Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Do I have a problem?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Do I have a problem?

Unread postby andyspeake » March 10th, 2010, 12:48 pm

Hi,

Reset Hosts File

Please visit this link by microsoft:
How do I reset the hosts file back to the default?
  • Under the "Fix it for me" section, click the "Fix it" button or the "Fix this problem link below the button.
  • Click Run to run the tool.
  • Read and Accept the License terms.
  • It will then run...
  • When finished it will say "This Microsoft Fix has been proccessed" if the fix was successful. Then Close the Tool
  • If asked to restart the computer, choose "Yes" to restart.

Let me know if this went OK.

I'd like you to check (a file/some files) for Viruses.
C:\WINDOWS\system32\rundll32.exe.Z-missing.txt
C:\WINDOWS\system32\drivers\aniwcddi.sys

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please. Some of them may not be found!

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

So please post bacK:
Did the Hosts Reset go well?
File Uploads Results
ESET log.txt


Thanks.
User avatar
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland
Advertisement
Register to Remove

Re: Do I have a problem?

Unread postby jerryc126 » March 11th, 2010, 12:56 am

Andrew, Host reset occurred without incident.

Virus Total Scan results:
File rundll32.exe.Z-missing.txt received on 2009.11.01 17:48:35 (UTC)
Current status: finished
Result: 0/41 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.01 -
AhnLab-V3 5.0.0.2 2009.10.30 -
AntiVir 7.9.1.53 2009.10.30 -
Antiy-AVL 2.0.3.7 2009.10.30 -
Authentium 5.1.2.4 2009.11.01 -
Avast 4.8.1351.0 2009.11.01 -
AVG 8.5.0.423 2009.11.01 -
BitDefender 7.2 2009.11.01 -
CAT-QuickHeal 10.00 2009.10.31 -
ClamAV 0.94.1 2009.11.01 -
Comodo 2806 2009.11.01 -
DrWeb 5.0.0.12182 2009.11.01 -
eSafe 7.0.17.0 2009.11.01 -
eTrust-Vet 35.1.7094 2009.10.30 -
F-Prot 4.5.1.85 2009.11.01 -
F-Secure 9.0.15370.0 2009.10.30 -
Fortinet 3.120.0.0 2009.11.01 -
GData 19 2009.11.01 -
Ikarus T3.1.1.72.0 2009.11.01 -
Jiangmin 11.0.800 2009.11.01 -
K7AntiVirus 7.10.885 2009.10.31 -
Kaspersky 7.0.0.125 2009.11.01 -
McAfee 5789 2009.11.01 -
McAfee+Artemis 5789 2009.11.01 -
McAfee-GW-Edition 6.8.5 2009.11.01 -
Microsoft 1.5202 2009.11.01 -
NOD32 4562 2009.11.01 -
Norman 6.03.02 2009.11.01 -
nProtect 2009.1.8.0 2009.11.01 -
Panda 10.0.2.2 2009.11.01 -
PCTools 7.0.3.5 2009.10.30 -
Prevx 3.0 2009.11.01 -
Rising 21.53.62.00 2009.11.01 -
Sophos 4.47.0 2009.11.01 -
Sunbelt 3.2.1858.2 2009.11.01 -
Symantec 1.4.4.12 2009.11.01 -
TheHacker 6.5.0.2.058 2009.10.31 -
TrendMicro 8.950.0.1094 2009.11.01 -
VBA32 3.12.10.11 2009.10.30 -
ViRobot 2009.10.31.2015 2009.10.31 -
VirusBuster 4.6.5.0 2009.10.31 -
Additional information
File size: 8933 bytes
MD5 : 28a1d6b25d8d137923d4b71613ee816f
SHA1 : 5dc27dd4b0ae38ba077d0421538c6edfce3f672d
SHA256: a2e2c6001bbcb9692c1fd742c88071336687bb30dae6b6262ce9be87e84437fb
TrID : File type identification
Unknown!
ssdeep: 192:QIVDWbGKrEYDnlMl7Qiawj5ycwPHxaICTK+lgxQG8CndZt3caI+7mn:fWphzlMlUEDwPRaIC1GQQndZt3cm8
PEiD : -
RDS : NSRL Reference Data Set

ESET Results:

