WiredWX Hobby Weather ToolsLog in

 


virus/spyware/trojan

2 posters

descriptionvirus/spyware/trojan Emptyvirus/spyware/trojan

more_horiz
ive followed all of the instructions - hopefully i did them correctly here is the hijacktis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:23 AM, on 1/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE
C:\Program Files\3Com\Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\3Com\LanSupportService.exe
C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
C:\PROGRA~1\3Com\WLANMA~1\Activate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\RMK\Local Settings\Temporary Internet Files\Content.IE5\8GOY052P\AdbeRdr930_en_US[1].exe
C:\Documents and Settings\RMK\Local Settings\Temporary Internet Files\Content.IE5\L050G7ZA\winlogon[1].scr
C:\Documents and Settings\RMK\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\setup.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adserving.cpxinteractive.com:80/rw?title=&qs=iframe3?1BAAADCBCAC4jBMAYuYFAAIAAAAAAP8AAAAFCQICAAI-rQcAQ8sIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1AAAAAAAAAHUAAAAAAAAAAAAAAMJvetClAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAu45Nzvg33QX.AU0.6rdNKyRuB8VMPC7cGjYLIgAAAAA=,,http://searchportal.information.com/?epl=00800034ulsnz0savvetvrbehgejxgbdcfkcwfjccvrzvvlgxutwww8etryobvmdvlcnulifuhihaaprclzvbaul (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SIE2007] "C:\Program Files\Winferno\Secure IE\SIEPulse.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Dmovugo] rundll32.exe "C:\WINDOWS\ovesumiwu.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R280 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE /FU "C:\DOCUME~1\RMK\LOCALS~1\Temp\E_S57.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: 3Com Launcher.lnk = C:\Program Files\3Com\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: 3Com Wireless LAN Support (AllWirelessLansService) - Unknown owner - C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: 3Com LAN Support (LanSupportService) - 3Com Corporation - C:\Program Files\Common Files\3Com\LanSupportService.exe
O23 - Service: 3Link Engine (SAEngine) - 3Com Corporation - C:\Program Files\3Com\3Link\SAEngine.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9646 bytes

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
Please download Cheetah-Anti-Rogue, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
i downloaded it and extracted the file - i clicked on it to run and then an error message comes up - ive tried it several times and it doesnt work

application cannot be executed. the file is infected. please activate your antivirus software

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
here is the combofix log:

ComboFix 10-01-24.05 - RMK 01/25/2010 10:45:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.226 [GMT -8:00]
Running from: c:\documents and settings\RMK\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\RMK\Local Settings\Application Data\{E8FEDAF5-6359-4443-BD8B-367C7176CD74}
c:\documents and settings\RMK\Local Settings\Application Data\{E8FEDAF5-6359-4443-BD8B-367C7176CD74}\chrome.manifest
c:\documents and settings\RMK\Local Settings\Application Data\{E8FEDAF5-6359-4443-BD8B-367C7176CD74}\chrome\content\_cfg.js
c:\documents and settings\RMK\Local Settings\Application Data\{E8FEDAF5-6359-4443-BD8B-367C7176CD74}\chrome\content\overlay.xul
c:\documents and settings\RMK\Local Settings\Application Data\{E8FEDAF5-6359-4443-BD8B-367C7176CD74}\install.rdf
c:\program files\Adware Professional
c:\program files\Adware Professional\nutilities.dll
C:\s
c:\windows\ovesumiwu.dll
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\helper32.dll
c:\windows\system32\IS15.exe
c:\windows\system32\smss32.exe
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-25 15:53 . 2010-01-25 15:53 0 ----a-w- c:\windows\Bvujafotocedo.bin
2010-01-25 15:53 . 2010-01-25 15:53 120 ----a-w- c:\windows\Kfesiro.dat
2010-01-25 15:30 . 2010-01-25 15:30 -------- d-----w- c:\documents and settings\RMK\Local Settings\Application Data\Threat Expert
2010-01-25 06:57 . 2010-01-25 16:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-21 21:57 . 2010-01-21 21:57 -------- d-----w- c:\program files\Easy CD & DVD Cover Creator
2010-01-19 12:49 . 2010-01-21 05:36 -------- d-----w- c:\program files\a-squared Free
2010-01-19 10:32 . 2010-01-19 10:32 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-14 00:13 . 2010-01-19 10:30 -------- d-----w- c:\program files\AAALOGO2009
2010-01-13 15:59 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 16:03 . 2008-05-21 02:00 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-25 15:46 . 2009-08-07 17:30 -------- d-----w- c:\program files\Java
2010-01-25 15:44 . 2010-01-25 15:44 152576 ----a-w- c:\documents and settings\RMK\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-25 15:44 . 2009-11-24 17:43 79488 ----a-w- c:\documents and settings\RMK\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-25 06:21 . 2009-03-18 01:58 117760 ----a-w- c:\documents and settings\RMK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-25 05:58 . 2010-01-19 10:53 52224 ----a-w- c:\documents and settings\RMK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-22 00:04 . 2009-02-11 15:50 -------- d-----w- c:\documents and settings\RMK\Application Data\Winferno
2009-12-21 19:14 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-29 00:01 . 2009-02-11 16:16 -------- d-----w- c:\documents and settings\RMK\Application Data\Apple Computer
2009-11-28 21:52 . 2009-11-28 21:51 -------- d-----w- c:\program files\iTunes
2009-11-28 21:52 . 2009-11-28 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-28 21:51 . 2009-11-28 21:51 -------- d-----w- c:\program files\iPod
2009-11-28 21:51 . 2008-04-18 06:25 -------- d-----w- c:\program files\Common Files\Apple
2009-11-28 21:48 . 2009-11-28 21:47 -------- d-----w- c:\program files\QuickTime
2009-11-28 21:39 . 2009-11-28 21:39 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-28 21:33 . 2008-08-23 15:59 -------- d-----w- c:\program files\Safari
2009-11-28 21:29 . 2009-11-28 21:29 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 16:31 . 2009-02-13 00:34 47256 ----a-w- c:\documents and settings\RMK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-22 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-01-09 151552]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-01-09 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"VX3000"="c:\windows\vVX3000.exe" [2009-06-27 757248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
3Com Launcher.lnk - c:\program files\3Com\Launcher.exe [2008-8-24 221184]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wct940.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05 AM 55024]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [1/19/2010 4:49 AM 1858144]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;c:\windows\system32\drivers\vch.sys [3/4/2003 4:30 AM 18487]
R3 AllWirelessLansService;3Com Wireless LAN Support;c:\program files\3Com\WLAN Manager\AllWirelessLansService.exe [8/24/2008 9:58 AM 114688]
R3 LanSupportService;3Com LAN Support;c:\program files\Common Files\3Com\LanSupportService.exe [8/24/2008 9:58 AM 212992]
R3 WLP92B;3Com 3CRWE62092B Wireless LAN PC Card;c:\windows\system32\drivers\wlp92bf.sys [8/20/2008 4:14 PM 77696]
S3 SAEngine;3Link Engine;c:\program files\3Com\3Link\SAEngine.exe [8/24/2008 9:58 AM 172032]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.mail.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://adserving.cpxinteractive.com:80/rw?title=&qs=iframe3%3F1BAAADCBCAC4jBMAYuYFAAIAAAAAAP8AAAAFCQICAAI%2DrQcAQ8sIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1AAAAAAAAAHUAAAAAAAAAAAAAAMJvetClAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAu45Nzvg33QX%2EAU0%2E6rdNKyRuB8VMPC7cGjYLIgAAAAA%3D%2C%2Chttp%3A%2F%2Fsearchportal%2Einformation%2Ecom%2F%3Fepl%3D00800034ulsnz0savvetvrbehgejxgbdcfkcwfjccvrzvvlgxutwww8etryobvmdvlcnulifuhihaaprclzvbaul
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\RMK\Application Data\Mozilla\Firefox\Profiles\fxsgsjkl.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SIE2004 - (no file)
HKLM-Run-SIE2007 - c:\program files\Winferno\Secure IE\SIEPulse.exe
HKLM-Run-Dmovugo - c:\windows\ovesumiwu.dll
AddRemove-HijackThis - c:\documents and settings\RMK\Local Settings\Temporary Internet Files\Content.IE5\L050G7ZA\HijackThis.exe
AddRemove-SecureIE2007_is1 - c:\program files\Winferno\Secure IE\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 10:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}\TreatAs]
@DACL=(02 0000)
@="{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs]
@DACL=(02 0000)
@="{A9571378-68A1-443d-B082-284F960C6D17}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3}\TreatAs]
@DACL=(02 0000)
@="{A9571378-68A1-443d-B082-284F960C6D17}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib]
@DACL=(02 0000)
@="{29D67D3C-509A-4544-903F-C8C1B8236554}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib]
@DACL=(02 0000)
@="{E47CAEE0-DEEA-464A-9326-3F2801535A4D}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib]
@DACL=(02 0000)
@="{D518921A-4A03-425E-9873-B9A71756821E}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0]
@DACL=(02 0000)
@="HtmldocPlugin 1.0 Type Library"

[HKEY_LOCAL_MACHINE\software\Fun Web Products\MSNMessenger]
@DACL=(02 0000)
"DLLFile"="F3REPROX.DLL"
"DLLDir"="c:\\Program Files\\MyWebSearch\\bar\\1.bin\\"

[HKEY_LOCAL_MACHINE\software\Fun Web Products\ScreenSaver]
@DACL=(02 0000)
"ImagesDir"="c:\\Program Files\\FunWebProducts\\ScreenSaver\\Images\\"

[HKEY_LOCAL_MACHINE\software\Fun Web Products\Settings]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\FunWebProducts\Installer]
@DACL=(02 0000)
"Dir"="c:\\Program Files\\FunWebProducts\\Installr\\"
"CurInstall"="1"
"sr"="0"
"pl"="9"
"CheckForConnection"="1"
"CacheDir"="c:\\Program Files\\FunWebProducts\\Installr\\Cache\\"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\MyWebSearch\bar]
@DACL=(02 0000)
"UseFWB"="0"
"pid"="ZJxdm172YYUS"
"fwp"="0"
"mwsask"="US|CA|GB"
"tiec"="208976"
"Dir"="c:\\Program Files\\MyWebSearch\\bar\\"
"PluginPath"="c:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\"
"UninstallString"="\"c:\\Program Files\\MyWebSearch\\bar\\1.bin\\m3highin.exe\" mwsbar.dll,O"
"Id"="B00447DD-0651-4AE8-94A5-0B6EE79BC3AB"
"CurInstall"="1"
"SettingsDir"="c:\\Program Files\\MyWebSearch\\bar\\Settings\\"
"sr"="0"
"pl"="9"
"CacheDir"="c:\\Program Files\\MyWebSearch\\bar\\Cache\\"
"ConfigDateStamp"="2009020709"
"HTMLMenuRevision"="275"
"sscLabel"="My Web Search"
"sscURL"="http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm172YYUS&fl=0&ptb=3UcEsOhKUQZuC6WUq8Ob5w&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}"
"Flags"="8722"
"HistoryDir"="c:\\Program Files\\MyWebSearch\\bar\\History\\"
"AutocompleteURL"="http://srchsugg.funwebproducts.com/query?q="
"Maximized"="0"
"Visible"="1"

[HKEY_LOCAL_MACHINE\software\MyWebSearch\SearchAssistant]
@DACL=(02 0000)
"UseFWB"="0"
"pid"="ZJxdm172YYUS"
"fwp"="0"
"mwsask"="US|CA|GB"
"Dir"="c:\\Program Files\\MyWebSearch\\SrchAstt\\"
"esh"="1"
"lsp"=""
"Id"="DEA2B37F-481E-493B-A5CF-D399C33DAF40"
"CurInstall"="1"
"sr"="0"
"pl"="9"
"ConfigDateStamp"="2009020709"
"ABS"="http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm172YYUS&fl=0&url=http://search.mywebsearch.com/mywebsearch/AJmain.jhtml&st=kwd&ptnrS=ZJxdm172YYUS&PG=SEASUSH&SEC=ABMANY&ind=2009020709&searchfor="
"DES"="http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm172YYUS&fl=0&url=http://search.mywebsearch.com/mywebsearch/AJmain.jhtml&st=dns&ptnrS=ZJxdm172YYUS&PG=SEASUSH&SEC=DNS&ind=2009020709&searchfor="
"sscEnabled"="1"
"eintl"="0"
"fs"="0"

[HKEY_LOCAL_MACHINE\software\MyWebSearch\SkinTools]
@DACL=(02 0000)
"PlayerPath"="\"c:\\Program Files\\MyWebSearch\\bar\\1.bin\\m3SkPlay.exe\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(616)
c:\windows\wct940.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1264)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\wct940.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\3Com\WLANMA~1\Activate.exe
.
**************************************************************************
.
Completion time: 2010-01-25 11:02:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 19:02

Pre-Run: 16,611,635,200 bytes free
Post-Run: 16,903,643,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 854D9A11D62264F7AB2DCA3BE9A14FF5

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
Hi again. Please do these steps in order.

1. Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start
    button to begin the process. Depending on how often you clean temp
    files, execution time should be anywhere from a few seconds to a minute
    or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


2. virus/spyware/trojan Mbamicontw5 Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer:

http://www.bleepingcomputer.com/virus-removal/how-to-use-superantispyware-tutorial

Post the log from SUPERAntiSpyware when you've accomplished that.

4. Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


5. Post the following in your next reply:
  • MBAM log
  • SAS log
  • ESET log

And, please tell me how your computer is doing.

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
i really appreciate all of your help on this

MBAM log

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/25/2010 3:46:41 PM
mbam-log-2010-01-25 (15-46-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 177815
Time elapsed: 3 hour(s), 57 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: wct940.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\wct940.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Qoobox\Quarantine\C\Program Files\Adware Professional\nutilities.dll.vir (Rogue.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8F708650-A2BF-4D14-9640-9711D95AD666}\RP506\A0110066.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8F708650-A2BF-4D14-9640-9711D95AD666}\RP506\A0110067.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8F708650-A2BF-4D14-9640-9711D95AD666}\RP506\A0110071.exe (Rogue.AdwarePro) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8F708650-A2BF-4D14-9640-9711D95AD666}\RP506\A0110082.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8F708650-A2BF-4D14-9640-9711D95AD666}\RP512\A0123233.exe (Rogue.AdwarePro) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8F708650-A2BF-4D14-9640-9711D95AD666}\RP516\A0123538.exe (Adware.MakeTheWebBetter) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8F708650-A2BF-4D14-9640-9711D95AD666}\RP516\A0123539.exe (Adware.MakeTheWebBetter) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8F708650-A2BF-4D14-9640-9711D95AD666}\RP516\A0123556.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8F708650-A2BF-4D14-9640-9711D95AD666}\RP516\A0123591.sys (Malware.Trace) -> Quarantined and deleted successfully.



SAS log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/25/2010 at 05:04 PM

Application Version : 4.33.1000

Core Rules Database Version : 4516
Trace Rules Database Version: 2328

Scan type : Complete Scan
Total Scan Time : 00:44:58

Memory items scanned : 416
Memory threats detected : 0
Registry items scanned : 4916
Registry threats detected : 15
File items scanned : 18781
File threats detected : 19

Adware.Tracking Cookie
C:\Documents and Settings\RMK\Cookies\rmk@content.yieldmanager[2].txt
C:\Documents and Settings\RMK\Cookies\rmk@ad.wsod[1].txt
C:\Documents and Settings\RMK\Cookies\rmk@invitemedia[2].txt
C:\Documents and Settings\RMK\Cookies\rmk@richmedia.yahoo[1].txt
C:\Documents and Settings\RMK\Cookies\rmk@ads.pointroll[2].txt
C:\Documents and Settings\RMK\Cookies\rmk@atdmt[1].txt
C:\Documents and Settings\RMK\Cookies\rmk@ad.yieldmanager[2].txt
C:\Documents and Settings\RMK\Cookies\rmk@apmebf[1].txt
C:\Documents and Settings\RMK\Cookies\rmk@ads.bridgetrack[3].txt
C:\Documents and Settings\RMK\Cookies\rmk@advertising[1].txt
C:\Documents and Settings\RMK\Cookies\rmk@content.yieldmanager[3].txt
C:\Documents and Settings\RMK\Cookies\rmk@mediaplex[2].txt
C:\Documents and Settings\RMK\Cookies\rmk@ads.undertone[2].txt
C:\Documents and Settings\RMK\Cookies\rmk@optimost[1].txt
C:\Documents and Settings\RMK\Cookies\rmk@videos.mediaite[2].txt
C:\Documents and Settings\RMK\Cookies\rmk@app.insightgrit[2].txt
C:\Documents and Settings\RMK\Cookies\rmk@ads.bridgetrack[1].txt
C:\Documents and Settings\RMK\Cookies\rmk@dymo.112.2o7[1].txt
C:\Documents and Settings\RMK\Cookies\rmk@overture[1].txt

Adware.MyWebSearch/FunWebProducts
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib#Version
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version





ESET log

I had trouble with this one – the first time I did there were 6 threats I cleaned them but couldn’t find the log etc – so after searching I did the scan again but no threats and I found that log – sorry

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a30ccee9fcf99142ad1042922574bd84
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-26 03:51:52
# local_time=2010-01-25 07:51:52 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=42674
# found=0
# cleaned=0
# scan_time=3710

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/26/2010 10:35:16 AM
mbam-log-2010-01-26 (10-35-16).txt

Scan type: Quick Scan
Objects scanned: 127826
Time elapsed: 1 hour(s), 54 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
a-squared Free 4.5
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware Free Edition
Java(TM) 6 Update 17
Adobe Flash Player 10
Adobe Reader 8.1.3
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

  • Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  • AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.


Firewall

  • Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • PC Tools Firewall Plus: free and excellent firewall.


Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

  • Firefox may be downloaded from here: http://www.getfirefox.com
  • Opera is available here: http://www.opera.com/download/


See this page for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
i had 3 adobe's and i was able to delete two of them the version 8.1.3 when i try to remove it it give me the error message error 1402 could not open key fatal error during installation

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
See this: http://kb2.adobe.com/cps/329/329137.html

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
ok i followed your intructions above - i have the most current edition of adobe - ive also downloaded all of your other software suggested website

my computer seems to run a little slow on start-up meaning connecting the internet is slow but once its up and running things seem to be fine - i havent had anymore virus alerts etc and things are running smooth in that area

i cannot thank you enough for all your help and assistance - you saved me for sure!!!!!

descriptionvirus/spyware/trojan EmptyRe: virus/spyware/trojan

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum