Free Malware Removal Forum

[wakeboarder540]

Hi, on my family's home computer I was having trouble with an email virus, I tired to fix it myself. I wanted to check with you guys to see if its all clean now.
My dad said his email address on hotmail.com was sending out a message to everyone in his address book with an almost blank page and a silly link to a website at the bottom.

So to fix the problem I restored to an earlier restore point, Deleted files with ATFcleaner, got the newest firefox version, uninstalled some junk in windows (couldn't get a few things though like trojan remover was missing files to uninstall and like wise for spy-bot search and destroy. but the trojan remover is still kinda installed though cause you can still see it in a menu when you right click a file "scan with trojan remover") I ran avast free anti virus in windows and the startup scanner, didn't find anything. We tested loggin into hotmail to see if it would send them but doesnt seem to be doing it but I want to be sure.

I'm so thankfull for your awesome help you have provided me in the past, and would appreciate a bit of help to make sure its clean. Thank you so much!

heres the HJT and uninstall log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:58:12 PM, on 09/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Admin\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 4566545703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4566522093
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 4275 bytes






-------------------------
--------------------------------------------------------------
---------------------------------------------------------------------------------------

heres an uninstall list as well

Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Download Manager
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.2
Adobe Setup
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Adobe® Photoshop® Album Starter Edition 3.0
avast! Free Antivirus
AVI Codec Pack
Google Toolbar for Internet Explorer
Hamachi 0.9.9.9
Java(TM) 6 Update 15
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.10)
NVIDIA Drivers
PDF Settings
Security Update for Windows Media Player 9 (KB911565)
Soldier of Fortune II - Double Helix MP TEST
Windows Live Messenger
Windows XP Service Pack 3
ZoneAlarm

[Airscape]

Hello wakeboarder540,
My name is Airscape and I'll be helping you with your malware issues.
The logs can take a while to research. Please be patient with me.

Take note of the following before we begin.

• Post to this thread only and please stick to it until you are given an All Clean. Absence of symptoms does not mean that your computer is clean.
• The instructions I give are for This computer only and should not be used on any other pc.
• Do NOT run any tools/scans unless I unstruct you to.
• Try not to install/uninstall any programs while we work. This will add extra time researching your logs.
• If you have found assistance elsewhere and no longer require our help, please say so, and this topic will be closed.
• If you have any problems, please stop and ask before proceeding with any fixes.
• ALL USERS OF THIS FORUM MUST READ THIS FIRST

Note: As I'm still in training here at MRU everything I post must be checked by a teacher first. So there may be a slight delay in between posts.

Important:
Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any important files and folders that you don't want to lose before we start.

[wakeboarder540]

Thanks, I appreciate the help

So last night I downloaded and ran the malwarebyte anti malware software from this site and scanned computer and got like 12 infections cleared out then ran again full scan and didnt find anything, sorry this was before you posted and I was thinking it was worth a shot seing as the hotmail virus sending got worse ( now it sends even if the computer isnt on apparently) which is making me think perhaps someone compromised my dads account so we changed his account pass to a much stronger one. if someone hasnt got my dads account cracked then thats really bad cause that would mean that the virus is in hotmails server or in my modem right? Cause how can our computer be sending out ads-emails with a virus while the computer is turner off??? but then again my dad is the one who said it was turned off the times the messages said they were originally sent from (but maybe my dad left it on and forgot he tunred it on in the morning sort of thing, I dont know)
Sorry for any inconviences this may have caused you if you would like me to repost a new log/logs let me know

thanks again

[Airscape]

Sorry for the delay.

Can you please post the log from Malwarebytes showing infections found?
The log can be opened by going to Start > All programs > Malwarebytes' Anti-Malware > Logs > Log- date.txt

So we have a current registry backup, please do the following:

Backup the Registry:

• Please go here and download ERUNT.
• Double click on erunt-setup.exe to Install ERUNT by following the prompts.
• Use the default install settings but say NO to the portion that asks you to add ERUNT to the Start-Up folder.
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
• Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT\todays date which is acceptable.
• Make sure that at least the first two check boxes System registry and Current user registry are selected.
• Click on OK
• Then click on YES to create the backup folder.

Note: to restore the registry (if needed) goto the backup folder and start ERDNT.exe

--------------------------------------------------

Please download DDS ... by sUBs.
http://www.techsupportforum.com/sectools/sUBs/dds/
Save it to your desktop. Alternate download link:here.

