New "Virus Protection" program with pop ups on computer...

Re: New "Virus Protection" program with pop ups on computer...

Post by deltalima » September 10th, 2009, 4:50 pm

Hi sharon.anglin,

Could you please confirm that you ran the Malwarebytes scan in normal mode logged in as HP_Administrator? If you run in safe mode and then log in as a normal user you will not be able to access the log.

Please open Malwarebytes and click on the Logs tab and if the log is visible copy and paste the results into the next post.

Also please post the contents of the file C:\ComboFix.txt.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: New "Virus Protection" program with pop ups on computer...

Post by sharon.anglin » September 10th, 2009, 11:41 pm

I was in normal mode, not safe mode. I will check to see if I was logged in as HP_Administrator and let you know.

Thanks again,
Sharon
sharon.anglin
Regular Member
 
Posts: 15
Joined: August 29th, 2009, 2:58 pm

Re: New "Virus Protection" program with pop ups on computer...

Post by deltalima » September 11th, 2009, 1:19 pm

sharon.anglin wrote: I was in normal mode, not safe mode. I will check to see if I was logged in as HP_Administrator and let you know.

Please also give an update as to how the computer is running now.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: New "Virus Protection" program with pop ups on computer...

Post by sharon.anglin » September 11th, 2009, 5:18 pm

The computer runs better but there are still issues with the Internet. It is freezing up after a little while online.

I need to purchase a new virus protection program. What do you recommend?
sharon.anglin
Regular Member
 
Posts: 15
Joined: August 29th, 2009, 2:58 pm

Re: New "Virus Protection" program with pop ups on computer...

Post by deltalima » September 12th, 2009, 9:29 am

Hi sharon.anglin,

Most of the free or commercial antivirus programs do a good job; before you make the choice, I suggest we continue to investigate the problems with your system. Once we have the system clean we can make some quick and easy changes to your system to help prevent further problems.

If you wish to continue, please try to locate the latest ComboFix log, then open Malwarebytes, click on the Logs tab and, if the log is visible, copy and paste the results into the next post along with the ComboFix log.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: New "Virus Protection" program with pop ups on computer...

Post by sharon.anglin » September 15th, 2009, 7:30 pm

Here are the two logs that I was able to open manually. I ran it twice; therefore I am sending both logs.

Thanks again,
Sharon

Malwarebytes' Anti-Malware 1.40
Database version: 2763
Windows 5.1.2600 Service Pack 3

9/9/2009 5:52:28 PM
mbam-log-2009-09-09 (17-52-28).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 255826
Time elapsed: 56 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACodlnpnbeoc.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAComhgqtesep.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1038\A0078310.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1038\A0078311.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.



Log 2:

Malwarebytes' Anti-Malware 1.40
Database version: 2763
Windows 5.1.2600 Service Pack 3

9/9/2009 7:39:35 PM
mbam-log-2009-09-09 (19-39-35).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 256593
Time elapsed: 1 hour(s), 0 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
sharon.anglin
Regular Member
 
Posts: 15
Joined: August 29th, 2009, 2:58 pm

Re: New "Virus Protection" program with pop ups on computer...

Post by deltalima » September 16th, 2009, 5:55 am

Hi sharon.anglin,

Thank you for the Malwarebytes logs; the system is looking much better now. We really need to see the latest ComboFix log. Please post the contents of C:\combofix.txt in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
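The two Malwarebytes logs above show what deltalima's "looking much better" rests on: four of the six hits in the first log sit in ComboFix's quarantine folder (C:\Qoobox\Quarantine) or in a System Restore point rather than in a live location, and the second log is clean. The Python below is an added example, not code from the thread or from Malwarebytes; it parses the log format quoted above, checks that the "Files Infected" counter agrees with the lines actually listed (a pasted log is sometimes truncated), and separates live hits from quarantine and restore-point leftovers. The sample log is a constructed abridgement of the first log posted.

```python
"""Triage a Malwarebytes' Anti-Malware log (format as quoted in the thread).

Extracts the summary counters and the per-section detection lines, checks
that the 'Files Infected' counter matches the lines actually listed, and
separates live hits from leftovers in a quarantine folder or restore point.
"""
import re

# Summary lines such as "Files Infected: 6"; section headers are the same
# text without a number ("Files Infected:").
COUNTER_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
# Detection lines: <path> (<family>) -> <action>
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")

# Hits under these prefixes are debris already taken out of circulation:
# ComboFix's quarantine and Windows System Restore points. Compared
# case-insensitively against the detection path.
INACTIVE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\system volume information\\_restore",
)

# Constructed sample, abridged from the first log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2763
Windows 5.1.2600 Service Pack 3

9/9/2009 5:52:28 PM
mbam-log-2009-09-09 (17-52-28).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 255826
Time elapsed: 56 minute(s), 13 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACodlnpnbeoc.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1038\A0078311.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return (counters, detections): counters maps section name to the
    reported count; detections is a list of dicts with section, path,
    family and action."""
    counters, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
            continue
        if line.endswith(" Infected:"):
            section = line[:-1]          # now inside a detail section
            continue
        if section and line != "(No malicious items detected)":
            m = DETECTION_RE.match(line)
            if m:
                detections.append({"section": section, **m.groupdict()})
    return counters, detections


def is_inactive(path):
    """True if the path lies in a quarantine folder or a restore point."""
    return path.lower().startswith(INACTIVE_PREFIXES)


def triage(text):
    """Summarise a log the way a helper reads it: how many file hits, which
    are live, which are leftovers, and whether the counter is trustworthy."""
    counters, detections = parse_mbam_log(text)
    files = [d for d in detections if d["section"] == "Files Infected"]
    reported = counters.get("Files Infected", 0)
    return {
        "total": reported,
        "counts_match": reported == len(files),
        "live": [d["path"] for d in files if not is_inactive(d["path"])],
        "inactive": [d["path"] for d in files if is_inactive(d["path"])],
        "families": sorted({d["family"] for d in files}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```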

Re: New "Virus Protection" program with pop ups on computer...

Post by sharon.anglin » September 16th, 2009, 7:59 pm

Here is the log for the last combofix that I ran.

Do I need to run it again?

Thanks,
Sharon

ComboFix 09-09-08.05 - HP_Administrator 09/08/2009 20:14.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1363 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\commy.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\program files\CouponPrinter.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\CouponPrinter.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-08 23:43 . 2009-09-08 23:43 -------- d-sh--w- c:\documents and settings\HP_Administrator\IECompatCache
2009-09-03 00:03 . 2009-09-03 00:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-03 00:03 . 2009-09-03 00:03 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-02 23:37 . 2009-09-02 23:37 -------- d-----w- C:\rsit
2009-09-01 04:35 . 2008-06-17 19:02 8461312 ------w- c:\windows\system32\dllcache\shell32.dll
2009-09-01 04:04 . 2009-09-01 04:04 -------- d-----w- c:\program files\AskBarDis
2009-09-01 04:03 . 2009-09-01 04:03 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-01 04:03 . 2009-02-16 05:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-09-01 04:03 . 2009-02-16 05:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-09-01 04:03 . 2009-09-01 04:03 -------- d-----w- c:\windows\system32\ZoneLabs
2009-09-01 04:03 . 2009-09-01 04:03 -------- d-----w- c:\program files\Zone Labs
2009-09-01 04:03 . 2009-02-16 05:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-09-01 04:02 . 2009-09-07 16:35 -------- d-----w- c:\windows\Internet Logs
2009-09-01 03:37 . 2009-09-01 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-09-01 03:37 . 2009-09-01 03:37 -------- d-----w- c:\program files\IObit
2009-08-31 17:04 . 2009-08-31 17:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-31 04:12 . 2009-08-31 04:12 132752 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-29 18:52 . 2009-08-29 18:52 -------- d-----w- c:\program files\Trend Micro
2009-08-29 18:26 . 2009-08-29 18:31 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Uniblue
2009-08-29 18:25 . 2009-09-01 04:26 -------- d-----w- c:\program files\Uniblue
2009-08-29 12:04 . 2009-08-29 12:04 -------- d-sh--w- c:\documents and settings\HP_Administrator\PrivacIE
2009-08-29 08:12 . 2009-08-29 08:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-29 08:07 . 2009-08-29 08:07 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-29 08:07 . 2009-08-29 08:07 -------- d-sh--w- c:\documents and settings\HP_Administrator\IETldCache
2009-08-28 22:45 . 2009-08-28 22:46 -------- d-----w- c:\windows\ie8updates
2009-08-28 22:43 . 2009-08-28 22:44 -------- dc-h--w- c:\windows\ie8
2009-08-28 22:42 . 2009-08-28 22:46 -------- d--h--w- c:\windows\msdownld.tmp
2009-08-28 22:38 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-08-28 22:38 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-28 22:38 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 16:06 . 2009-09-01 03:47 -------- d-----w- c:\program files\Common Files\Uninstall
2009-08-13 02:26 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 16:09 . 2008-04-26 01:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-03 22:10 . 2007-02-19 20:44 -------- d-----w- c:\program files\Google
2009-09-03 22:09 . 2006-11-01 23:17 -------- d-----w- c:\program files\Yahoo!
2009-08-29 14:22 . 2007-03-20 17:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-13 03:24 . 2008-08-28 05:06 -------- d-----w- c:\program files\Safari
2009-08-05 16:54 . 2009-08-03 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-05 16:54 . 2009-08-03 02:04 -------- d-----w- c:\program files\NOS
2009-08-05 09:01 . 2004-08-10 04:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-25 17:45 . 2006-11-01 23:01 58472 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-25 15:52 . 2009-07-25 15:52 -------- d-----w- c:\program files\MSBuild
2009-07-25 15:52 . 2009-07-25 15:52 -------- d-----w- c:\program files\Reference Assemblies
2009-07-17 19:01 . 2004-08-10 04:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 16:24 . 2009-07-16 16:23 -------- d-----w- c:\program files\iTunes
2009-07-16 16:23 . 2006-12-31 18:53 -------- d-----w- c:\program files\iPod
2009-07-16 16:23 . 2007-09-11 13:02 -------- d-----w- c:\program files\Common Files\Apple
2009-07-14 04:43 . 2004-08-10 04:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 04:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 04:00 730112 ------w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 04:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 04:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 04:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 04:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 04:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-10 11:00 92928 ------w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 04:00 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 04:00 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-10 04:00 80896 ------w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-10 11:00 76288 ------w- c:\windows\system32\telnet.exe
2008-11-03 17:40 . 2007-06-16 21:10 1692672 --sha-w- c:\program files\Common Files\ehthumbs.db
2008-11-03 17:39 . 2006-12-31 23:08 4572672 --sha-w- c:\program files\ehthumbs.db
2008-04-26 01:58 . 2008-04-26 01:58 0 ------w- c:\program files\temp01
2006-12-13 03:12 . 2007-03-17 02:58 66648 ------w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2007-03-17 02:58 54352 ------w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2007-03-17 02:58 34928 ------w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2007-03-17 02:58 46696 ------w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2007-03-17 02:58 172120 ------w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 23:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]
"Google Update"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-09 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-31 1095256]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-07-28 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-08-20 943888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-03 18085888]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-1-15 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-11-1 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [7/7/2008 8:59 PM 160792]
R2 {22D78859-9CE9-4b77-BF18-AC83E81A9263};{22D78859-9CE9-4b77-BF18-AC83E81A9263};c:\program files\HP\DVDPlay\000.fcl [11/1/2006 6:02 PM 6656]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [8/31/2009 11:04 PM 464264]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [8/31/2009 10:37 PM 305936]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [11/1/2006 5:49 PM 82048]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [11/1/2006 5:48 PM 468768]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/7/2008 8:25 PM 356920]
.
Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-08 c:\windows\Tasks\Backup.job
- c:\windows\system32\ntbackup.exe [2004-08-10 00:12]

2009-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2482333230-614252947-3129099702-1007Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-09 23:20]

2009-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2482333230-614252947-3129099702-1007UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-09 23:20]

2009-09-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-08-29 c:\windows\Tasks\Windows Defender.job
- c:\progra~1\WIFD1F~1\MSASCui.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cyfair.lonestar.edu/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
DPF: {C0B8E968-6A2B-4825-8029-A92874CA6BD5} - hxxp://www.mobilevisionplayer.com/mvp/p ... r_ocx.jpeg
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 20:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP000005B7AC077696CE5E567C 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{22D78859-9CE9-4b77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\DVDPlay\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2482333230-614252947-3129099702-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(976)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2009-09-09 20:18
ComboFix-quarantined-files.txt 2009-09-09 01:18
ComboFix2.txt 2009-09-07 16:46

Pre-Run: 169,085,960,192 bytes free
Post-Run: 169,065,500,672 bytes free

256 --- E O F --- 2009-09-07 16:11
sharon.anglin
Regular Member
 
Posts: 15
Joined: August 29th, 2009, 2:58 pm

Re: New "Virus Protection" program with pop ups on computer...

Post by deltalima » September 17th, 2009, 4:28 pm

Hi sharon.anglin,

Thank you for the ComboFix log; there is no need to create a new one.

Download OTM by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Paste the following code under the Image area. Do not include the word Code.
    Code:
    :files
    c:\program files\AskBarDis
    
    :reg
    [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    
    [-HKEY_CLASSES_ROOT\clsid\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-

  • Return to OTM, right-click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar) and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Now let's uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the run box and click OK

Next we remove all used tools.

  • Double-click OTM.exe to run it.
  • Click on the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Please delete the GMER download named myoyklt6.exe from where you saved it.

  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight HijackThis 2.0.2, click Remove.
  4. Close the Add or Remove Programs and the Control Panel windows.

Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide

Re-enable system restore with instructions from the tutorial above

Please post the OTM log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
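The OTM script above was written by hand from the ComboFix "Reg Loading Points" section: the BHO key, the Internet Explorer toolbar value and the two CLSIDs all point at c:\program files\AskBarDis. The Python below is an added example, not code from OTM, ComboFix or the thread; it automates that mapping for any unwanted directory using the OTM syntax shown above ([-key] deletes a key, "name"=- deletes a value) and expands the "~" shorthand ComboFix uses for the Explorer key, which has to be spelled out in full or OTM reports the key as not found. The bare HKEY_CLASSES_ROOT TypeLib key is not tied to a file path in that section, so it is left for the analyst to add. The sample log is a constructed abridgement of the ComboFix log quoted earlier.

```python
"""Derive an OTM ':files' / ':reg' removal script from the 'Reg Loading
Points' section of a ComboFix log (both formats as quoted in the thread).

Every loading point whose payload lives under the unwanted directory is
turned into a deletion, together with the HKCR CLSID key for each GUID those
loading points name. TypeLib keys are not visible in this section, so they
are left for the analyst to add by hand.
"""
import re

# ComboFix abbreviates this Explorer key as "~" in BHO entries; OTM needs the
# full key, otherwise the deletion just reports "not found".
EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "<name>"= "<path>" [date size]   (a named value whose data is a file path)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]+)"')
# date time size attrs <path>        (the bare file line under a BHO key)
BARE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample, abridged from the ComboFix log posted earlier.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 23:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"""


def expand_key(key):
    """Replace ComboFix's '~' shorthand with the real Explorer key."""
    return key.replace(r"HKEY_LOCAL_MACHINE\~", EXPLORER_KEY)


def parse_loading_points(text):
    """Return (key, value_name, path) triples. value_name is None when the
    payload is the bare file line printed under a BHO key."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = expand_key(m.group("key"))
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((current, m.group("name"), m.group("path")))
            continue
        m = BARE_RE.match(line)
        if m:
            entries.append((current, None, m.group("path")))
    return entries


def build_otm_script(text, unwanted_dir):
    """Build the OTM script: move unwanted_dir, delete each loading point
    that points into it, and delete the HKCR CLSID key of every GUID named
    by those loading points."""
    prefix = unwanted_dir.lower().rstrip("\\") + "\\"
    keys, values, guids, seen = [], [], [], set()
    for key, name, path in parse_loading_points(text):
        if not path.lower().startswith(prefix):
            continue
        if name is None:
            keys.append(key)                 # the whole BHO key goes
        else:
            values.append((key, name))       # just one value under the key
        for guid in GUID_RE.findall(key + (name or "")):
            if guid.lower() not in seen:
                seen.add(guid.lower())
                guids.append(guid)
    lines = [":files", unwanted_dir, "", ":reg"]
    for guid in guids:
        lines += ["[-HKEY_CLASSES_ROOT\\clsid\\" + guid + "]", ""]
    for key in keys:
        lines += ["[-" + key + "]", ""]
    for key, name in values:
        lines += ["[" + key + "]", '"' + name + '"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_otm_script(SAMPLE_LOG, r"c:\program files\AskBarDis"))
```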

Re: New "Virus Protection" program with pop ups on computer...

Post by sharon.anglin » September 17th, 2009, 7:57 pm

Hello,

Here is the information in the RESULTS window of OTM:

========== FILES ==========
c:\program files\AskBarDis\bar\Settings moved successfully.
c:\program files\AskBarDis\bar\History moved successfully.
c:\program files\AskBarDis\bar\Cache moved successfully.
c:\program files\AskBarDis\bar\bin moved successfully.
c:\program files\AskBarDis\bar moved successfully.
c:\program files\AskBarDis moved successfully.
========== REGISTRY ==========
Registry key HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041d03e-fd4b-44e0-b742-2d9b88305f98}\ not found.
Registry key HKEY_CLASSES_ROOT\clsid\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ not found.
Registry key HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4b1c1e16-6b34-430e-b074-5928eca4c150}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{3041d03e-fd4b-44e0-b742-2d9b88305f98} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041d03e-fd4b-44e0-b742-2d9b88305f98}\ not found.

OTM by OldTimer - Version 3.0.0.6 log created on 09172009_185541
sharon.anglin
Regular Member
 
Posts: 15
Joined: August 29th, 2009, 2:58 pm

Re: New "Virus Protection" program with pop ups on computer...

Post by deltalima » September 19th, 2009, 4:47 am

Hi sharon.anglin,

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Set Correct Settings For Files That Should Be Hidden
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab
  • Under Hidden files and folders if necessary select Do not show hidden files and folders
  • If unchecked, check Hide protected operating system files (Recommended)
  • If necessary check Display content of system folders
  • If necessary Uncheck Hide file extensions for known file types
  • Click OK

Update your AntiVirus Software and keep your other programs up-to-date
It is vital that you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In the First Place

Happy surfing and stay clean!
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: New "Virus Protection" program with pop ups on computer...

Post by silver » September 21st, 2009, 7:58 pm

This topic is now closed
We are pleased to have been of assistance.

If you have been helped and wish to donate towards the costs of this volunteer site, you can do so using this link
Donations For Malware Removal
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7