WiredWX Christian Hobby Weather Tools
h9phcwpt41.exe file in C:\Documents and Settings

Hello!

I have had this problem for a few days now.
I detected the file named "h9phcwpt41.exe" in C:\Documents and Settings. I can't delete it.
I noticed it because I had previously installed Avira Antivirus Free Edition and it was disabled. I couldn't enable it anymore.
So I scanned the computer.
I uninstalled Avira and tried a few more antivirus programs one by one; none of them worked.

Thanks!

Re: h9phcwpt41.exe file in C:\Documents and Settings

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.
* Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining
  Please leave the others unchecked
* Click the Close button to leave the control center screen.
* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

To retrieve the removal information please do the following:
* After reboot, double-click the SUPERAntiSpyware icon on your desktop.
* Click Preferences. Click the Statistics/Logs tab.
* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
* It will open in your default text editor (preferably Notepad).
* Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Copy and Paste the log in your post.
*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*************************************************
Download DDS from HERE or HERE and save it to your desktop.

* Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
* Save both reports to your desktop.
* The instructions here ask you to attach the Attach.txt.

1) DDS.txt
2) Attach.txt
Instead of attaching, please copy/paste both logs into your Thread

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.

•Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).

Re: h9phcwpt41.exe file in C:\Documents and Settings

Hello and thank you for answering.

Here I post the logs:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/15/2012 at 04:06 PM

Application Version : 5.0.1146

Core Rules Database Version : 8328
Trace Rules Database Version: 6140

Scan type : Complete Scan
Total Scan Time : 00:47:18

Operating System Information
Windows XP Professional 32-bit, Service Pack 2 (Build 5.01.2600)
Administrator

Memory items scanned : 412
Memory threats detected : 0
Registry items scanned : 32664
Registry threats detected : 0
File items scanned : 68780
File threats detected : 1

Trojan.Agent/Gen-Kryptik
C:\DOCUMENTS AND SETTINGS\TAR2\H9PHCWPT41.EXE

Re: h9phcwpt41.exe file in C:\Documents and Settings



Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.16.02

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Tar2 :: CONTABILITATE1 [administrator]

Protection: Disabled

16/03/2012 08:09:26
mbam-log-2012-03-16 (08-09-26).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 257349
Time elapsed: 25 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Documents and Settings\Tar2\h9phcwpt41.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1033\A0115909.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1033\A0116091.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1033\A0116095.exe (Spyware.Zeus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1045\A0118423.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

Re: h9phcwpt41.exe file in C:\Documents and Settings

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Run by Tar2 at 9:57:03 on 2012-03-16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.185 [GMT 2:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ro/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\tar2\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [ogkyuu6grr] c:\documents and settings\tar2\ogkyuu6grr.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
StartupFolder: c:\docume~1\tar2\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1310723388796
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B59CDD99-0043-483D-9841-C6E3FB15ACFC} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, IbduyrIjporc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\tar2\application data\mozilla\firefox\profiles\v8hmye8v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - plugin: c:\documents and settings\tar2\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-12 136360]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2012-3-12 11608]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 0160541239178217mcinstcleanup;McAfee Application Installer Cleanup (0160541239178217);c:\docume~1\tar2\locals~1\temp\016054~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\tar2\locals~1\temp\016054~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2012-3-12 269480]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-12 66616]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-16 652360]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-16 20464]
.
=============== Created Last 30 ================
.
2012-03-16 06:07:39 -------- d-----w- c:\documents and settings\tar2\application data\Malwarebytes
2012-03-16 06:07:24 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-03-16 06:07:23 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-16 06:07:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-15 09:46:22 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-03-15 09:46:19 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-15 09:46:19 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-14 13:43:49 -------- d-----w- c:\documents and settings\tar2\local settings\application data\Yahoo
2012-03-14 06:26:39 -------- d-----w- c:\program files\VideoLAN
2012-03-14 06:21:06 -------- d-----w- c:\program files\Winamp Detect
2012-03-13 10:11:45 -------- d-----w- c:\documents and settings\tar2\application data\SUPERAntiSpyware.com
2012-03-13 10:10:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-12 06:02:31 -------- d-----w- c:\documents and settings\tar2\application data\Avira
2012-03-12 06:00:40 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-03-12 06:00:39 -------- d-----w- c:\program files\Avira
2012-03-12 06:00:39 -------- d-----w- c:\documents and settings\all users\application data\Avira
2012-03-08 05:54:29 -------- d-----w- c:\documents and settings\all users\application data\CPA_VA
2012-03-07 13:25:26 1060864 ----a-w- c:\windows\system32\mfc71.dll
2012-03-07 13:25:25 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-07 09:41:53 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-03-07 09:28:33 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-03-06 12:18:26 19960 ----a-w- c:\documents and settings\all users\application data\1331036304.bdinstall.bin
2012-03-06 12:17:44 19962 ----a-w- c:\documents and settings\all users\application data\1331036250.bdinstall.bin
2012-03-06 12:13:53 -------- d-----w- c:\program files\common files\Bitdefender
2012-03-06 12:05:55 -------- d-----w- c:\documents and settings\tar2\application data\QuickScan
2012-03-06 09:51:00 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-03-06 09:49:56 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-03-06 09:46:30 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-03-05 05:47:14 43352 ----a-w- c:\windows\system32\drivers\c7c5c34a22269974.sys
2012-02-29 10:23:04 -------- d-----w- c:\documents and settings\tar2\application data\Okoh
2012-02-29 10:23:04 -------- d-----w- c:\documents and settings\tar2\application data\Cihabo
.
==================== Find3M ====================
.
2012-02-21 05:56:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 9:57:52,67 ===============
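As an added example (not code from the thread, nor from DDS itself), a small Python triage script that scans lines modelled on the DDS.txt above and flags the entries a helper looks at first: a Run key launching a random-named executable dropped directly in the profile root, a non-default DLL appended to SecurityProviders, and a newly created driver whose file name is a bare hex string. The sample input is constructed here, and the XP default SecurityProviders set is assumed to be the four DLLs in the constant.

```python
import re

# Default SecurityProviders value on Windows XP (assumed baseline for this check).
KNOWN_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Line shapes from the DDS report format (Pseudo HJT Report and Created Last 30 sections).
RUN_RE = re.compile(r"^(?P<hive>uRun|mRun): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROVIDERS_RE = re.compile(r"^SecurityProviders: (?P<list>.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ \S+ (?P<path>.+)$")

# Heuristics for the indicators visible in this thread's log.
PROFILE_ROOT_EXE_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$", re.I)
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$", re.I)
HEX_DRIVER_RE = re.compile(r"^c:\\windows\\system32\\drivers\\[0-9a-f]{16}\.sys$", re.I)

# Constructed sample, modelled on the DDS.txt posted in this thread.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\tar2\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ogkyuu6grr] c:\documents and settings\tar2\ogkyuu6grr.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, IbduyrIjporc.dll
2012-03-16 06:07:23 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-05 05:47:14 43352 ----a-w- c:\windows\system32\drivers\c7c5c34a22269974.sys
"""


def extract_image_path(cmd):
    """Return the launched executable from a Run value (quoted path, or text up to .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_dds(text):
    """Scan DDS-style lines and return (section, item, reason) findings worth a human look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            path = extract_image_path(run.group("cmd"))
            stem = path.rsplit("\\", 1)[-1]
            if stem.lower().endswith(".exe"):
                stem = stem[:-4]
            reasons = []
            if PROFILE_ROOT_EXE_RE.match(path):
                reasons.append("executable dropped directly in the profile root")
            if RANDOM_NAME_RE.match(stem):
                reasons.append("random-looking file name")
            if reasons:
                findings.append((run.group("hive"), path, "; ".join(reasons)))
            continue
        prov = PROVIDERS_RE.match(line)
        if prov:
            for dll in (d.strip() for d in prov.group("list").split(",")):
                if dll.lower() not in KNOWN_SECURITY_PROVIDERS:
                    findings.append(("SecurityProviders", dll, "not a default XP security provider DLL"))
            continue
        created = CREATED_RE.match(line)
        if created and HEX_DRIVER_RE.match(created.group("path")):
            findings.append(("Created", created.group("path"), "driver named with a bare 16-hex-digit string"))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage_dds(SAMPLE_DDS):
        print(f"[{section}] {item}: {reason}")
```

Two of the three flagged items (ogkyuu6grr.exe and c7c5c34a22269974.sys) are the ones ComboFix's log later in the thread lists under Other Deletions.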

Re: h9phcwpt41.exe file in C:\Documents and Settings

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 04/04/2007 09:30:15
System Uptime: 16/03/2012 08:40:47 (1 hours ago)
.
Motherboard: Dell Inc. | | 0RJ290
Processor: Intel(R) Pentium(R) D CPU 3.40GHz | Microprocessor | 3391/800mhz
Processor: Intel(R) Pentium(R) D CPU 3.40GHz | Microprocessor | 3391/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 52,632 GiB free.
D: is CDROM ()
Z: is NetworkDisk (NTFS) - 74 GiB total, 42,063 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1005: 19/01/2012 11:48:41 - System Checkpoint
RP1006: 20/01/2012 11:53:34 - System Checkpoint
RP1007: 23/01/2012 11:06:20 - System Checkpoint
RP1008: 25/01/2012 09:52:29 - System Checkpoint
RP1009: 30/01/2012 09:02:58 - System Checkpoint
RP1010: 31/01/2012 09:30:10 - System Checkpoint
RP1011: 01/02/2012 12:21:15 - System Checkpoint
RP1012: 02/02/2012 14:09:29 - System Checkpoint
RP1013: 06/02/2012 11:40:47 - System Checkpoint
RP1014: 09/02/2012 14:29:09 - System Checkpoint
RP1015: 14/02/2012 13:59:59 - System Checkpoint
RP1016: 15/02/2012 14:09:46 - System Checkpoint
RP1017: 20/02/2012 14:50:03 - System Checkpoint
RP1018: 22/02/2012 09:03:24 - System Checkpoint
RP1019: 23/02/2012 11:09:17 - System Checkpoint
RP1020: 24/02/2012 11:59:47 - System Checkpoint
RP1021: 27/02/2012 10:49:33 - System Checkpoint
RP1022: 28/02/2012 12:12:41 - System Checkpoint
RP1023: 01/03/2012 09:05:52 - System Checkpoint
RP1024: 05/03/2012 11:06:52 - System Checkpoint
RP1025: 06/03/2012 11:49:19 - Installed AVG 2012
RP1026: 06/03/2012 11:50:51 - Installed AVG 2012
RP1027: 06/03/2012 11:50:57 - Removed AVG 2012
RP1028: 06/03/2012 11:57:57 - Installed AVG 2012
RP1029: 06/03/2012 11:59:23 - Installed AVG 2012
RP1030: 06/03/2012 11:59:29 - Removed AVG 2012
RP1031: 06/03/2012 13:35:55 - Installed AVG 2012
RP1032: 06/03/2012 13:37:31 - Installed AVG 2012
RP1033: 06/03/2012 13:37:37 - Removed AVG 2012
RP1034: 07/03/2012 11:09:10 - Installed AVG 2012
RP1035: 07/03/2012 11:10:43 - Installed AVG 2012
RP1036: 07/03/2012 11:10:49 - Removed AVG 2012
RP1037: 07/03/2012 11:18:21 - Installed AVG 2012
RP1038: 07/03/2012 11:19:55 - Installed AVG 2012
RP1039: 07/03/2012 11:20:05 - Removed AVG 2012
RP1040: 07/03/2012 11:28:33 - avast! Free Antivirus Instalare
RP1041: 07/03/2012 14:55:36 - avast! Free Antivirus Instalare
RP1042: 08/03/2012 08:06:03 - Removed COMODO Internet Security
RP1043: 09/03/2012 12:17:35 - System Checkpoint
RP1044: 12/03/2012 12:03:44 - System Checkpoint
RP1045: 13/03/2012 13:57:55 - OTL Restore Point - 13/03/2012 13:57:50
.
==== Installed Programs ======================
.
2007 Microsoft Office system
7-Zip 9.07 beta
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.0 - Romanian
Aplicatii SOFT 92 SRL
Avira AntiVir Personal - Free Antivirus
Bilant 1207
BJC-1000
Broadcom Advanced Control Suite
Declaratii fiscale 2007
Declaratii fiscale 2008
Declaratii fiscale 2009
Dell Support 3.2.1
GIMP 2.6.11
Google Chrome
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB970653-v3)
Intel(R) Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Legis 4.1
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Language Pack 2007 Service Pack 1 (SP1)
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 11.0 (x86 en-US)
Nero 6 Ultra Edition
Notepad++
OMCI
Opera 11.50
OPFV 2009
OPFV 2010
OPFV 2011
PowerDVD 5.7
ReviSal
Roxio DLA
Roxio Express Labeler
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sonic Update Manager
SUPERAntiSpyware
Update for Windows XP (KB912945)
Update for Windows XP (KB973815)
VLC media player 2.0.0
WebFldrs XP
Winamp
Winamp Detector Plug-in
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Yahoo! Widgets
.
==== Event Viewer Messages From Past Week ========
.
16/03/2012 08:37:49, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
16/03/2012 08:08:53, error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: A device attached to the system is not functioning.
16/03/2012 08:08:53, error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: A device attached to the system is not functioning.
16/03/2012 08:07:40, error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: A device attached to the system is not functioning.
13/03/2012 12:38:42, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
13/03/2012 12:11:45, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: A device attached to the system is not functioning.
13/03/2012 12:10:29, error: Service Control Manager [7000] - The SASKUTIL service failed to start due to the following error: A device attached to the system is not functioning.
12/03/2012 08:09:41, error: Service Control Manager [7000] - The avipbb service failed to start due to the following error: A device attached to the system is not functioning.
12/03/2012 08:03:51, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.
12/03/2012 08:02:13, error: Service Control Manager [7000] - The avgntflt service failed to start due to the following error: A device attached to the system is not functioning.
12/03/2012 08:01:07, error: Service Control Manager [7000] - The avgio service failed to start due to the following error: A device attached to the system is not functioning.
.
==== End Of File ===========================

Re: h9phcwpt41.exe file in C:\Documents and Settings

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
***************************************************
Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here (http://www.pchelpforum.com/anti-virus/110194-how-disable-your-security-applications.html) for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:

(image: NSIS_disclaimer_ENG)

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

(image: NSIS_extraction)

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

(image: RcAuto1)

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(image: Whatnext)

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Re: h9phcwpt41.exe file in C:\Documents and Settings

Combofix.txt content:

ComboFix 12-03-18.02 - Tar2 20/03/2012 7:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.280 [GMT 2:00]
Running from: c:\documents and settings\Tar2\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\1331036250.bdinstall.bin
c:\documents and settings\All Users\Application Data\1331036304.bdinstall.bin
c:\documents and settings\Tar2\ogkyuu6grr.exe
c:\windows\system32\drivers\c7c5c34a22269974.sys
c:\windows\system32\SET43.tmp
c:\windows\system32\SET4F.tmp
c:\windows\system32\SET58.tmp
c:\windows\system32\SET59.tmp
c:\windows\system32\SET5A.tmp
c:\windows\system32\SET5D.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_c7c5c34a22269974
-------\Service_c7c5c34a22269974
.
.
((((((((((((((((((((((((( Files Created from 2012-02-20 to 2012-03-20 )))))))))))))))))))))))))))))))
.
.
2012-03-19 08:17 . 2012-03-19 08:17 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-19 08:17 . 2012-03-19 08:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-16 06:07 . 2012-03-16 06:07 -------- d-----w- c:\documents and settings\Tar2\Application Data\Malwarebytes
2012-03-16 06:07 . 2012-03-16 06:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-16 06:07 . 2012-03-16 06:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-16 06:07 . 2011-12-10 13:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-15 09:46 . 2012-03-13 04:39 97208 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-03-15 09:46 . 2012-03-13 04:39 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-15 09:46 . 2012-03-13 04:39 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-14 13:43 . 2012-03-14 13:43 -------- d-----w- c:\documents and settings\Tar2\Local Settings\Application Data\Yahoo
2012-03-14 06:27 . 2012-03-14 06:27 -------- d-----w- c:\documents and settings\Tar2\Application Data\vlc
2012-03-14 06:26 . 2012-03-14 06:26 -------- d-----w- c:\program files\VideoLAN
2012-03-14 06:21 . 2012-03-14 06:21 -------- d-----w- c:\program files\Winamp Detect
2012-03-14 06:20 . 2012-03-15 09:46 -------- d-----w- c:\documents and settings\Tar2\Application Data\Winamp
2012-03-14 06:20 . 2012-03-14 06:21 -------- d-----w- c:\program files\Winamp
2012-03-13 10:11 . 2012-03-13 10:11 -------- d-----w- c:\documents and settings\Tar2\Application Data\SUPERAntiSpyware.com
2012-03-13 10:10 . 2012-03-16 06:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-12 06:02 . 2012-03-12 06:02 -------- d-----w- c:\documents and settings\Tar2\Application Data\Avira
2012-03-12 06:00 . 2012-03-12 06:08 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-03-12 06:00 . 2012-03-12 06:08 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-03-12 06:00 . 2009-05-11 09:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2012-03-12 06:00 . 2009-05-11 09:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2012-03-12 06:00 . 2012-03-12 06:00 -------- d-----w- c:\program files\Avira
2012-03-12 06:00 . 2012-03-12 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-03-08 05:54 . 2012-03-08 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\CPA_VA
2012-03-07 13:25 . 2012-03-07 13:25 1060864 ----a-w- c:\windows\system32\mfc71.dll
2012-03-07 13:25 . 2012-03-07 13:25 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-07 09:41 . 2012-03-07 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-07 09:28 . 2012-03-07 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-06 12:13 . 2012-03-06 12:13 -------- d-----w- c:\program files\Common Files\Bitdefender
2012-03-06 12:05 . 2012-03-07 07:36 -------- d-----w- c:\documents and settings\Tar2\Application Data\QuickScan
2012-03-06 09:51 . 2012-03-06 09:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-03-06 09:49 . 2012-03-07 09:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-03-06 09:46 . 2012-03-07 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-02-29 10:23 . 2012-03-06 12:27 -------- d-----w- c:\documents and settings\Tar2\Application Data\Okoh
2012-02-29 10:23 . 2012-03-06 10:06 -------- d-----w- c:\documents and settings\Tar2\Application Data\Cihabo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-19 08:17 . 2009-04-03 05:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-21 05:56 . 2011-05-19 04:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-13 04:39 . 2012-03-15 09:46 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-08-21 6276408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-03-12 281768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-12-09 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\Tar2\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-19 4742184]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, IbduyrIjporc.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23529:UDP"= 23529:UDP:UDP 23529
"20164:TCP"= 20164:TCP:TCP 20164
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 18:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 23:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 01:38 116608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/03/2012 08:00 136360]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [16/03/2012 08:07 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [16/03/2012 08:07 20464]
S2 0160541239178217mcinstcleanup;McAfee Application Installer Cleanup (0160541239178217);c:\docume~1\Tar2\LOCALS~1\Temp\016054~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\Tar2\LOCALS~1\Temp\016054~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\Tar2\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\Tar2\LOCALS~1\Temp\CFcatchme.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - SSMDRV
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1691087186-1609294726-3216254438-1005Core.job
- c:\documents and settings\Tar2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-31 09:31]
.
2012-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1691087186-1609294726-3216254438-1005UA.job
- c:\documents and settings\Tar2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-31 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ro/
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Tar2\Application Data\Mozilla\Firefox\Profiles\v8hmye8v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-ogkyuu6grr - c:\documents and settings\Tar2\ogkyuu6grr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-20 08:07
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(460)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2012-03-20 08:12:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-20 06:12
ComboFix2.txt 2009-04-08 08:27
.
Pre-Run: 56.647.983.104 bytes free
Post-Run: 56.530.759.680 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 34A7C1D35EA41BA8852BA4B2486D3902
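As an added example (not part of the thread or of ComboFix), the script below parses a constructed excerpt of the ComboFix.txt posted above and flags the loading points a reviewer should look at first: a DLL in SecurityProviders beyond the four stock Windows XP entries, ports opened globally in the firewall profile, Firefox user.js prefs that switch off security warnings, and Run values or removed orphans with random-looking names. The XP default provider list is stated from memory, and looks_random is a crude heuristic of my own, not a ComboFix rule.

```python
import re

# Constructed excerpt: entries copied from the ComboFix.txt posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-08-21 6276408]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, IbduyrIjporc.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23529:UDP"= 23529:UDP:UDP 23529
"20164:TCP"= 20164:TCP:TCP 20164
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
HKCU-Run-ogkyuu6grr - c:\documents and settings\Tar2\ogkyuu6grr.exe
"""

# Stock SecurityProviders value on Windows XP (stated from memory); any extra DLL
# named here is loaded into lsass.exe at boot and has to be identified.
XP_DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Firefox prefs whose listed value disables a warning or loosens cookie policy.
WEAKENING_PREFS = {"security.warn_viewing_mixed": "false",
                   "security.warn_submit_insecure": "false", "network.cookie.cookieBehavior": "0"}

def parse_sections(text):
    """Group non-empty lines under the lower-cased [registry key] header they follow."""
    sections, current = {}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections

def section(sections, suffix):
    """Lines of the first section whose key ends with suffix (empty list if absent)."""
    return next((lines for key, lines in sections.items() if key.endswith(suffix)), [])

def non_default_security_providers(sections):
    """DLLs in the SecurityProviders list that are not in the XP default set."""
    for line in section(sections, r"control\securityproviders"):
        if line.lower().startswith("securityproviders "):
            dlls = [d.strip() for d in line.split(" ", 1)[1].split(",")]
            return [d for d in dlls if d.lower() not in XP_DEFAULT_SECURITY_PROVIDERS]
    return []

def globally_open_ports(sections):
    """(port, protocol) pairs opened for every program in the firewall standard profile."""
    matches = (re.match(r'"(\d+):(TCP|UDP)"', line)
               for line in section(sections, r"globallyopenports\list"))
    return [(int(m.group(1)), m.group(2)) for m in matches if m]

def looks_random(name):
    """Crude heuristic: 8+ lowercase letters/digits including at least one digit."""
    return bool(re.fullmatch(r"[a-z0-9]{8,}", name)) and any(c.isdigit() for c in name)

def suspicious_autostarts(sections):
    """Run values (live, or orphans ComboFix removed) whose value name looks machine-made."""
    hits = []
    for key, lines in sections.items():
        for line in lines:
            m = re.match(r'"([^"]+)"="([^"]+)"', line) if key.endswith(r"currentversion\run") else None
            m = m or re.match(r"HKCU-Run-(\S+) - (.+)", line)
            if m and looks_random(m.group(1).lower()):
                hits.append((m.group(1), m.group(2)))
    return hits

def weakened_firefox_prefs(text):
    """Firefox prefs.js/user.js entries set to a value listed in WEAKENING_PREFS."""
    found = []
    for m in re.finditer(r"FF - (?:user|prefs)\.js: (\S+) - (\S+)", text):
        if WEAKENING_PREFS.get(m.group(1)) == m.group(2):
            found.append((m.group(1), m.group(2)))
    return found

def triage(text):
    """Run every check over one ComboFix log and return the findings by category."""
    sections = parse_sections(text)
    return {
        "extra_security_providers": non_default_security_providers(sections),
        "globally_open_ports": globally_open_ports(sections),
        "suspicious_autostarts": suspicious_autostarts(sections),
        "weakened_firefox_prefs": weakened_firefox_prefs(text),
    }
```

Each finding is a lead for identification, not a verdict: the extra provider DLL in particular needs its file located and hashed before deciding anything.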

Re: h9phcwpt41.exe file in C:\Documents and Settings

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Re: h9phcwpt41.exe file in C:\Documents and Settings

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AA49E000
Module End: AA4B6000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F89BB000
Module End: F89BD000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwClose
Address: F8B36C8C
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateKey
Address: F8B36C46
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateSection
Address: F8B36C96
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateThread
Address: F8B36C3C
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteKey
Address: F8B36C4B
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteValueKey
Address: F8B36C55
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDuplicateObject
Address: F8B36C87
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwLoadKey
Address: F8B36C5A
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcess
Address: F8B36C28
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: F8B36C2D
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwReplaceKey
Address: F8B36C64
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwRestoreKey
Address: F8B36C5F
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetContextThread
Address: F8B36C9B
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetValueKey
Address: F8B36C50
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: F8B36C37
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Tar2\Application Data\Microsoft\Templates\Buletin informativ de sarbatori.dot
Status: Hidden

Object: C:\Documents and Settings\Tar2\Application Data\Microsoft\Templates\Carte de vizita.dot
Status: Hidden

Object: C:\Documents and Settings\Tar2\Application Data\Microsoft\Templates\Felicitare de Ziua îndragosti?ilor.dot
Status: Hidden

Object: C:\Documents and Settings\Tar2\Application Data\Microsoft\Templates\Foaie volanta eveniment de iarna.dot
Status: Hidden

Object: C:\Documents and Settings\Tar2\Application Data\Microsoft\Templates\Scrisoare de prezentare catre un client nou.dot
Status: Hidden

Object: C:\Documents and Settings\Tar2\Application Data\Microsoft\Templates\Semne de carte pentru biblioteca.dot
Status: Hidden

Object: C:\Documents and Settings\Tar2\My Documents\FIRME\TAR DECIROM SA\AGA\Informatii despre plata MO .doc
Status: Hidden

Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied
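The SysProt run above was made with Hidden Objects Only selected, so its Kernel Modules section lists only modules SysProt considers hidden. As an added example (not part of the thread or of SysProt), the script below parses a constructed excerpt with both module records and three of the fifteen SSDT entries, collects the hooks SysProt could not attribute to a driver, tests whether any of them points into a listed hidden module, and measures how tightly the hook addresses cluster (a tight cluster suggests one driver owns them all); parse_records, module_for and summarize are my own names.

```python
import re

# Constructed excerpt of the SysProt log posted above: both Kernel Modules
# records and three of its fifteen SSDT entries, values copied from the thread.
SAMPLE_SYSPROT = r"""
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AA49E000
Module End: AA4B6000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F89BB000
Module End: F89BD000
Hidden: Yes

SSDT:
Function Name: ZwClose
Address: F8B36C8C
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcess
Address: F8B36C28
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetContextThread
Address: F8B36C9B
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
"""

HEADING = re.compile(r"[A-Za-z ]+:$")   # a section heading such as "SSDT:"

def parse_records(text, heading):
    """Return the 'Key: Value' blocks listed under `heading:` as dicts.
    Blocks are separated by blank lines; the next heading ends the section."""
    lines = [raw.rstrip() for raw in text.splitlines()]
    if heading + ":" not in lines:
        return []
    records, current = [], {}
    for line in lines[lines.index(heading + ":") + 1:]:
        if HEADING.fullmatch(line):
            break
        if not line:
            if current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:                      # skips separator lines such as rows of asterisks
            current[key] = value
    if current:
        records.append(current)
    return records

def unmapped_hooks(text):
    """(function, address) for SSDT entries SysProt could not attribute to a driver."""
    return [(r["Function Name"], int(r["Address"], 16))
            for r in parse_records(text, "SSDT") if r.get("Driver Name") == "_unknown_"]

def module_for(addr, modules):
    """Name of the listed module whose [Base, End) range contains addr, else None."""
    for m in modules:
        if int(m["Module Base"], 16) <= addr < int(m["Module End"], 16):
            return m["Module Name"]
    return None

def summarize(text):
    """Count unmapped hooks, the byte span they cover, and any hidden module they land in."""
    hooks = unmapped_hooks(text)
    modules = parse_records(text, "Kernel Modules")
    addrs = [a for _, a in hooks]
    return {
        "unmapped_hooks": len(hooks),
        "address_span": max(addrs) - min(addrs) if addrs else 0,
        "in_hidden_module": sorted({module_for(a, modules) for a in addrs} - {None}),
    }
```

For the excerpt the result is 3 unmapped hooks spanning 0x73 bytes and none inside a hidden module; the remaining step, mapping that address range to the driver list from a second tool, is what decides whether the hooks belong to the installed security software or to something else.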

Re: h9phcwpt41.exe file in C:\Documents and Settings

Please give me an update on how your computer is running.

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the [image: EsetOnline] button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on [image: EsetSmartInstall] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [image: EsetSmartInstallDesktopIcon-1] icon on your desktop.

• Check [image: EsetAcceptTerms]
• Click the [image: EsetStart] button.
• Accept any security warnings from your browser.
• Check [image: EsetScanArchives]
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push [image: EsetListThreats]
• Push [image: EsetExport], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the [image: EsetBack] button.
• Push [image: EsetFinish]
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: h9phcwpt41.exe file in C:\Documents and Settings

Hello!
Thank you so much for your help.
I was out of town for a few days.
Here is the ESET log content:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=8cefc58c3f399e4d94d3668fd4bc8a61
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-26 05:48:54
# local_time=2012-03-26 08:48:54 (+0200, E. Europe Daylight Time)
# country="Romania"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1797 16775141 100 93 933 69278817 0 0
# compatibility_mode=8192 67108863 100 0 228 228 0 0
# scanned=64777
# found=0
# cleaned=0
# scan_time=2305

Re: h9phcwpt41.exe file in C:\Documents and Settings

Good. If there are no other issues, we can do some cleanup.

To uninstall ComboFix


  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall


[image: Combofix_uninstall_image]

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)


  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

*************************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
****************************************************
Looking over your log it seems you don't have any evidence of a third party firewall.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
******************************************************
Use the Secunia Software Inspector to check for out of date software.

• Click Start Now

• Check the box next to Enable thorough system inspection.

• Click Start

• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Re: h9phcwpt41.exe file in C:\Documents and Settings

Thank you very much !

I still have this message:
https://i.servimg.com/u/f49/17/39/07/46/untitl12.jpg

Re: h9phcwpt41.exe file in C:\Documents and Settings

I still have this message:

You don't need that process. Look here for more information and how to get rid of it.

Re: h9phcwpt41.exe file in C:\Documents and Settings

I'll do that.
Thank you

Re: h9phcwpt41.exe file in C:\Documents and Settings

oceanbluetime wrote:
I'll do that.
Thank you


You're welcome.