C:\Documents and Settings\jerryc126\My Documents\Downloads\eb51setup.exe a variant of Win32/Urlbot.NAD trojan
E:\My Documents 030810\Downloads\eb51setup.exe a variant of Win32/Urlbot.NAD trojan
E:\My Documents 041309\Downloads\eb51setup.exe a variant of Win32/Urlbot.NAD trojan
E:\My Documents 070409\Downloads\eb51setup.exe a variant of Win32/Urlbot.NAD trojan
E:\My Documents 102108\Downloads\eb51setup.exe a variant of Win32/Urlbot.NAD trojan
E:\My Documents 123108\Downloads\eb51setup.exe a variant of Win32/Urlbot.NAD trojan
E:\Thumbdrive Backup\Utilities\eb51setup.exe a variant of Win32/Urlbot.NAD trojan
jerryc126
Regular Member
 
Posts: 20
Joined: February 28th, 2010, 5:16 am

Re: Do I have a problem?

Unread postby andyspeake » March 11th, 2010, 8:40 am

Hi Jerry,

Could you also upload this file to check for virus's...
C:\WINDOWS\system32\drivers\aniwcddi.sys
User avatar
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland

Re: Do I have a problem?

Unread postby jerryc126 » March 11th, 2010, 9:10 am

That file was not found. I manually looked for it and it is not there.
jerryc126
Regular Member
 
Posts: 20
Joined: February 28th, 2010, 5:16 am

Re: Do I have a problem?

Unread postby andyspeake » March 12th, 2010, 6:50 am

Hi,

Please ensure Drive E: is inserted, your thumb drive, before running this fix.

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File:: 
    C:\Documents and Settings\jerryc126\My Documents\Downloads\eb51setup.exe
    E:\My Documents 030810\Downloads\eb51setup.exe
    E:\My Documents 041309\Downloads\eb51setup.exe
    E:\My Documents 070409\Downloads\eb51setup.exe
    E:\My Documents 102108\Downloads\eb51setup.exe
    E:\My Documents 123108\Downloads\eb51setup.exe
    E:\Thumbdrive Backup\Utilities\eb51setup.exe 
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Run Malwarebytes' Anti-Malware
  • Please Open Malwarebytes Anti-malware which you already have on your system.
  • Once the program has loaded choose the "Update" tab and then "check for updates".
  • Once updated, within the "Scanner" tab, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

So please post back:
CFScript Results
MBAM Results
Fresh HJT log

Thanks.
User avatar
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland

Re: Do I have a problem?

Unread postby jerryc126 » March 12th, 2010, 8:38 am

The program that is showing as a "trojan" is a program that allows me to monitor my daughter's computer here in the house. It captures every url, keystroke, and email that she uses. It is called eblaster from spectorsoft. http://www.spectorsoft.com/
jerryc126
Regular Member
 
Posts: 20
Joined: February 28th, 2010, 5:16 am

Re: Do I have a problem?

Unread postby andyspeake » March 12th, 2010, 11:30 am

Hi,

The keylogger program you have on this machine may contain strains of malware. If you wish to remove it, you can do so.

Run Malwarebytes' Anti-Malware
  • Please Open Malwarebytes Anti-malware which you already have on your system.
  • Once the program has loaded choose the "Update" tab and then "check for updates".
  • Once updated within the "Scanner" tab, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.
  • Go to Java Site
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u18-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

So please post back:
MBAM Results
Fresh HJT log
Please let me know how your computer is running now?

Thanks.
User avatar
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland

Re: Do I have a problem?

Unread postby jerryc126 » March 13th, 2010, 12:15 pm

Hi Andrew,

Here is the MBAM Log:
Malwarebytes' Anti-Malware 1.44
Database version: 3862
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/13/2010 11:09:49 AM
mbam-log-2010-03-13 (11-09-45).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 305431
Time elapsed: 1 hour(s), 18 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\jerryc126\My Documents\Trading\NexGen Folder\Nexgen Setup\keygen.exe (Trojan.Downloader) -> No action taken.
E:\My Documents 030810\Trading\NexGen Folder\Nexgen Setup\keygen.exe (Trojan.Downloader) -> No action taken.
E:\My Documents 070409\Trading\NexGen Folder\keygen.exe (Trojan.Downloader) -> No action taken.
E:\Thumbdrive Backup\Trading\NexGen Folder\keygen.exe (Trojan.Downloader) -> No action taken.


These files are not a trojan --the key generator allows me to open a trading program that i purchased, so i have not removed it. It is in several locations for backup purposes.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:23 AM, on 3/13/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SmartClock\SmartClock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\GSW32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\jerryc126\My Documents\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SmartClock] C:\Program Files\SmartClock\SmartClock.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.kclic.net/MaxiPt/smsx.cab
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/D ... tion&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {62FA83F7-20EC-4D62-AC86-BAB705EE1CCD} (SmartCode ViewerX VNC Control) - http://www.woodiescciclub.com/charts/viewerx.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://allianzlife.webex.com/client/T2 ... eatgpc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Update Service (gupdate1c9cd86ec9ed034) (gupdate1c9cd86ec9ed034) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 11235 bytes


The computer has not frozen or shut down since you have been helping me. Thank-you, Thank-you.

Jerry
jerryc126
Regular Member
 
Posts: 20
Joined: February 28th, 2010, 5:16 am

Re: Do I have a problem?

Unread postby andyspeake » March 13th, 2010, 3:05 pm

Hi,

keygen.exe

Our forum policy Here says we will not help people who use keygenerators.
You may have got infected by using keygens or visiting crack sites.
Hence, i would like you to remove all the crack/keygen applications that are present on your system as i cannot help you further without doing so.

NOTE: If you give me advice that the software/Keygens have been removed & I find it has not (the tools we use can & will detect it) then I will have no choice but to have this thread closed.
Please decide what you are going to do & let me know.

----------------------
If you decide to continue, please to do the following...

Run CKScanner

  • Please download CKScanner by from Here
  • Important: - Save it to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • After a couple minutes or less, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
User avatar
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland

Re: Do I have a problem?

Unread postby jerryc126 » March 13th, 2010, 4:14 pm

I have removed the files that were in question by the forum's policy.

Here is the latest file from CKScanner:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----
jerryc126
Regular Member
 
Posts: 20
Joined: February 28th, 2010, 5:16 am

Re: Do I have a problem?

Unread postby andyspeake » March 16th, 2010, 8:29 am

Hi,

Congratulations you are clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Remove tools
    Let's clear out the programmes we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.

  • Uninstall tools - The following will not only uninstall ComboFix but also clean up some other dangerous tools and backups, clean up the System Restore points and hide the system files.
  • Go to Start
  • Click on Run
  • Type ComboFix /Uninstall

After doing that with ComboFix, do this with OTC.exe to remove the tools not removed by ComboFix.

OTC.exe

Please download OTC.exe and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC.exe attempting to contact the internet, please allow it to do so.

Let me know if the clean up went OK for OTC.exe.

You may delete any logs left on the desktop.

============================

Update your Windows XP to Service Pack 3!
It is CRITICAL that you keep your Windows updated. Otherwise you're open to dozens of security holes which WILL cause you to get reinfected.
Visit Windows Update NOW and download Service Pack 3 + ALL critical updates! (Click Start :arrow: All Programs :arrow: Windows Update to launch Windows Update)

Please remember to visit Windows Update REGULARLY. Remember: an unpatched system = a hacker heaven!

Firewall!

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo I use this one!!

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

For an article on Firewalls see the link below:
Computer Safety On line - Software Firewalls

============================

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File
You can download it from here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Note: Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK


============================

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Please check this article by miekiemoes about how to prevent malware. LINK

============================

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy safe surfing!
andyspeake
User avatar
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland

Re: Do I have a problem?

Unread postby jerryc126 » March 16th, 2010, 2:36 pm

when i typed in ComboFix/uninstall i get the following error: Windows cannot find "combofix/uninstall. please be sure you have typed it in correctly.
jerryc126
Regular Member
 
Posts: 20
Joined: February 28th, 2010, 5:16 am

Re: Do I have a problem?

Unread postby andyspeake » March 16th, 2010, 3:33 pm

Make sure there is a space between "Combofix" and "/uninstall".

Let me know how you get on.
User avatar
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland

Re: Do I have a problem?

Unread postby jerryc126 » March 16th, 2010, 8:38 pm

Andrew, with the space after combofix and before the slash i still get the same message. Also, my defrag program in accessories/system tools does not work.

"MMC cannot open the file CV:\windows\system32\dfrg.msc. This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file."

Thanks.

Jer
jerryc126
Regular Member
 
Posts: 20
Joined: February 28th, 2010, 5:16 am

Re: Do I have a problem?

Unread postby andyspeake » March 17th, 2010, 7:01 am

Continue with OTC, that should get combofix if its still on the machine.

I'll get back to you later on the defrag issue.
User avatar
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 469 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware