Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Non-stop security warning popups make computer unuseable

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Non-stop security warning popups make computer unuseable

Unread postby camcrow » April 27th, 2010, 12:24 am

Uninstalled Avira and installed Avast. Cleaned out old Adobe and Java stuff, Re-installed updated Adobe. Updated JRE won't install. Getting an error about "can't install with current internet settings"...

Ran OTM, pasted in the instructions but then accidentally hit Clean Up instead of move it (oops!!!). I re-ran it with instruction and hit Move It second time.

logs:

All processes killed
========== PROCESSES ==========
========== FILES ==========
LoadLibrary failed for C:\Documents and Settings\Chandler Crow\Local Settings\Application Data\2991590366.dll
File move failed. C:\Documents and Settings\Chandler Crow\Local Settings\Application Data\2991590366.dll scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Chandler Crow
->Temp folder emptied: 108577578 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 221949 bytes
->FireFox cache emptied: 38268397 bytes
->Flash cache emptied: 2521 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: TEMP(2)

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 702072 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 88179488 bytes

Total Files Cleaned = 225.00 mb


OTM by OldTimer - Version 3.1.10.2 log created on 04262010_230747


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:19 PM, on 4/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5860 bytes
camcrow
Regular Member
 
Posts: 26
Joined: January 30th, 2010, 1:45 am
Advertisement
Register to Remove

Re: Non-stop security warning popups make computer unuseable

Unread postby Airscape » April 27th, 2010, 3:59 pm

Updated JRE won't install. Getting an error about "can't install with current internet settings"...


Update to the latest Internet Explorer 8 from Here

Then try running the Java update again Here

Then update Avast, do a full scan, and fix/remove anything it finds.

Kaspersky online scan
Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases

  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
This online tutorial will help explain how to use the aforementioned online scan.

How is the pc running now? Let me know if there's any further problems.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Non-stop security warning popups make computer unuseable

Unread postby camcrow » April 28th, 2010, 12:38 am

Followed all the instructions. Updated browser to latest version (mozilla, we don't use explorer) Updated Java and Adobe. Took off Avira and installed Avast, updated db and ran full scan. It found two infected files. I cleaned them with Avast.

Now I'm trying to run Kaspersky but I keep getting a pop up with this Java error: "Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program."

There is no interruption with my internet connection. Other computers running on it no problem...

Not sure what to do next.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:48 PM, on 4/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6465 bytes
camcrow
Regular Member
 
Posts: 26
Joined: January 30th, 2010, 1:45 am

Re: Non-stop security warning popups make computer unuseable

Unread postby Airscape » April 29th, 2010, 2:06 pm

Hi,

Please can you post any logs/infomation from the Avast scan. It's important I find out what was removed.

Also, it's very important that you update to the latest Internet Explorer even if you don't use it. If it's installed on your pc then it will contain some security risks.
http://www.microsoft.com/windows/intern ... fault.aspx

---------------------

Please download ATF Cleaner to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • Note: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

--------------------------------------

Disable Avast for this scan:
"Right click on the avast! icon in system tray and choose (Stop On-Access Protection)"

Eset online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic along with any logs/information from the Avast scan.

Remember to Enable Avast when the scan finishes.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Non-stop security warning popups make computer unuseable

Unread postby camcrow » May 1st, 2010, 11:55 am

Updated Explorer. Ran ATF cleaner. The ESET scanner won't run properly, not from Firefox or IE. after accepting license terms, it goes to download components, then i get error: "Can not get update. Is proxy configured?" I disabled Avast before running and followed all our instructions, not sure what the problem is...

I can not, for the life of me, figure out how to export or copy to text file the Avast scan log. Really bad UI on the new version of that program IMHO. I tried taking a screen grab but it seems too large to attach here... but anyway 2 threats found and removed by Avast, I'll type it out:

Threat: Win32:Hilot [Trj] -- A0048405.dll
Threat: Win32:MalOb-AL [Cryp] -- A0048407.dll

Both were found in C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP543\
camcrow
Regular Member
 
Posts: 26
Joined: January 30th, 2010, 1:45 am

Re: Non-stop security warning popups make computer unuseable

Unread postby Airscape » May 2nd, 2010, 8:53 pm

I would like to check a few more things, please continue to follow this topic until I say your pc is clean.

Download a new version of Gmer and run it. There is some settings I need you to change, please follow carefully:


Gmer
Download GMER Rootkit Scanner from here & save it to your desktop.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. UNCHECK the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Do not run any programs while Gmer is running.

