnt.sys -- (Fsks)
DRV - [2001/07/18 23:05:26 | 000,217,019 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\faxnt.sys -- (SoftFax)
DRV - [2001/07/18 23:04:26 | 000,056,607 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tonesnt.sys -- (Tones)
DRV - [2001/07/18 23:04:04 | 000,310,899 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fallback.sys -- (Fallback)
DRV - [2001/07/18 23:01:56 | 000,077,426 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\basic2.sys -- (basic2)
DRV - [2001/07/18 23:01:38 | 000,067,654 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rksample.sys -- (Rksample)
DRV - [2001/07/18 23:01:20 | 000,534,125 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\v124nt.sys -- (V124)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page_bak =
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect...mrud=19-08-2010
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 32 06 8C 89 9A EE CC 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask...3A-D3739C5E4364
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...&rlz=1I7GGLL_en
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.defaultthis.engineName: ""
FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{EB132DB0-A4CA-11DF-9732-0E29E0D72085}: C:\Program Files\Object\facetheme
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/20 12:46:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/18 20:41:30 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{EB132DB0-A4CA-11DF-9732-0E29E0D72085}: C:\Program Files\Object\facetheme

[2010/08/19 15:46:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jacob\Application Data\Mozilla\Extensions
[2012/03/09 22:35:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\ttwr6ldg.default\extensions
[2012/01/03 18:41:55 | 000,000,000 | ---D | M] (Battlefield Play4Free) -- C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\ttwr6ldg.default\extensions\[email protected]
[2012/03/09 22:35:46 | 000,000,000 | ---D | M] (Browse For Change) -- C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\ttwr6ldg.default\extensions\[email protected]
[2011/02/11 21:01:38 | 000,002,567 | ---- | M] () -- C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\ttwr6ldg.default\searchplugins\askcom.xml
[2010/12/12 12:16:22 | 000,000,919 | ---- | M] () -- C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\ttwr6ldg.default\searchplugins\conduit.xml
[2012/02/05 12:39:10 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/02/20 12:46:03 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2007/08/24 23:52:00 | 000,300,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\mozilla firefox\components\coFFPlgn.dll
[2012/01/14 15:54:09 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2008/09/15 11:52:06 | 000,376,832 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npsnapfish.dll
[2012/01/05 21:33:32 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/05 21:33:32 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\12.0.742.122\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Java Deployment Toolkit 6.0.240.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U24 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\12.0.742.122\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\12.0.742.122\gears.dll
CHR - plugin: Windows Genuine Advantage (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
CHR - plugin: Snapfish Plugin for Firefox (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Garmin Communicator Plug-In (Enabled) = C:\Program Files\Garmin GPS Plugin\npGarmin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll
CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Documents and Settings\jacob\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.4.6_0\
CHR - Extension: Poppit = C:\Documents and Settings\jacob\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2011/02/18 11:39:08 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [ATIPTA] C:\WINDOWS\System32\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKCU..\Run: [H/PC Connection Agent] D:\program files\WCESCOMM.EXE (Microsoft Corporation)
O4 - HKCU..\Run: [OpenDNS Updater] C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html File not found
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - d:\Program Files\INETREPL.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - d:\Program Files\INETREPL.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.micr...veX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} http://gamingzone.ub...s/GSManager.cab (CoGSManager Class)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.syma...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} http://aolcc.aol.com...kup/qdiagcc.cab (QDiagAOLCCUpdateObj Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creat...101/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1139962132984 (MUWebControl Class)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai...all/xscan53.cab (HouseCall Control)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} http://www3.ca.com/s...nfo/webscan.cab (WScanCtl Class)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} http://www.installen...gine/isetup.cab (InstallShield International Setup Player)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.c.../cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell....lSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Registry Information Class)
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creat...15109/CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.154.1.6 24.154.1.37 192.168.1.1 24.154.1.6 24.154.1.37
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{870E5707-EBC8-4FEC-91A7-1C9F31F19226}: DhcpNameServer = 24.154.1.6 24.154.1.37 192.168.1.1 24.154.1.6 24.154.1.37
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{870E5707-EBC8-4FEC-91A7-1C9F31F19226}: NameServer = 208.67.222.123,208.67.220.123
O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - d:\Program Files\AATP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\jacob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\jacob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/21 16:04:21 | 000,000,109 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/18 13:01:09 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/18 12:58:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/03/18 11:31:04 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/03/17 20:23:37 | 000,000,000 | ---D | C] -- C:\Program Files\OpenDNS Updater
[2012/03/17 20:05:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jacob\Application Data\MSN6
[2012/03/09 22:35:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jacob\Local Settings\Application Data\iBryte
[2012/02/22 15:58:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jacob\Application Data\.minecraft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/18 14:00:04 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2012/03/18 13:46:38 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/03/18 13:38:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/18 13:38:46 | 1072,549,888 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/18 13:24:17 | 000,225,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/18 11:39:31 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\jacob\Desktop\SpywareBlaster.lnk
[2012/03/18 11:31:34 | 000,434,136 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/18 11:31:34 | 000,068,456 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/18 10:10:06 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2012/03/17 20:40:14 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2012/03/17 20:32:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/17 20:28:18 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2012/03/15 03:09:14 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/17 19:51:02 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\jacob\My Documents\Interneto!.lnk
[2012/02/15 02:46:54 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/05 01:48:04 | 000,138,056 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2012/01/05 01:48:04 | 000,138,056 | ---- | C] () -- C:\Documents and Settings\jacob\Application Data\PnkBstrK.sys
[2012/01/05 01:47:45 | 000,189,248 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2012/01/05 01:47:42 | 000,075,136 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2011/02/28 04:19:50 | 000,141,400 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/02/17 17:59:09 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\utmzmza3.sys
[2010/11/28 19:11:01 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\jacob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/03 11:02:36 | 000,000,081 | ---- | C] () -- C:\Documents and Settings\jacob\Application Data\RSBot Accounts.ini

========== LOP Check ==========

[2010/02/21 01:06:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/02/17 22:58:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2009/11/08 15:54:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2009/04/04 16:07:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2010/01/18 15:26:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Linksys
[2011/07/28 18:39:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2012/01/01 20:15:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NexonUS
[2009/03/27 09:10:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/12/26 14:46:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PhotoStitch
[2006/03/26 16:07:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2003/08/21 20:04:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/01/18 15:14:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{35ACA973-70F0-495F-9092-74A130711865}
[2012/01/16 01:30:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacob\Application Data\.BanditPkz_main
[2012/02/22 15:59:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacob\Application Data\.minecraft
[2011/02/11 18:30:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacob\Application Data\Auslogics
[2012/01/01 16:25:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacob\Application Data\Garena
[2011/02/15 11:46:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacob\Application Data\GARMIN
[2010/08/22 20:00:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacob\Application Data\godzHell
[2011/02/14 01:14:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacob\Application Data\OpenDNS Updater
[2002/01/20 01:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacob\Application Data\TeamViewer
[2011/02/11 01:18:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacob\Application Data\wsInspector
[2012/03/18 10:10:06 | 000,000,464 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2012/03/17 20:40:14 | 000,000,464 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2012/03/17 20:28:18 | 000,000,464 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2012/03/18 14:00:04 | 000,000,464 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2012/03/18 13:46:38 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



< End of report >

Edited by jamiemad1, 18 March 2012 - 12:15 PM.


#2
WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hello jamiemad1 and welcome to GeeksToGo :)

My nickname is GLeobas and I'm going to help you fix your problem.

Please note that I'm currently in training and my posts have to be approved by an expert before I reply.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • Please do not try to fix anything without being asked
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread.
  • I am currently reviewing your logs.


#3
jamiemad1

    Member

  • Topic Starter
  • Member
  • 98 posts
Hello and thank you.

#4
WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi,

Sorry for delay.

# Step 1 #

You still have ComboFix installed on your computer. Please download and run this tool to remove ComboFix:
http://download.blee...s/CF_UNINST.EXE

# Step 2 #

Please reopen OTL on your desktop.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [CREATERESTOREPOINT]
    
    :OTL
    IE - HKLM\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}
    IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask...3A-D3739C5E4364
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    
    :Files
    C:\Windows\Tasks\At*.job
    
    
    :Commands
    [EMPTYTEMP]
    [EMPTYFLASH]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

# Step 3 #

Please go to: VirusTotal
  • Click the Choose File button and search for the following file (one by one):

    C:\WINDOWS\System32\drivers\utmzmza3.sys

  • Click Open > Scan It!.
  • Please be patient while the file is scanned.
  • Copy and paste the Link (URL) with the results.


# Step 4 #

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan

On completion of the scan click Save log, save it to your desktop and post it in your next reply

Edited by GLeobas, 24 March 2012 - 01:45 PM.


#5
jamiemad1

    Member

  • Topic Starter
  • Member
  • 98 posts
Hi and thanks for your help. Quick question: I got to step 2, and when I ran the OTL it closed my MBAM and turned off my Microsoft Security Essentials, and then my computer froze up for about ten minutes. I got worried and shut it down because I was on the net with NO protection. I then rebooted and came straight here. Shall I continue? Also, I still have the file qoobox in my Program Files.

Edited by jamiemad1, 24 March 2012 - 02:22 PM.


#6
WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi,

Sorry for the delay. The OTL script will run now.
# Step 1 #


Please reopen OTL on your desktop.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [CREATERESTOREPOINT]
    
    :OTL
    IE - HKLM\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}
    IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask...3A-D3739C5E4364
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    
    :Files
    C:\Windows\Tasks\At*.job
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

# Step 2 #

Please go to: VirusTotal
  • Click the Choose File button and search for the following file (one by one):

    C:\WINDOWS\System32\drivers\utmzmza3.sys

  • Click Open > Scan It!.
  • Please be patient while the file is scanned.
  • Copy and paste the Link (URL) with the results.


# Step 3 #

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan

On completion of the scan click Save log, save it to your desktop and post it in your next reply

Edited by GLeobas, 25 March 2012 - 06:20 PM.


#7
jamiemad1

    Member

  • Topic Starter
  • Member
  • 98 posts
Hi, I tried again and it still will not run. I got an error code that said "ACCESS VIOLATION AT ADRESS 00402987 IN MODULE 'OTL.EXE' READ OF ADRESS 0019F000".

THANK YOU

#8
WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Ok,

Go to the next steps:

# Step 2 #

Please go to: VirusTotal

  • Click the Choose File button and search for the following file (one by one):

    C:\WINDOWS\System32\drivers\utmzmza3.sys
  • Click Open > Scan It!.
  • Please be patient while the file is scanned.
  • Copy and paste the Link (URL) with the results.


# Step 3 #

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan

On completion of the scan click Save log, save it to your desktop and post it in your next reply


Edited by GLeobas, 26 March 2012 - 06:06 PM.


#9
jamiemad1

    Member

  • Topic Starter
  • Member
  • 98 posts
https://www.virustot...sis/1332811092/

And


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-26 21:22:56
-----------------------------
21:22:56.516 OS Version: Windows 5.1.2600 Service Pack 3
21:22:56.516 Number of processors: 1 586 0x204
21:22:56.516 ComputerName: JHOME UserName: jacob
21:22:58.704 Initialize success
21:23:53.470 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
21:23:53.470 Disk 0 Vendor: MAXTOR_6L020J1 A93.0500 Size: 19595MB BusType: 3
21:23:53.470 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
21:23:53.470 Disk 1 Vendor: Maxtor_54098H8 DAC10SC0 Size: 32253MB BusType: 3
21:23:53.470 Disk 0 MBR read successfully
21:23:53.470 Disk 0 MBR scan
21:23:53.485 Disk 0 Windows XP default MBR code
21:23:53.485 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 19587 MB offset 63
21:23:53.501 Disk 0 scanning sectors +40114305
21:23:53.657 Disk 0 scanning C:\WINDOWS\system32\drivers
21:24:20.407 Service scanning
21:24:45.470 Service MpKslc665e82a C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DD69077D-D59B-4108-9B4D-B100FA144078}\MpKslc665e82a.sys **LOCKED** 32
21:25:13.079 Modules scanning
21:25:48.157 Disk 0 trace - called modules:
21:25:48.688 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
21:25:48.688 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86fc8ab8]
21:25:48.688 3 CLASSPNP.SYS[f76e3fd7] -> nt!IofCallDriver -> \Device\00000065[0x86f72ca0]
21:25:48.688 5 ACPI.sys[f765a620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x86f8ed98]
21:25:48.704 Scan finished successfully
21:27:09.532 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\jacob\Desktop\MBR.dat"
21:27:09.548 The log file has been saved successfully to "C:\Documents and Settings\jacob\Desktop\aswMBR.txt"

Edited by jamiemad1, 26 March 2012 - 07:28 PM.


#10
WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
# Step 1 #

Download ComboFix from one of the following locations:

Link 1
Link 2


# Step 2 #

Close any open browsers.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Go to Start > Run and type (copy/paste): Notepad.exe. Then click OK.
  • Copy/paste the text in the quote box below into Notepad

    Driver::
    utmzmza3

    File::
    C:\WINDOWS\system32\drivers\utmzmza3.sys
    C:\WINDOWS\Tasks\At*.job

  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply


#11
jamiemad1

    Member

  • Topic Starter
  • Member
  • 98 posts
Hello and thank you. I think I did it right.

ComboFix 12-03-28.02 - jacob 03/28/2012 11:47:32.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.482 [GMT -4:00]
Running from: c:\documents and settings\jacob\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: ThreatFire *Disabled/Updated* {67B2B9A1-25C8-4057-962D-807958FFC9E3}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-28 )))))))))))))))))))))))))))))))
.
.
2012-03-28 09:42 . 2012-03-28 09:42 56200 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{46EF3325-94D1-4FAD-A075-54EFE096C43D}\offreg.dll
2012-03-28 09:42 . 2012-03-28 09:42 29904 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{46EF3325-94D1-4FAD-A075-54EFE096C43D}\MpKsl021a96a7.sys
2012-03-28 09:34 . 2012-03-14 02:15 6582328 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{46EF3325-94D1-4FAD-A075-54EFE096C43D}\mpengine.dll
2012-03-24 16:23 . 2012-03-24 16:23 592824 -c--a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-24 16:23 . 2012-03-24 16:23 44472 -c--a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-18 15:31 . 2012-03-18 15:31 4554 -c--a-w- c:\windows\system32\PerfStringBackup.TMP
2012-03-18 00:24 . 2012-03-18 00:24 -------- dc----w- c:\windows\system32\wbem\Repository
2012-03-18 00:23 . 2012-03-18 00:23 -------- dc----w- c:\program files\OpenDNS Updater
2012-03-18 00:05 . 2012-03-18 00:06 -------- dc----w- c:\documents and settings\jacob\Application Data\MSN6
2012-03-10 02:35 . 2012-03-10 02:35 -------- dc----w- c:\documents and settings\jacob\Local Settings\Application Data\iBryte
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-14 02:15 . 2010-03-14 00:26 6582328 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-03 09:22 . 2001-08-18 12:00 1860096 -c----w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2009-10-02 23:04 237072 -c----w- c:\windows\system32\MpSigStub.exe
2012-01-14 19:54 . 2010-05-31 14:48 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2012-01-11 19:06 . 2012-02-15 06:46 3072 -c----w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2003-02-27 00:56 139784 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-05 05:48 . 2012-01-05 05:48 138056 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-01-05 05:48 . 2012-01-05 05:48 138056 -c--a-w- c:\documents and settings\jacob\Application Data\PnkBstrK.sys
2012-01-05 05:47 . 2012-01-05 05:47 189248 -c--a-w- c:\windows\system32\PnkBstrB.exe
2012-01-05 05:47 . 2012-01-05 05:47 75136 -c--a-w- c:\windows\system32\PnkBstrA.exe
2012-03-24 16:23 . 2012-01-06 01:33 97208 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2007-08-25 03:52 . 2008-02-09 02:09 300400 -c--a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2001-08-18 12:00 94784 -csh--w- c:\windows\twain.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"H/PC Connection Agent"="d:\program files\WCESCOMM.EXE" [2003-04-22 413775]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"ATIPTA"="atiptaxx.exe" [2001-09-27 245760]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
backup=c:\windows\pss\AOL Companion.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jamie madigan^Start Menu^Programs^Startup^Banshee Screamer Alarm.lnk]
backup=c:\windows\pss\Banshee Screamer Alarm.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jamie madigan^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\jamie madigan\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jamie madigan^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jamie madigan^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=c:\windows\pss\PowerReg Scheduler.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jamie madigan^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=c:\windows\pss\PowerReg SchedulerV2.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2001-08-17 04:41 28738 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\WCESCOMM.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R1 MpKsl021a96a7;MpKsl021a96a7;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{46EF3325-94D1-4FAD-A075-54EFE096C43D}\MpKsl021a96a7.sys [3/28/2012 5:42 AM 29904]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/12/2011 12:01 AM 652360]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\windows\system32\drivers\es1370mp.sys [11/9/2009 5:51 PM 37120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/12/2011 12:00 AM 20464]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 3:43 PM 204800]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 GGSAFERDriver;GGSAFER Driver;\??\d:\my documents\Garena Plus\Room\safedrv.sys --> d:\my documents\Garena Plus\Room\safedrv.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/26/2007 3:47 AM 272128]
S3 utmzmza3;AVZ Kernel Driver;c:\windows\system32\drivers\utmzmza3.sys [2/17/2011 5:59 PM 7168]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - MPKSL021A96A7
*NewlyCreated* - MPKSLC665E82A
*Deregistered* - aswMBR
*Deregistered* - MpKslc665e82a
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 17:23 452136 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-28 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-06-14 21:07]
.
2012-03-28 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-06-14 21:07]
.
2012-03-27 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-06-14 21:07]
.
2012-03-27 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-06-14 21:07]
.
2012-03-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page =
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 24.154.1.6 24.154.1.37 192.168.1.1 24.154.1.6 24.154.1.37
TCP: Interfaces\{870E5707-EBC8-4FEC-91A7-1C9F31F19226}: NameServer = 208.67.222.123,208.67.220.123
FF - ProfilePath - c:\documents and settings\jacob\Application Data\Mozilla\Firefox\Profiles\ttwr6ldg.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: extensions.autoDisableScopes - 14//iBryte
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-28 12:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,b3,52,cc,75,51,87,4a,8b,28,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,b3,52,cc,75,51,87,4a,8b,28,8c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2480)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
.
Completion time: 2012-03-28 12:08:15
ComboFix-quarantined-files.txt 2012-03-28 16:08
.
Pre-Run: 1,498,054,656 bytes free
Post-Run: 1,577,873,408 bytes free
.
- - End Of File - - 8DC4B7AEAD46D10AC7640E18C3A372D2
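As an added example (not part of this thread and not ComboFix's own tooling): a small Python triage parser for the service/driver lines in a ComboFix log like the one above. The sample lines are copied from that log; the "standard location" roots, the MpKsl exception and the vetted-driver list are my assumptions, and the orphaned Garena driver and the unvetted utmzmza3.sys are what it surfaces.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample: service/driver lines copied from the ComboFix log above
# (a raw string so the Windows paths keep their backslashes).
SAMPLE_LOG = r"""
R1 MpKsl021a96a7;MpKsl021a96a7;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{46EF3325-94D1-4FAD-A075-54EFE096C43D}\MpKsl021a96a7.sys [3/28/2012 5:42 AM 29904]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/12/2011 12:01 AM 652360]
S3 GGSAFERDriver;GGSAFER Driver;\??\d:\my documents\Garena Plus\Room\safedrv.sys --> d:\my documents\Garena Plus\Room\safedrv.sys [?]
S3 utmzmza3;AVZ Kernel Driver;c:\windows\system32\drivers\utmzmza3.sys [2/17/2011 5:59 PM 7168]
"""

# One ComboFix service line: "<state> <name>;<display>;<image path> [<timestamp> <size>]";
# when the image file is gone ComboFix prints "<NT path> --> <resolved path> [?]" instead.
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)\s+\[(?P<meta>[^\]]*)\]$"
)

# Where a driver or service binary is expected to live on this XP box (assumption).
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# Microsoft Security Essentials loads its MpKsl* driver from its definition-update
# folder under Application Data; treating that as known behaviour is my assumption.
KNOWN_PREFIXES = ("mpksl",)


@dataclass
class ServiceEntry:
    state: str           # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str            # resolved image path, lower-cased for comparisons
    missing: bool        # True when ComboFix printed "[?]" (file not on disk)
    size: Optional[int]  # byte size from the bracket, None when the file is missing


def parse_services(text: str) -> List[ServiceEntry]:
    """Pull every R*/S* service line out of a ComboFix log into structured records."""
    entries: List[ServiceEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and other sections are skipped
        meta = m.group("meta").strip()
        # "\??\x --> y": the NT path x resolved to y, so keep the resolved path
        path = m.group("rest").split("-->")[-1].strip().lower()
        missing = meta == "?"
        size = None if missing else int(meta.split()[-1])
        entries.append(ServiceEntry(m.group("state"), m.group("name"),
                                    m.group("display"), path, missing, size))
    return entries


def triage(entries: List[ServiceEntry], vetted: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Return {service name: [flags]} for the entries an analyst should look at next."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if e.name.lower().startswith(KNOWN_PREFIXES):
            continue
        flags: List[str] = []
        if e.missing:
            flags.append("image file missing (orphaned service entry)")
        if not e.path.startswith(STANDARD_ROOTS):
            flags.append("loads from outside Windows/Program Files")
        if e.path.endswith(".sys") and e.name not in vetted:
            flags.append("kernel driver not on the vetted list: hash it and check it on VirusTotal")
        if flags:
            findings[e.name] = flags
    return findings


if __name__ == "__main__":
    for name, flags in triage(parse_services(SAMPLE_LOG)).items():
        print(name)
        for f in flags:
            print("   -", f)
```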

#12
WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi,

How is your computer?

You have two antivirus programs installed on your computer (ThreatFire and Microsoft Security Essentials). Please uninstall one of them, because having both installed brings no benefit for computer security. Besides, they can compete with each other for system resources. More than one AV running has been known to produce false positives, and you end up with less protection.

# Step 1 #

Please go to Start > Control Panel and click Add or Remove Programs. Then remove the software below:
  • ThreatFire or Microsoft Security Essentials


# Step 2 #

Disable your antivirus software
  • Access the ESET Online Scanner website using the Internet Explorer browser.
    http://www.eset.com/...escan/index.php
  • Do the scan as shown in the image:

    [screenshot: ESET Online Scanner settings]
  • At the end, check the box "Delete Quarantined files" and click [FINISH]
  • A log will be generated at C:\Program Files\EsetOnlineScanner\Log.txt
    PS: If you don't find the log.txt file in \EsetOnlineScanner\, look in \Program Files\Eset\EsetOnlineScanner\log.txt
  • Post that log.


#13
jamiemad1

    Member

  • Topic Starter
  • Member
  • 98 posts
Hi and thank you. That's weird, I haven't had ThreatFire for years; is it possible that that is hiding as a virus? I used the tool to completely remove ThreatFire. I will post the ESET logs, thank you.

Edited by jamiemad1, 28 March 2012 - 03:28 PM.


#14
jamiemad1

    Member

  • Topic Starter
  • Member
  • 98 posts
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=a8d64ab3a4246542a644b4b7956862cf
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-29 02:01:04
# local_time=2012-03-28 10:01:04 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=4352 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776534 100 100 74256771 173572292 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=70891
# found=0
# cleaned=0
# scan_time=16142

#15
WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts

Hi and thank you. That's weird, I haven't had ThreatFire for years; is it possible that that is hiding as a virus? I used the tool to completely remove ThreatFire. I will post the ESET logs, thank you.

No, this could be an entry left over when the antivirus was uninstalled.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day: your log now appears clean.

The following will implement some cleanup procedures as well as reset System Restore points:


Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK

    Posted Image
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled


Remove OTL

Run OTL and hit the CleanUp button. It will remove all the programmes we have used plus itself.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones
  • Go to Start > All Programs > Accessories > System Tools
  • Right click Disk Cleanup and select Run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean

Download and install the FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?

Keep safe.