1. Double click the tool to run it.
2. A black Screen will open... read the contents but do nothing.
3. When DDS finishes... Notepad will open with 2 reports... DDS.txt and Attach.txt
   Ignore the comments about zipping / attaching any of the report files. The 2 report files are not saved anywhere,
   if you close Notepad, before copying /pasting them... you will need to run DDS again.
4. Copy/paste both DDS.txt and Attach.txt reports in your next reply.
5. Once the reports have been posted, you can delete DDS from your desktop.

So please post back with the Malwarebytes log and both DDS logs.

Thanks

[wakeboarder540]

ok here you go, thanks again !

---------------------------------------
---------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4707

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

09/27/2010 6:20:41 PM
mbam-log-2010-09-27 (18-20-41).txt

Scan type: Quick scan
Objects scanned: 148811
Time elapsed: 13 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{a78bc6b0-af68-47c0-a2de-daadeff87df9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c63691f4-f245-4dde-b79e-ae9885e0102b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ee7c45b3-8f9b-4a78-be6e-aa3267d541be} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d9c28083-e28d-4ab3-b109-82758b1b484c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e95305fa-0407-4401-9240-793f8a6197c3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dpevflbg.bagl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\SystemFeed (Rogue.MalwareCatcher) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\blphclavj0ea3n.scr.vir (PUP.FakeBlueScreen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SystemFeed\mctch.ini (Rogue.MalwareCatcher) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.

---------------------------------------
---------------------------------------------------------------------------------------

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/17/2006 6:48:53 PM
System Uptime: 9/29/2010 11:25:07 AM (6 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6330
Processor: AMD Athlon(tm) processor | Socket A | 900/100mhz

==== Disk Partitions =========================

C: is FIXED (FAT32) - 19 GiB total, 6.609 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP540: 9/25/2010 3:40:54 PM - Installed Application
RP541: 9/25/2010 4:18:56 PM - avast! Free Antivirus Setup
RP542: 9/27/2010 6:39:24 AM - System Checkpoint
RP543: 9/29/2010 7:23:32 AM - System Checkpoint

==== Installed Programs ======================

Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Download Manager
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.2
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Adobe® Photoshop® Album Starter Edition 3.0
avast! Free Antivirus
AVI Codec Pack
ERUNT 1.1j
Google Toolbar for Internet Explorer
Hamachi 0.9.9.9
Java(TM) 6 Update 15
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.10)
NVIDIA Drivers
PDF Settings
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Soldier of Fortune II - Double Helix MP TEST
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live Messenger
Windows XP Service Pack 3
Yahoo! Toolbar
ZoneAlarm

==== Event Viewer Messages From Past Week ========

9/27/2010 6:24:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
9/27/2010 6:23:21 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
9/25/2010 9:47:54 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
9/25/2010 3:33:20 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
9/25/2010 11:14:12 AM, error: Service Control Manager [7000] - The SSPORT service failed to start due to the following error: The system cannot find the file specified.
9/25/2010 10:52:15 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
9/25/2010 10:26:14 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
9/25/2010 10:23:01 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iedw.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 7.0.5730.13.
9/25/2010 10:23:01 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 7.0.5730.13.
9/25/2010 10:21:10 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 7.0.5730.13.

==== End Of File ===========================



---------------------------------------
---------------------------------------------------------------------------------------


DDS (Ver_10-03-17.01) - FAT32x86
Run by Admin at 17:52:03.53 on 09/29/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.258 [GMT -6:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\f91vzhrx.default\
FF - prefs.js: browser.startup.homepage - www.hotmail.com | hxxp://www.lottolore.com/lotto649.html
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-25 165584]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-9-25 532224]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-25 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-25 40384]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-25 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-25 40384]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

=============== Created Last 30 ================

2010-09-27 23:59:11 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-09-27 23:58:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-27 23:58:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-27 23:58:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-27 23:58:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-26 04:48:52 230 ----a-w- c:\windows\system32\spupdsvc.inf
2010-09-26 03:51:21 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-09-26 03:51:20 0 d-----w- c:\windows\system32\ZoneLabs
2010-09-26 03:51:16 420800 ----a-w- c:\windows\system32\vsconfig.xml
2010-09-26 03:51:15 0 d-----w- c:\program files\Zone Labs
2010-09-25 22:19:23 38848 ----a-w- c:\windows\avastSS.scr
2010-09-25 22:18:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-09-25 16:56:59 0 d-----w- c:\windows\system32\wbem\Repository
2010-09-16 12:45:46 179 ----a-w- c:\documents and settings\admin\Webmail.URL
2010-09-16 12:40:08 0 d-----w- c:\docume~1\admin\applic~1\TELUS
2010-09-16 12:40:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Radialpoint
2010-09-16 12:39:55 0 d-----w- c:\docume~1\alluse~1\applic~1\TELUS

==================== Find3M ====================

2010-09-26 03:51:44 4212 ---ha-w- c:\windows\system32\zllictbl.dat

============= FINISH: 17:52:58.35 ===============

[Airscape]

Hi wakeboarder,

What are your reasons for using Hamachi 0.9.9.9?