NOTE: If you cannot run GMER as indicated above, save a scan from the initial startup scan.
  • Before scanning, make sure all other running programs are closed & no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan
  • Double click the gmer.exe file
  • The program will begin to run & perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No
  • After the "initial scan" is complete, click on the Save button, save the log file to your desktop & post it in your reply
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Non-stop security warning popups make computer unuseable

Unread postby camcrow » May 3rd, 2010, 12:59 pm

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-03 11:57:44
Windows 5.1.2600 Service Pack 3
Running: spnzfgzb.exe; Driver: C:\DOCUME~1\CHANDL~1\LOCALS~1\Temp\agtyqfow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE0E6C08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE0E6AC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xEE0E7078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE0E6FA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEE0E669A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE0E6B9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEE0E65DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEE0E663E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE0E6CBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xEE0E7146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE0E6C7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE0E6DFE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xEE0F350A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xEE0F332E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xEE0F3468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP EE0F346C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805A075C 7 Bytes JMP EE0F3332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CE0 5 Bytes JMP EE0EF4AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B8B58 5 Bytes JMP EE0F097E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP EE0F350E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF6747EBF]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???:?:???:?????@?7?@?7???:?:?:?:?:?:?????????D?D?????:????????????????????????????(?ms_wzcsvc????????????(?ms_steelhead????????????8?ms_rassrv????????????(?ms_rasman????????????8?ms_rascli??????????????ms_server??????????????ms_psched????????????(?ms_gpc????????????(?ms_alg????????????(?ms_netbios????????????(?ms_rsvp??????????????ms_msclient??????????????ms_webclient????????????(?ms_pppoe????????????8?ms_pptp????????????8?ms_l2tp????????????(?ms_ndiswan????????????(?ms_ndisuio????????????8?ms_netbt_smb????????????(?ms_netbt??????????????ms_tcpip??????????????usb\vid_07b2&pid_5100?USB\VID_07B2&PID_5100\000B06F69D35?????????????pci\ven_14e4&dev_4318&subsys_1355103c?PCI\VEN_14E4&DEV_4318&SUBSYS_1355103C&REV_02\4&13826118&1&10A4?????????????v1394\nic1394?V1394\NIC1394\7919417D663F0200?????????????pci\ven_10ec&dev_8139&subsys_30a4103c?PCI\VEN_10EC&DEV_8139&SUBSYS_30A4103C&REV_10\4&13826118&1&30A4???????????)?ms_ndiswanip?ROOT\MS_NDISWANIP\0000???????????)?ms_ptiminiport?ROOT\MS_PTIMINIPORT\0000???????????)?ms_pp

---- EOF - GMER 1.0.15 ----
camcrow
Regular Member
 
Posts: 26
Joined: January 30th, 2010, 1:45 am

Re: Non-stop security warning popups make computer unuseable

Unread postby Airscape » May 4th, 2010, 2:55 pm

Please try restarting your computer (if not done so already) and running the scan again. Other than that your logs are looking clean so far. How is the pc running now?


Disable Avast for this scan:
"Right click on the avast! icon in system tray and choose (Stop On-Access Protection)"

Eset online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Remember to Enable Avast when the scan finishes.

---------------------------------------------------

If that doesnt work try this::

Please run the F-Secure Online Scanner
Note: Use Internet Explorer for this scan.
Accept the License Agreement and click Run Check.
When prompted agree to the Active X install.
Click Full Scan and then click Start.
It will then start downloading files, this may take a while.
The scan may take hours to complete. Please let it finish completely.
When the scan completes, click the Show Report button.
Copy/paste the results into your next reply.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Non-stop security warning popups make computer unuseable

Unread postby camcrow » May 4th, 2010, 8:24 pm

Rebooted. Re-ran gmer. Logs below. ESET scanner does not work in firefox, exact same "can not get download, is proxy configured?" error from previous attempt. Tried in Explorer, but IE 8 (recently updated according to your instructions!) refuses to acknowledge connection to the internet. I guess I'll try re-installing/updating. What a great browser.

The other online scanner you mention, who knows, because IE can't recognize connection to net.
this is getting very frustrating.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-04 19:18:16
Windows 5.1.2600 Service Pack 3
Running: spnzfgzb.exe; Driver: C:\DOCUME~1\CHANDL~1\LOCALS~1\Temp\agtyqfow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE9A0C08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE9A0AC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xEE9A1078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE9A0FA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEE9A069A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE9A0B9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEE9A05DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEE9A063E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE9A0CBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xEE9A1146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE9A0C7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE9A0DFE]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF6FEDEBF]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1620] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Chandler Crow\Local Settings\Application Data\Mozilla\Firefox\Profiles\npp6qhyu.default\Cache\776E7A1Bd01 36052 bytes
File C:\Documents and Settings\Chandler Crow\Local Settings\Application Data\Mozilla\Firefox\Profiles\npp6qhyu.default\Cache\B8CA068Dd01 561130 bytes
File C:\Documents and Settings\Chandler Crow\Local Settings\Application Data\Mozilla\Firefox\Profiles\npp6qhyu.default\Cache\6F4F16F2d01 35859 bytes
File C:\Documents and Settings\Chandler Crow\Local Settings\Application Data\Mozilla\Firefox\Profiles\npp6qhyu.default\Cache\D642EB3Ed01 450902 bytes

---- EOF - GMER 1.0.15 ----
camcrow
Regular Member
 
Posts: 26
Joined: January 30th, 2010, 1:45 am

Re: Non-stop security warning popups make computer unuseable

Unread postby Airscape » May 5th, 2010, 12:22 pm

Hi,

Please run the following tool and post it's log.


Download/Run ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe


**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please post the following in your next reply:
C:\ComboFix.txt
Update on how the computer is running
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Non-stop security warning popups make computer unuseable

Unread postby camcrow » May 5th, 2010, 5:27 pm

PC running fine in terms of original issue no longer occurring (security popups). I don't know why a fresh, updated version of IE won't recognize the internet connection, but I don't really care as I do not use it.

Here is the combofix log:

ComboFix 10-05-04.06 - Chandler Crow 05/05/2010 13:05:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.617 [GMT -5:00]
Running from: c:\documents and settings\Chandler Crow\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chandler Crow\Desktop\Internet Security 2010.lnk
c:\documents and settings\Chandler Crow\Local Settings\Application Data\{18979095-4D1E-47A2-AF5E-4FA27C6CD910}
c:\documents and settings\Chandler Crow\Local Settings\Application Data\{18979095-4D1E-47A2-AF5E-4FA27C6CD910}\chrome.manifest
c:\documents and settings\Chandler Crow\Local Settings\Application Data\{18979095-4D1E-47A2-AF5E-4FA27C6CD910}\chrome\content\_cfg.js
c:\documents and settings\Chandler Crow\Local Settings\Application Data\{18979095-4D1E-47A2-AF5E-4FA27C6CD910}\chrome\content\overlay.xul
c:\documents and settings\Chandler Crow\Local Settings\Application Data\{18979095-4D1E-47A2-AF5E-4FA27C6CD910}\install.rdf
c:\program files\WindowsUpdate
c:\windows\nvDrv.sy
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-05 08:01 . 2010-05-05 08:02 -------- d-----w- c:\windows\ie8updates
2010-05-05 08:00 . 2010-05-05 08:00 -------- d-----w- c:\windows\LastGood
2010-05-05 00:33 . 2010-05-05 00:35 -------- dc-h--w- c:\windows\ie8
2010-05-04 22:25 . 2010-05-04 22:25 -------- d-sh--w- c:\documents and settings\Chandler Crow\PrivacIE
2010-05-04 22:13 . 2010-05-04 22:13 -------- d-sh--w- c:\documents and settings\Chandler Crow\IETldCache
2010-05-02 01:47 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-05-02 01:47 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-01 04:50 . 2010-05-01 04:50 -------- d-----w- c:\program files\ESET
2010-04-27 21:01 . 2010-04-27 21:01 503808 ----a-w- c:\documents and settings\Chandler Crow\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651b128d-n\msvcp71.dll
2010-04-27 21:01 . 2010-04-27 21:01 499712 ----a-w- c:\documents and settings\Chandler Crow\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651b128d-n\jmc.dll
2010-04-27 21:01 . 2010-04-27 21:01 348160 ----a-w- c:\documents and settings\Chandler Crow\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651b128d-n\msvcr71.dll
2010-04-27 21:00 . 2010-04-27 21:00 61440 ----a-w- c:\documents and settings\Chandler Crow\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-552bef8b-n\decora-sse.dll
2010-04-27 21:00 . 2010-04-27 21:00 12800 ----a-w- c:\documents and settings\Chandler Crow\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-552bef8b-n\decora-d3d.dll
2010-04-27 21:00 . 2010-04-27 21:00 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-27 04:07 . 2010-04-27 04:07 -------- d-----w- C:\_OTM
2010-04-27 03:33 . 2010-04-27 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-27 03:32 . 2010-01-11 00:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-04-27 03:32 . 2010-04-27 03:32 -------- d-----w- c:\program files\SpywareBlaster
2010-04-27 03:31 . 2010-04-27 03:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-27 03:26 . 2010-05-01 04:37 -------- d-----w- c:\documents and settings\Chandler Crow\Local Settings\Application Data\Temp
2010-04-27 03:26 . 2010-04-27 03:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-27 03:26 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-27 03:26 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-27 03:26 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-27 03:26 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-27 03:26 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-27 03:26 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-27 03:26 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-27 03:26 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-27 03:26 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-27 03:25 . 2010-04-27 03:25 -------- d-----w- c:\program files\Alwil Software
2010-04-27 03:25 . 2010-04-27 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-20 14:13 . 2010-04-20 14:13 -------- d-----w- c:\program files\ERUNT
2010-04-18 18:39 . 2010-04-18 18:39 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-04-11 16:31 . 2010-04-11 16:31 -------- d-----w- c:\program files\Trend Micro
2010-04-11 16:22 . 2010-04-11 16:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 19:23 . 2008-11-14 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-27 21:00 . 2006-04-13 12:50 -------- d-----w- c:\program files\Common Files\Java
2010-04-27 21:00 . 2006-04-13 12:50 -------- d-----w- c:\program files\Java
2010-04-27 04:10 . 2006-04-13 13:56 63312 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-27 04:03 . 2006-07-31 01:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-27 03:55 . 2006-04-13 13:31 -------- d-----w- c:\program files\WildTangent
2010-04-27 03:29 . 2006-04-13 13:41 -------- d-----w- c:\program files\Google
2010-04-20 14:27 . 2008-12-20 22:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-19 15:31 . 2010-01-15 00:46 0 ----a-w- c:\windows\Enisocelozu.bin
2010-04-07 07:53 . 2010-01-15 00:46 120 ----a-w- c:\windows\Bwovigejimiji.dat
2010-04-06 23:19 . 2006-07-30 03:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-04 17:43 . 2009-10-09 23:33 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 05:46 . 2008-12-20 22:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2008-12-20 22:23 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15 . 2004-08-10 15:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-10 15:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-10 15:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 14:10 . 2004-08-10 15:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-10 15:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-10 15:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-10 15:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/26/2010 10:26 PM 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/26/2010 10:26 PM 19024]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2010 10:26 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-05-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-14 05:08]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 03:26]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 03:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - ProfilePath - c:\documents and settings\Chandler Crow\Application Data\Mozilla\Firefox\Profiles\npp6qhyu.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com
FF - plugin: c:\documents and settings\Chandler Crow\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Chandler Crow\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 13:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?`???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-05 13:10:36
ComboFix-quarantined-files.txt 2010-05-05 18:10

Pre-Run: 40,581,091,328 bytes free
Post-Run: 40,547,622,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 4F44346AE1EC479EA8A70354445CB7DC
camcrow
Regular Member
 
Posts: 26
Joined: January 30th, 2010, 1:45 am

Re: Non-stop security warning popups make computer unuseable

Unread postby Airscape » May 5th, 2010, 10:38 pm

Try this:
In Internet Explorer: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.



Please right-click on your copy of ComboFix.exe and copy/paste it onto the Desktop before doing the following:

Make sure the security programs are still disabled.

Run CFScript
  • Click > Start > Run > type Notepad > click OK
  • Copy/Paste the following text inside the code box into Notepad: (don't include the word code)

    Code: Select all
    KillAll::
    File::
    c:\windows\Enisocelozu.bin
    c:\windows\Bwovigejimiji.dat
    
    Folder::
    c:\program files\WildTangent
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555

  • Goto File > Save as... and save it CFScript.txt
  • Now drag the CFScript.txt file into ComboFix.exe as shown in the animation below... This will start ComboFix again.

    Image
  • The tool may require a reboot - this is normal.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back with the ComboFix log and try launching the Internet Explorer browser and see if it loads.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Non-stop security warning popups make computer unuseable

Unread postby camcrow » May 6th, 2010, 4:49 pm

Started IE8 to follow your instructions about proxy settings, but before i did anything, it is now recognizing internet connection and functioning properly... so perhaps the last combofix scan solved that problem?

Ran custom combofix script, as instructed, here is the log:

ComboFix 10-05-04.06 - Chandler Crow 05/06/2010 14:28:00.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.510 [GMT -5:00]
Running from: c:\documents and settings\Chandler Crow\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chandler Crow\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\windows\Bwovigejimiji.dat"
"c:\windows\Enisocelozu.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WildTangent
c:\program files\WildTangent\Apps\GameChannel\Games\074EEF5F-3BE8-4112-B253-C5D6CDE2924C\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\074EEF5F-3BE8-4112-B253-C5D6CDE2924C\userdata\highscores.dat
c:\program files\WildTangent\Apps\GameChannel\Games\074EEF5F-3BE8-4112-B253-C5D6CDE2924C\userdata\user1.dat
c:\program files\WildTangent\Apps\GameChannel\Games\074EEF5F-3BE8-4112-B253-C5D6CDE2924C\userdata\users.dat
c:\program files\WildTangent\Apps\GameChannel\Games\0E5266B4-9069-401A-93AE-5FF9F1712016\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\0E5266B4-9069-401A-93AE-5FF9F1712016\userdata\highscores.dat
c:\program files\WildTangent\Apps\GameChannel\Games\0E5266B4-9069-401A-93AE-5FF9F1712016\userdata\user1.dat
c:\program files\WildTangent\Apps\GameChannel\Games\0E5266B4-9069-401A-93AE-5FF9F1712016\userdata\users.dat
c:\program files\WildTangent\Apps\GameChannel\Games\103EFD47-9F2C-4490-95DD-AE6C442AFB92\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\1C3FDBBA-EBF7-4CDB-AD8A-A1125734AF86\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\320F055A-570F-4335-B026-16A836DB9549\config.dat
c:\program files\WildTangent\Apps\GameChannel\Games\320F055A-570F-4335-B026-16A836DB9549\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\382C11F0-1A18-4F76-B8E0-15CA7F209C22\Chuzzle.exe.bak
c:\program files\WildTangent\Apps\GameChannel\Games\382C11F0-1A18-4F76-B8E0-15CA7F209C22\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\382C11F0-1A18-4F76-B8E0-15CA7F209C22\Profiles\Chang\INFO.CFG
c:\program files\WildTangent\Apps\GameChannel\Games\382C11F0-1A18-4F76-B8E0-15CA7F209C22\Profiles\Chang\SAVEGAME-CHUZZLEPUZZLE.DAT
c:\program files\WildTangent\Apps\GameChannel\Games\382C11F0-1A18-4F76-B8E0-15CA7F209C22\Profiles\config.cfg
c:\program files\WildTangent\Apps\GameChannel\Games\382C11F0-1A18-4F76-B8E0-15CA7F209C22\Profiles\HSChuzzlePuzzle.cfg
c:\program files\WildTangent\Apps\GameChannel\Games\382C11F0-1A18-4F76-B8E0-15CA7F209C22\Profiles\HSSpeedChuzzle.cfg
c:\program files\WildTangent\Apps\GameChannel\Games\384E0BF4-1E1F-45A6-B60E-42144A3F15CD\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\384E0BF4-1E1F-45A6-B60E-42144A3F15CD\options.dat
c:\program files\WildTangent\Apps\GameChannel\Games\4C061F83-EE92-445A-A03F-184B0BD59242\chandler.plre
c:\program files\WildTangent\Apps\GameChannel\Games\4C061F83-EE92-445A-A03F-184B0BD59242\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\4C061F83-EE92-445A-A03F-184B0BD59242\players.cfge
c:\program files\WildTangent\Apps\GameChannel\Games\4C061F83-EE92-445A-A03F-184B0BD59242\scores.cfge
c:\program files\WildTangent\Apps\GameChannel\Games\4C061F83-EE92-445A-A03F-184B0BD59242\stderr.txt
c:\program files\WildTangent\Apps\GameChannel\Games\4C061F83-EE92-445A-A03F-184B0BD59242\stdout.txt
c:\program files\WildTangent\Apps\GameChannel\Games\5658FB14-16A4-4DAE-946B-1457BE31572E\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\5758A0E8-A112-4A1D-82EC-EC72F7F16B88\buyPage.js
c:\program files\WildTangent\Apps\GameChannel\Games\5758A0E8-A112-4A1D-82EC-EC72F7F16B88\clientOptions.dat
c:\program files\WildTangent\Apps\GameChannel\Games\5758A0E8-A112-4A1D-82EC-EC72F7F16B88\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\5DE4D54F-AA79-43A4-9C8A-C173E7E2B025\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\6E377D95-DF37-4E67-B64B-68C314600BCB\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\6ECB6EE6-92E1-4525-AF3B-3CE51A7C5F89\config.dat
c:\program files\WildTangent\Apps\GameChannel\Games\6ECB6EE6-92E1-4525-AF3B-3CE51A7C5F89\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\6ECB6EE6-92E1-4525-AF3B-3CE51A7C5F89\SAVE\0.FFD
c:\program files\WildTangent\Apps\GameChannel\Games\6ECB6EE6-92E1-4525-AF3B-3CE51A7C5F89\thumb.DDS
c:\program files\WildTangent\Apps\GameChannel\Games\7948472C-423F-4134-B68F-48D660A05D71\Big Kahuna Reef.exe
c:\program files\WildTangent\Apps\GameChannel\Games\7948472C-423F-4134-B68F-48D660A05D71\Big Kahuna Reef.exe.bak
c:\program files\WildTangent\Apps\GameChannel\Games\7948472C-423F-4134-B68F-48D660A05D71\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\7A940E33-6993-404B-ABA6-ED62E8FBE615\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\7ED8A70C-9597-40BE-AEA0-0573182F1F51\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\7ED8A70C-9597-40BE-AEA0-0573182F1F51\settings.dat
c:\program files\WildTangent\Apps\GameChannel\Games\7F8C5718-1BA9-4AAE-96D2-2B04D05F2D54\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\9F3399B2-9ED6-4339-84A2-686432638B86\data.dat
c:\program files\WildTangent\Apps\GameChannel\Games\9F3399B2-9ED6-4339-84A2-686432638B86\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\B0202B33-E73D-4FCD-AC88-0B2971AFC116\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\B0202B33-E73D-4FCD-AC88-0B2971AFC116\settings.dat
c:\program files\WildTangent\Apps\GameChannel\Games\B0202B33-E73D-4FCD-AC88-0B2971AFC116\ws.js
c:\program files\WildTangent\Apps\GameChannel\Games\B0769D17-E72A-4E87-A83F-1F7A3F080008\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\C264D692-8E15-4141-96A2-5621332E5DD0\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\D2E44AA4-8665-4490-A6C9-2D0744B47B27\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\DED8E2B5-BA9F-448F-84E8-0AEF79876F95\config.dat
c:\program files\WildTangent\Apps\GameChannel\Games\DED8E2B5-BA9F-448F-84E8-0AEF79876F95\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\DED8E2B5-BA9F-448F-84E8-0AEF79876F95\saves\bitchybitch.sav
c:\program files\WildTangent\Apps\GameChannel\Games\DED8E2B5-BA9F-448F-84E8-0AEF79876F95\saves\dr chang.sav
c:\program files\WildTangent\Apps\GameChannel\Games\DED8E2B5-BA9F-448F-84E8-0AEF79876F95\saves\HSRC.hsc
c:\program files\WildTangent\Apps\GameChannel\Games\DED8E2B5-BA9F-448F-84E8-0AEF79876F95\saves\Player.sav
c:\program files\WildTangent\Apps\GameChannel\Games\E332F38A-75F6-4EF2-88CC-246E8A1CB5D7\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\E76A7EFF-7758-49EE-B3FA-9699830A2D6B\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\E90E3AE9-73E4-4E5C-BB0F-673989A808D0\dedr-ewr-20060801-000156.dat
c:\program files\WildTangent\Apps\GameChannel\Games\E90E3AE9-73E4-4E5C-BB0F-673989A808D0\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\E90E3AE9-73E4-4E5C-BB0F-673989A808D0\options.dat
c:\program files\WildTangent\Apps\GameChannel\Games\E94C7046-2F7D-4D4D-B76F-C412DCCEAAC2\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\E94C7046-2F7D-4D4D-B76F-C412DCCEAAC2\settings
c:\program files\WildTangent\Apps\GameChannel\Games\EF860173-4FB7-4DE1-8BE8-5400F05A0DC5\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\EF860173-4FB7-4DE1-8BE8-5400F05A0DC5\PuzzleExpress.dat
c:\program files\WildTangent\Apps\GameChannel\Games\EF860173-4FB7-4DE1-8BE8-5400F05A0DC5\PuzzleExpress.exe
c:\program files\WildTangent\Apps\GameChannel\Games\EF860173-4FB7-4DE1-8BE8-5400F05A0DC5\PuzzleExpress.ini
c:\program files\WildTangent\Apps\GameChannel\Games\F2566CC2-D4C4-44ED-A838-3F8288D8D3FE\def.dat
c:\program files\WildTangent\Apps\GameChannel\Games\F2566CC2-D4C4-44ED-A838-3F8288D8D3FE\FlipWords.dat
c:\program files\WildTangent\Apps\GameChannel\Games\F2566CC2-D4C4-44ED-A838-3F8288D8D3FE\FlipWords.ini
c:\program files\WildTangent\Apps\hpuninstall.exe
c:\program files\WildTangent\Apps\icon.ico
c:\program files\WildTangent\Apps\onplay.exe
c:\program files\WildTangent\Apps\sm_contests.ico
c:\program files\WildTangent\Apps\sm_wildboards.ico
c:\program files\WildTangent\Components\wtStreamProcessing0300.dll
c:\program files\WildTangent\LicenseStores\WT\009F1FAA-D770-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\029DCD25-76A5-48e8-9DC1-062D2834960A.wtlic
c:\program files\WildTangent\LicenseStores\WT\058D8AB2-0002-4963-8BEF-C53407A55AB8.wtlic
c:\program files\WildTangent\LicenseStores\WT\06D94514-BD83-426f-AE01-F11119569E09.wtlic
c:\program files\WildTangent\LicenseStores\WT\0DF4FEC0-86B4-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\13E38CFC-81C8-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\255A0496-8F58-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\262A5CE3-8F27-44D5-A8A1-6A7B46A46B1A.wtlic
c:\program files\WildTangent\LicenseStores\WT\2D7D1648-86AE-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\4B39DF83-1063-4fcc-B1B4-0E116120D387.wtlic
c:\program files\WildTangent\LicenseStores\WT\4DE823A2-D837-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\5C360522-2C85-4f21-AE16-6A9418BBA671.wtlic
c:\program files\WildTangent\LicenseStores\WT\5F7E059C-CAEF-43ad-9378-DD87D8B6B154.wtlic
c:\program files\WildTangent\LicenseStores\WT\663B3761-603B-4a7f-84C3-E4B22FC55514.wtlic
c:\program files\WildTangent\LicenseStores\WT\66DA97C0-81C8-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\6DEEEEDF-6404-4f02-AE07-4F4CB1A3D5F6.wtlic
c:\program files\WildTangent\LicenseStores\WT\6E19C296-7722-4e20-A653-2CEA4DCBF293.wtlic
c:\program files\WildTangent\LicenseStores\WT\7B08ACF6-875D-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\7C0D326A-D772-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\81CB1406-81C8-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\A7456F43-E255-4c09-90BD-81EC82890C69.wtlic
c:\program files\WildTangent\LicenseStores\WT\A89F520A-81C7-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\B2F422C1-3F25-4731-9CC9-1EBD63C09201.wtlic
c:\program files\WildTangent\LicenseStores\WT\C14E1B68-8F57-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\D1822716-86AD-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\D1FBFB02-8F56-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\D36E5BE2-81C8-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\F3B5F74E-D848-11D9-8BDE-F66BAD1E3F3A.wtlic
c:\program files\WildTangent\LicenseStores\WT\FAE5F8B1-E98F-48ca-A6DA-5516E6011963.wtlic
c:\windows\Bwovigejimiji.dat
c:\windows\Enisocelozu.bin

.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-05 08:01 . 2010-05-05 08:02 -------- d-----w- c:\windows\ie8updates
2010-05-05 00:33 . 2010-05-05 00:35 -------- dc-h--w- c:\windows\ie8
2010-05-04 22:25 . 2010-05-04 22:25 -------- d-sh--w- c:\documents and settings\Chandler Crow\PrivacIE
2010-05-04 22:13 . 2010-05-04 22:13 -------- d-sh--w- c:\documents and settings\Chandler Crow\IETldCache
2010-05-02 01:47 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-05-02 01:47 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-01 04:50 . 2010-05-01 04:50 -------- d-----w- c:\program files\ESET
2010-04-27 21:01 . 2010-04-27 21:01 503808 ----a-w- c:\documents and settings\Chandler Crow\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651b128d-n\msvcp71.dll
2010-04-27 21:01 . 2010-04-27 21:01 499712 ----a-w- c:\documents and settings\Chandler Crow\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651b128d-n\jmc.dll
2010-04-27 21:01 . 2010-04-27 21:01 348160 ----a-w- c:\documents and settings\Chandler Crow\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651b128d-n\msvcr71.dll
2010-04-27 21:00 . 2010-04-27 21:00 61440 ----a-w- c:\documents and settings\Chandler Crow\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-552bef8b-n\decora-sse.dll
2010-04-27 21:00 . 2010-04-27 21:00 12800 ----a-w- c:\documents and settings\Chandler Crow\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-552bef8b-n\decora-d3d.dll
2010-04-27 21:00 . 2010-04-27 21:00 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-27 04:07 . 2010-04-27 04:07 -------- d-----w- C:\_OTM
2010-04-27 03:33 . 2010-04-27 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-27 03:32 . 2010-01-11 00:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-04-27 03:32 . 2010-04-27 03:32 -------- d-----w- c:\program files\SpywareBlaster
2010-04-27 03:31 . 2010-04-27 03:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-27 03:26 . 2010-05-01 04:37 -------- d-----w- c:\documents and settings\Chandler Crow\Local Settings\Application Data\Temp
2010-04-27 03:26 . 2010-04-27 03:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-27 03:26 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-27 03:26 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-27 03:26 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-27 03:26 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-27 03:26 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-27 03:26 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-27 03:26 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-27 03:26 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-27 03:26 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-27 03:25 . 2010-04-27 03:25 -------- d-----w- c:\program files\Alwil Software
2010-04-27 03:25 . 2010-04-27 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-20 14:13 . 2010-04-20 14:13 -------- d-----w- c:\program files\ERUNT
2010-04-18 18:39 . 2010-04-18 18:39 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-04-11 16:31 . 2010-04-11 16:31 -------- d-----w- c:\program files\Trend Micro
2010-04-11 16:22 . 2010-04-11 16:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 20:24 . 2008-11-14 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-27 21:00 . 2006-04-13 12:50 -------- d-----w- c:\program files\Common Files\Java
2010-04-27 21:00 . 2006-04-13 12:50 -------- d-----w- c:\program files\Java
2010-04-27 04:10 . 2006-04-13 13:56 63312 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-27 04:03 . 2006-07-31 01:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-27 03:29 . 2006-04-13 13:41 -------- d-----w- c:\program files\Google
2010-04-20 14:27 . 2008-12-20 22:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 23:19 . 2006-07-30 03:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-04 17:43 . 2009-10-09 23:33 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 05:46 . 2008-12-20 22:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2008-12-20 22:23 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15 . 2004-08-10 15:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-10 15:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-10 15:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 14:10 . 2004-08-10 15:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-10 15:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-10 15:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-10 15:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/26/2010 10:26 PM 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/26/2010 10:26 PM 19024]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2010 10:26 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-14 05:08]