Please download This Tool and save it to your desktop.
Double click MGADiag.exe to run it.
Click Continue. The program will run, please be patient.
Click Resolve Now (if available) and follow the prompts.
Once done, click on Copy then Paste the contents into your next reply.

------------------------------------------------------

Download CKScanner by askey127 from here: http://downloads.malwareremoval.com/CKScanner.exe
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Post back with the MGADiag.exe log, the CKFiles.txt log, and let me know what problems you still have.

Thanks

[Airscape]

Still with me?

[wakeboarder540]

yes im still with you, sorry about the wait, I've been very busy the past few days.
Im doing that stuff now and ill post the results shortly

[Airscape]

No problem... post when ready (make sure you answer my question and also tell me what problems the pc is having)

[wakeboarder540]

Ok sorry about the wait, hit a road block unfortunately... did not pass WGA check,
I got this computer given to me with it installed, it would seem with a non legit version

Where can I go to buy a legit XP pro digital license, I would like to purchase just the
license so I dont have to reinstall windows? Please advise me what to do to get a genuine license


Oh and I had hamachi installed to LAN with friends to play LAN PC games over the internet for some oldschool PC games that only would work if you were locally connected like at a lan party, hamatchi makes a virtual LAN so we could play over the internet
deleted it seeing as I dont use anymore
heres those logs:

----------------------------
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----



Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Cached Validation Code: N/A
Windows Product Key: *****-*****-CF3J6-Y8WRV-CBK7W
Windows Product Key Hash: ViNrHeRLYXVazmdrx15BFXxwo6g=
Windows Product ID: 55274-643-7152992-23962
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {BC5074BA-E267-45BC-ADDB-EA29689BD14A}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_025D1FF3-238-2_025D1FF3-258-3
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office XP Professional with FrontPage - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_025D1FF3-238-2_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{BC5074BA-E267-45BC-ADDB-EA29689BD14A}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-CBK7W</PKey><PID>55274-643-7152992-23962</PID><PIDType>1</PIDType><SID>S-1-5-21-1645522239-261903793-839522115</SID><SYSTEM><Manufacturer>MICRO-STAR INTERNATIONAL CO., LTD</Manufacturer><Model>MS-6330</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="2"/><Date>20020701000000.000000+000</Date></BIOS><HWID>C44A38CF01842059</HWID><UserLCID>2409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Mountain Standard Time(GMT-07:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90280409-6000-11D3-8CFE-0050048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office XP Professional with FrontPage</Name><Ver>10</Ver><Val>39476F84C4B4004</Val><Hash>4iCnywwNW1w4s9ukTIwGMGxyGic=</Hash><Pid>54185-640-0000025-17098</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="10" Result="114"/><App Id="16" Version="10" Result="114"/><App Id="17" Version="10" Result="114"/><App Id="18" Version="10" Result="114"/><App Id="1A" Version="10" Result="114"/><App Id="1B" Version="10" Result="114"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 11E16:Action S.A
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

[wakeboarder540]

oh and no problems have come up or emails sent out randomly since the malware bytes removed the files it found, but please advise on the genuine XP pro license as I would like computer to be legal and legit! thanks

[Airscape]

Unfortunately, as you have determined your OS is not genuine and neither is your Office.
Until this is rectified I will not be able to continue helping as per Forum Rules and this thread will be closed.

Please visit:

http://www.microsoft.com/genuine/

Click on Validate Windows. Then when validation fails - click on Get Genuine to find out how to get a WGA Kit.

Once you've made your operating system and your version of Office genuine, and if problems still persist you are more than welcome to start a new thread requesting assistance.

[muppy03]

This topic is now closed.

If you still require help,once you've made your operating system and your version of Office genuine please open a new thread in the Malware Removal forum, include a fresh HijackThis log, and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site,
please read Donations For Malware Removal