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 03:26]

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 03:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Chandler Crow\Application Data\Mozilla\Firefox\Profiles\npp6qhyu.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com
FF - plugin: c:\documents and settings\Chandler Crow\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Chandler Crow\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HP Game Console - c:\program files\WildTangent\Apps\hpuninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 14:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?@???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3548)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2010-05-06 14:38:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-06 19:38
ComboFix2.txt 2010-05-05 18:10

Pre-Run: 40,607,485,952 bytes free
Post-Run: 40,568,492,032 bytes free

- - End Of File - - BC41834EB109DB2CAB42294488DF9A22
camcrow
Regular Member
 
Posts: 26
Joined: January 30th, 2010, 1:45 am

Re: Non-stop security warning popups make computer unuseable

Unread postby Airscape » May 7th, 2010, 5:42 am

Well done your pc now appears to be Malware free. Please advise on any problems you still have.

Don't forget to re-enable any protection programs you may have disabled during the fix.

Please delete the Gmer random.exe file. It should look like this spnzfgzb.exe on your desktop.
Remove the Kaspersky/Eset online scanners through Control Panel > Add/Remove Programs (if present)

If you haven't already done so, open Malwarebytes' Anti-Malware, click Quarantine then Delete All. Close the program.

Uninstall ComboFix
  • Click on Start >> Run...
  • Now type in ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
    Image

The above will implement some cleanup procedures as well as reset System Restore points.

Clean up with OTC
  • Download OTC by Old Timer here and save it to your desktop.
  • Double click on OTC.exe. Click on CleanUp!.
  • You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
  • It will restart your computer automatically. If it doesn't, please restart your computer manually.

The above will remove the majority of tools/logs used in the removal process. If any still exist, please delete them yourself.

--------------------------------------------------

Now some advice for keeping your pc safe and secure for the future:

  • Malwarebytes' Anti-Malware
    This is an excellent application and I advise you keep this installed. Check for updates and run a scan once a week.
  • Other installed security software
    Your presently installed security application Avast automatically checks for updates and downloads/installs them with every system reboot and or periodically if the machine is left running providing an internet connection is active. I advise you also run a complete scan with this also once per week.
  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note:The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-secure Health Check. I suggest that you run one of them at least once a month.


Recommended Programs

I would recommend the download and installation of some or all of the following programs and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit Here
  • Analog X Script Defender
    This will prevent malicious scripts from running on your pc by giving you the option to allow a script or not. Download it Here
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is Here and for more information regarding host files read Here.

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.

I'd be grateful if you could reply to this post so that I know you have read it, and if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Non-stop security warning popups make computer unuseable

Unread postby camcrow » May 8th, 2010, 10:56 pm

Removed everything and cleaned according to instructions above. I appreciate all your persistent help. I will follow your recommendations. Thank you.
camcrow
Regular Member
 
Posts: 26
Joined: January 30th, 2010, 1:45 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 45 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware