Google results take me to wrong sites

June 11, 2011 at 13:07:54
Specs: Windows XP

I got rid ( I think) of the "Windows Security Alert" virus last week with the help of this site, but my computer has been acting up again.
When I went to use my computer this morning, I had the "Antivirus XP 2012" virus.
I thought I got rid of it, but now when I use "Google", all the results take me to porn sites and other odd sites.
If I run "RKill", I'm able to use google normally.
I have also run a full scan with "Malwarebytes", and have used "system restore".
As I'm writing this, I'm scanning my computer with "Kaspersky".
I have also downloaded "Hijack this", but have not run it yet.
Any help would be appreciated. Thanks.


#1
June 11, 2011 at 15:53:36

Kaspersky found nothing after a 1.5 hour scan!!
I ran Kaspersky tdsskiller, and it also found nothing !!
I'm ready to put my foot through this computer because I'm so damn fed up with these viruses.


#2
June 11, 2011 at 16:02:34

hemi43,

Last week we were dealing mostly with some exe files not running, and an icon in the TaskBar.

Let's tackle XP Antivirus 2012. It is not in the family of what TDSSKiller would target.

Try the following:


If the infection does not let you download files to the infected computer, or you have no Internet connection, download the file/program requested below to a clean computer and then transfer them to the infected computer. You can use a USB flash drive, or other removable media (CD/DVD, external drive).

Please download RogueKiller
(http://tigzy.geekstogo.com/Tools/RogueKiller.exe)
Save it to your Desktop.

Now, close all open programs.

For XP, simply double-click RogueKiller.exe
For Vista/Windows 7, right click the file and select: Run as Administrator

When prompted, type 1 and hit Enter.

An RKreport.txt should appear on your Desktop.

Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

>>Please post the contents of the >RKreport.txt< in your reply.<<

We will take further action based on the results of this Scan.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#3
June 11, 2011 at 21:56:04

Thanks again for your help Aaflac44 !!
here is the report from Roguekiller;
FYI: I noticed "Simple Save" came up in the errors. This is a back-up hard drive that is always connected to my computer to save any files in case my computer ever crashes.
Dan


RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discuss...

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: User [Admin rights]
Mode: Scan -- Date : 06/12/2011 00:50:28

Bad processes: 2
[SUSP PATH] uUACTokenSvc.exe -- c:\documents and settings\user\application data\hp simplesave application\uuactokensvc.exe -> KILLED
[SUSP PATH] HPSSBackupMonitor.exe -- c:\documents and settings\user\application data\hp simplesave application\hpssbackupmonitor.exe -> KILLED

Registry Entries: 5
[] HKLM\[...]\Windows : () -> ACCESS DENIED
[SUSP PATH] HP SimpleSave Monitor.lnk : C:\Documents and Settings\User\Application Data\HP SimpleSave Application\StartHelper.exe -> FOUND
[] \ : -> ACCESS DENIED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[] HKLM\[...]\Windows : () -> ACCESS DENIED

HOSTS File:
127.0.0.1 localhost


Finished : << \RKreport[1].txt >>
RKreport[1].txt



#4
June 12, 2011 at 07:52:36

FYI:
I'm able to search with Google if I click on "cached" in the Google results. For some reason, by doing this the virus does not redirect me.


#5
June 12, 2011 at 09:27:26

Please download RKill:
http://download.bleepingcomputer.co...

Save it to the Desktop.
For XP, double click the file to run the file.

A Command window temporarily opens.
Once the tool completes its work, the window closes and a log is displayed.

>>Please post the contents of the RKill log in your reply.<<

Without a reboot, download Malwarebytes' Anti-Malware (black button with green and white icon). Save to the Desktop:
http://download.cnet.com/Malwarebyt...

Double-click mbam-setup.exe and follow the prompts to install the program.
Run Malwarebytes' Anti-Malware and update the program.
Once updated, select Perform Full Scan and click the scan button.

When the scan finishes, click OK in the message box, and you will see the results of the scan.

Click the Remove Selected button to get rid of the malware.

When Malwarebytes finishes, you may be prompted to reboot. If so, reboot.


>>Also post the Malwarebytes log in your reply so we can see where we are at, and plan any additional removal strategy.<<

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#6
June 12, 2011 at 09:51:35

I have run RKill, then a full scan with Malwarebytes, no less than 5 times.
The last time it found nothing. I will post the last 3 logs from it.

This was from this morning :

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6840

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/12/2011 9:21:40 AM
mbam-log-2011-06-12 (09-21-40).txt

Scan type: Quick scan
Objects scanned: 180961
Time elapsed: 7 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


This was from late yesterday :

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6837

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/11/2011 8:28:06 PM
mbam-log-2011-06-11 (20-28-06).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 351845
Time elapsed: 1 hour(s), 12 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\KOQMLYTPE7 (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\YDZ1QVAGOJ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KOQMLYTPE7 (Trojan.FakeAlert.SA) -> Value: KOQMLYTPE7 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YDZ1QVAGOJ (Trojan.FakeAlert.SA) -> Value: YDZ1QVAGOJ -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setui70vir.exe (Trojan.FakeAlert.AD) -> Value: setui70vir.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NtWqIVLZEWZU (Trojan.FakeAlert) -> Value: NtWqIVLZEWZU -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


This was from earlier yesterday :

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6834

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/11/2011 10:16:25 AM
mbam-log-2011-06-11 (10-16-25).txt

Scan type: Quick scan
Objects scanned: 180873
Time elapsed: 8 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 8
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\KOQMLYTPE7 (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\YDZ1QVAGOJ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Backdoor.Cycbot.Gen) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KOQMLYTPE7 (Trojan.FakeAlert.SA) -> Value: KOQMLYTPE7 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YDZ1QVAGOJ (Trojan.FakeAlert.SA) -> Value: YDZ1QVAGOJ -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setui70vir.exe (Trojan.FakeAlert.AD) -> Value: setui70vir.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NtWqIVLZEWZU (Trojan.FakeAlert) -> Value: NtWqIVLZEWZU -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Backdoor.Cycbot.Gen) -> Bad: (C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\cwq.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\cwq.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\cwq.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\User\application data\microsoft\conhost.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\temp\csrss.exe (Backdoo


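Read together, the three Malwarebytes logs above say more than their final "found nothing". The Winlogon\Shell and Windows\Load values start the dropper without needing a Run key; the StartMenuInternet entries make the Start-menu browser shortcuts run cwq.exe with the real browser as its argument; ProxyServer points WinINet at a proxy; the Security Center values silence the warnings; and one Load value was still "Delete on reboot" when the scan ended. Note also that the KOQMLYTPE7, YDZ1QVAGOJ and NtWqIVLZEWZU Run entries quarantined by the 10:16 AM scan are back in the 8:28 PM scan, so a scan that ends clean is only a snapshot; what matters is whether the entries stay gone after a reboot. The script below is an added example, not code from this thread or from Malwarebytes: it parses that entry format (inferred from the posted logs) and labels each entry with the mechanism it represents. The labels, the regexes that assign them and the trimmed sample log are this example's own assumptions.

```python
"""Parse Malwarebytes' Anti-Malware 1.x log entries and name the persistence or
hijack mechanism behind each one.  Added example, not code from the thread or
from Malwarebytes; entry format inferred from the logs posted above, mechanism
labels and regexes are assumptions of this example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries copied from the 6/11/2011 10:16 AM log posted
# above, trimmed to one entry per mechanism.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\KOQMLYTPE7 (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Backdoor.Cycbot.Gen) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Backdoor.Cycbot.Gen) -> Bad: (C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\cwq.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\User\application data\microsoft\conhost.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
"""

ENTRY = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
VALUE = re.compile(r"^Value: (?P<value>.+?) -> (?P<action>.+)$")
DATA = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")
EXE = re.compile(r'[a-z]:\\[^"]*?\.exe', re.I)

# (regex over the registry key or file path, label); first match wins, so the
# more specific autostart locations are listed before the generic Run key.
MECHANISMS = [
    (r"\\StartMenuInternet\\[^\\]+\\shell\\(open|safemode)\\command",
     "browser-launch hijack (wrapper runs instead of the browser)"),
    (r"\\Winlogon\\Shell$", "autostart: Winlogon Shell replaced"),
    (r"\\CurrentVersion\\Windows\\Load$", "autostart: Load value (win.ini load= equivalent)"),
    (r"\\CurrentVersion\\Run\\", "autostart: Run key"),
    (r"\\Internet Settings\\ProxyServer$", "traffic interception: WinINet proxy set"),
    (r"\\Security Center\\\w+DisableNotify$", "defense evasion: Security Center warnings silenced"),
    (r"^[a-z]:\\.*\\(temp|application data)\\", "dropped executable in a user-writable directory"),
]


@dataclass
class Finding:
    section: str
    path: str
    threat: str
    action: str
    value: Optional[str] = None
    bad: Optional[str] = None
    good: Optional[str] = None

    @property
    def mechanism(self) -> str:
        for pattern, label in MECHANISMS:
            if re.search(pattern, self.path, re.I):
                return label
        return "unclassified"

    @property
    def pending_reboot(self) -> bool:
        # "Delete on reboot." means the item is still live until the box restarts.
        return "reboot" in self.action.lower()


def parse_mbam_log(text: str) -> list[Finding]:
    findings: list[Finding] = []
    section = "?"
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("("):      # blank / "(No malicious items detected)"
            continue
        if line.endswith("Infected:"):            # detail header; summary lines carry a count
            section = line[: -len(" Infected:")]
            continue
        m = ENTRY.match(line)
        if not m:                                 # banner, scan-type and summary lines
            continue
        f = Finding(section, m["path"], m["threat"], m["rest"])
        v, d = VALUE.match(m["rest"]), DATA.match(m["rest"])
        if v:
            f.value, f.action = v["value"], v["action"]
        elif d:
            f.bad, f.good, f.action = d["bad"], d["good"], d["action"]
        findings.append(f)
    return findings


def dropped_binaries(findings: list[Finding]) -> set[str]:
    """Basenames of every on-disk executable the log points at, either as a
    file finding or as the target of a hijacked registry value."""
    names = set()
    for f in findings:
        for text in (f.path, f.bad or ""):
            for hit in EXE.findall(text):
                names.add(hit.lower().rsplit("\\", 1)[-1])
    return names


def summarize(findings: list[Finding]) -> dict:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.mechanism] = counts.get(f.mechanism, 0) + 1
    return {"mechanisms": counts,
            "reboot_required": any(f.pending_reboot for f in findings),
            "binaries": sorted(dropped_binaries(findings))}


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.mechanism:58} {f.path}")
    print(summarize(found))
```

The `binaries` list (cwq.exe, csrss.exe, conhost.exe) is the hunt list for the next scan: a later log that still mentions any of them, or re-creates the Load or Shell values, means the cleanup did not hold.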

#7
June 12, 2011 at 09:59:42

Here's something funny !!
I googled "Malwarebytes", and when I clicked on the "Malwarebytes" URL in the Google results, it took me to the "Stopzilla" website!! Go figure!!


#8
June 12, 2011 at 14:12:56

Has RKill given you a report? If so, please post.

What is the drive letter of your 'Simple Save' back-up hard drive? Is it F:? If not...?
Has this back-up hard drive been connected to the PC for every scan you have done?

Let's go this route:

Please download SuperAntispyware Free Edition (SAS): http://www.superantispyware.com/dow...
Double-click the icon on your Desktop to run the installer.

When asked to Update the program definitions, click Yes

Next click the >Preferences< button.
Under >Start-Up Options< uncheck: Start SuperAntiSpyware when Windows starts

Click the >Scanning Control< tab.
Under >Scanner Options< make sure only the following are checked:
--Close browsers before scanning
--Scan for tracking cookies
--Terminate memory threats before quarantining
Leave the others unchecked
Click the Close button to leave the control center screen.

On the main screen of SAS, click: >Scan your computer<
On the left, check the box for the drives you are scanning. Make sure you include the back-up hard drive.
On the right, select: >Perform Complete Scan<
Click Next to start the scan, and please be patient while it scans your computer.

After the scan is complete, a summary box appears.
Click OK
Make sure everything in the white box has a check next to it, then click: Next
SAS quarantines what it found, and, if it asks if you want to reboot, click: Yes

To obtain the removal information please do the following:
-After reboot, double-click the SuperAntiSpyware icon on your desktop.
-Click Preferences > Statistics/Logs tab.
-Under Scanner Logs, double-click: SuperAntiSpyware Scan Log.
(It will open in your default text editor (preferably Notepad)).
Save the notepad file to your Desktop by clicking (in notepad) File > Save As...
Save the log on the Desktop.

Please Copy and Paste the SAS log, and provide it in your reply.


~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#9
June 12, 2011 at 17:34:19

Having difficulty posting the log because it is so large.


#10
June 12, 2011 at 17:36:58

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/12/2011 at 08:08 PM

Application Version : 4.54.1000

Core Rules Database Version : 7256
Trace Rules Database Version: 5068

Scan type : Complete Scan
Total Scan Time : 02:05:37

Memory items scanned : 528
Memory threats detected : 0
Registry items scanned : 9660
Registry threats detected : 4
File items scanned : 185977
File threats detected : 1285

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@rts.pgmediaserve[2].txt
C:\Documents and Settings\User\Cookies\user@statcounter[7].txt
C:\Documents and Settings\User\Cookies\user@tacoda.at.atwola[6].txt
C:\Documents and Settings\User\Cookies\user@www.wpdstat[1].txt
C:\Documents and Settings\User\Cookies\user@legolas-media[4].txt
C:\Documents and Settings\User\Cookies\user@harrenmedianetwork[2].txt
C:\Documents and Settings\User\Cookies\user@adserv.rotator.hadj7.adjuggler[2].txt
C:\Documents and Settings\User\Cookies\user@dealfind[2].txt
C:\Documents and Settings\User\Cookies\user@imrworldwide[5].txt
C:\Documents and Settings\User\Cookies\user@www.mediaquantics\User Data\Default\Cookies ]
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@ad.yieldmanager[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@ad.yieldmanager[6].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@ad.yieldmanager[7].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@adbrite[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@adcentriconline[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@adcentriconline[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@adinterax[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@adinterax[4].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@ads.bluelithium[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@ads.networldmedia[4].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@ads.networldmedia[6].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@ads.pointroll[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@ads.pointroll[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@ads.verticalscope[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@adserver.adtechus[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@adtech[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@advertising[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@analytics.rogersmedia[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@analytics.rogersmedia[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@ar.atwola[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@at.atwola[4].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@atdmt[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@atdmt[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@atdmt[4].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@bellcan.adbureau[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@bellcan.adbureau[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@bs.serving-sys[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@bs.serving-sys[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@casalemedia[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@casalemedia[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@citi.bridgetrack[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@content.yieldmanager[10].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@content.yieldmanager[11].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@content.yieldmanager[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@content.yieldmanager[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@content.yieldmanager[7].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@doubleclick[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@doubleclick[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@e-2dj6wjkosmazchp.stats.esomniture[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@edge.jeetyetmedia[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@edge.jeetyetmedia[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@ehg-reed.hitbox[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@hitbox[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@imrworldwide[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@invitemedia[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@invitemedia[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@media6degrees[6].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@mediaplex[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@mediaplex[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@mediaplex[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@networldmedia[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@networldmedia[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@picclick[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@pointroll[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@pro-market[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@r1-ads.ace.advertising[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@realmedia[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@richmedia.yahoo[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@richmedia.yahoo[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@rogersmedia[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@rogersmedia[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@serving-sys[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@serving-sys[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@serving-sys[4].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@shared.rogersmedia[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@statcounter[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@statcounter[4].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@statse.webtrendslive[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@tacoda.at.atwola[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@tacoda[2].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@tribalfusion[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@vitamine.networldmedia[1].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@vitamine.networldmedia[3].txt
F:\Backup Files\1\1\V0\C\Documents and Settings\User\Cookies\user@yieldmanager[1].txt

Adware.AdRotator
HKU\.DEFAULT\Software\Sky-Banners
HKU\S-1-5-18\Software\Sky-Banners
HKU\.DEFAULT\Software\Street-Ads
HKU\S-1-5-18\Software\Street-Ads

Rogue.AntiMalwareDoctor
C:\Documents and Settings\User\Application Data\9D09E4F2F180B6B3A147D588554CD0BC

Trojan.Agent/Gen-IExplorer[Fake]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RARSFX0\NIRD\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RARSFX2\NIRD\IEXPLORE.EXE

Trojan.Agent/Gen-PEC
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RARSFX0\PROCS\EXPLORER.EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RARSFX2\PROCS\EXPLORER.EXE



#11
June 12, 2011 at 17:38:53

I had to delete the info in the middle of the log. It was all "cookies"...
I posted the beginning and end of the log. I hope this will be sufficient.


#12
June 12, 2011 at 17:43:49

Still no good !!
I googled "yamaha", and clicked on the first result.
It took me to a porn site !! Damn


#13
June 12, 2011 at 17:47:30

I ran "rkill" and here's the log:
It turned off my "Simple Save", but my "F" drive was still visible in Explorer.


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as User on 06/12/2011 at 20:44:31.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\User\Application Data\HP SimpleSave Application\uUACTokenSvc.exe
C:\Documents and Settings\User\Application Data\HP SimpleSave Application\HPSSBackupMonitor.exe
C:\Documents and Settings\User\Desktop\virus stuff\rkill.com


Rkill completed on 06/12/2011 at 20:44:32.


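RogueKiller (post #3) and RKill (above) both killed the HP SimpleSave processes for one reason only: they run from a user's Application Data folder, which is the "SUSP PATH" heuristic. The real droppers in the Malwarebytes and SUPERAntiSpyware findings (posts #6 and #10) trip a stronger rule: csrss.exe in Temp, conhost.exe under Application Data\Microsoft and IEXPLORE.EXE in a RarSFX temp folder all carry core Windows names but live nowhere Windows would put them. The script below is an added example of that triage, not RogueKiller's, RKill's or Malwarebytes' code. The expected-location table, the allowlist entry and the two clean control paths are assumptions for a default Windows XP install; the other sample paths are taken from the logs above.

```python
"""Path-based triage of process image paths, in the spirit of the SUSP PATH
check in the RogueKiller report and the file findings in the Malwarebytes
logs above.  Added example, not code from RogueKiller, RKill or Malwarebytes;
the expected-location table, allowlist and clean control paths are
assumptions for a default Windows XP install."""
from __future__ import annotations

import ntpath
import re

# Directory (drive letter stripped) holding the genuine copy of each core
# Windows binary on XP.  conhost.exe has no valid home: it was introduced in
# Windows 7, so any conhost.exe on an XP box is foreign.
EXPECTED_HOME = {
    "smss.exe": {r"\windows\system32"},
    "csrss.exe": {r"\windows\system32"},
    "winlogon.exe": {r"\windows\system32"},
    "services.exe": {r"\windows\system32"},
    "lsass.exe": {r"\windows\system32"},
    "svchost.exe": {r"\windows\system32"},
    "explorer.exe": {r"\windows"},
    "iexplore.exe": {r"\program files\internet explorer"},
    "conhost.exe": set(),
}

# Operator-maintained allowlist of directory fragments.  Assumed entry, based
# on the HP SimpleSave backup tool the poster identified as legitimate.
ALLOWLIST = [r"\hp simplesave application"]

# Per-user and temp locations a stock install never runs system code from.
USER_WRITABLE = re.compile(
    r"\\documents and settings\\[^\\]+\\(application data|local settings|desktop|my documents)\\"
    r"|\\windows\\temp\\", re.I)

SEVERITY = {"masquerade": 3, "suspicious path": 2, "allowlisted": 1, "clean": 0}

# Constructed sample: paths from the RogueKiller report (#3), the Malwarebytes
# and SUPERAntiSpyware findings (#6, #10) and the RKill log (#13), plus two
# clean control paths that are assumed, not from the thread.
SAMPLE_PATHS = [
    r"c:\documents and settings\user\application data\hp simplesave application\uuactokensvc.exe",
    r"c:\documents and settings\User\local settings\temp\csrss.exe",
    r"c:\documents and settings\User\application data\microsoft\conhost.exe",
    r"C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RARSFX0\NIRD\IEXPLORE.EXE",
    r"C:\Documents and Settings\User\Local Settings\Application Data\cwq.exe",
    r"C:\Documents and Settings\User\Desktop\virus stuff\rkill.com",
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\internet explorer\iexplore.exe",
]


def triage(image_path: str) -> tuple[str, str]:
    """Classify one image path. Returns (verdict, reason)."""
    path = image_path.lower().replace("/", "\\")
    _drive, rest = ntpath.splitdrive(path)
    directory, name = ntpath.split(rest)
    # 1. Name check first: a core Windows name in the wrong place is the
    #    strongest signal, and an allowlisted directory does not excuse it.
    if name in EXPECTED_HOME:
        homes = EXPECTED_HOME[name]
        if not homes:
            return "masquerade", f"{name} does not exist on this Windows version"
        if directory not in homes:
            return "masquerade", f"{name} outside {sorted(homes)}"
        return "clean", "core binary in its expected directory"
    # 2. Known-good third-party software that happens to live in a profile.
    for fragment in ALLOWLIST:
        if fragment in directory:
            return "allowlisted", f"known software under ...{fragment}"
    # 3. Anything else running out of a user-writable location.
    if USER_WRITABLE.search(directory + "\\"):
        return "suspicious path", "executable in a user-writable directory"
    return "clean", "no rule matched"


def triage_all(paths: list[str]) -> list[tuple[str, str, str]]:
    """(verdict, reason, path) for every path, worst first."""
    rows = [(*triage(p), p) for p in paths]
    return sorted(rows, key=lambda r: -SEVERITY[r[0]])


if __name__ == "__main__":
    for verdict, reason, path in triage_all(SAMPLE_PATHS):
        print(f"{verdict:16} {reason:48} {path}")
```

The ordering is deliberate: the name check runs before the allowlist, so a csrss.exe dropped into the HP SimpleSave folder is still flagged, while an odd-looking but legitimate helper such as uUACTokenSvc.exe is demoted rather than killed. The rkill.com entry shows the limit of a pure path heuristic: the responder's own tools on the Desktop match it too, so a SUSP PATH line is a lead to read, not a verdict to act on.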

#14
June 12, 2011 at 19:40:10

Make sure the F:\ drive is connected.

Next, please download ComboFix:
http://download.bleepingcomputer.co...

Save to the Desktop, however, >rename< the file as you download it
(Do not download the file without renaming it! Use right click "Save Target/Link As") Rename the downloading file to >thecat.scr<
Double-click the renamed thecat.scr to run CF

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

On XP, install the >Recovery Console< if asked to do so.

When the scan completes, a text window with your log opens.
The CF log is also found at C:\ComboFix.txt

Please post the ComboFix log in your reply. If the forum limits the size of the information, you may need to post the info in two parts by doing one post after another.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#15
June 12, 2011 at 20:04:31

I already have ComboFix, but could not run it. It wants me to turn off my AVG antivirus, which I tried, but ComboFix still wouldn't run. I'll try and delete AVG.


#16
June 12, 2011 at 20:21:55

I could not turn off AVG !!
I could not delete AVG !!
When downloading Combofix, there's no "Save Target/Link As" option.
I can only "run", "save" or "cancel". If I click "save", I do get a "save as" window popup, but I can't rename the file.
I'm lost with this and getting very discouraged.


#17
June 12, 2011 at 21:24:14

Your frustration is understandable, but I have no doubt you will get through this. Hang in there!

My bad here. When you download CF, click the Save button
In the Save as prompt, under 'File name', use: thecat.scr
Then, press the Save button.

On AVG 2011 (If you have a different version, let us know.)
Open AVG Control Center by right-clicking on the AVG icon on the task bar.
Click: Open AVG User Interface.
On the Menu Bar, click on Tools, then click: Advanced Settings

In the screen that opens, scroll down to: Temporarily disable AVG protection
Click on it to highlight, and in the right hand pane, check the box for: Temporarily disable AVG protection
Click: Apply

In the next screen, select 60 minutes from the drop down menu
Click: Disable real time protection
Click OK.

To re-enable (later on), just check 'Enable' on the main GUI interface.
You may also need to click Fix (enable becomes Fix if all components do not start).

FAQ 3857: Disabling AVG 2011 temporarily:
http://www.avg.com/ww-en/faq?num=3857
AVG FAQ 3902: Disabling Specific AVG components:
http://www.avg.com/ww-en/faq?num=3902

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#18
June 12, 2011 at 22:25:55

Edited post #14

Disable AVG for 60 minutes. ComboFix takes a while.

Downloading files from RapidShare is no longer free. You can join for free, but, that doesn't do it for us.

Will try to find another place to share files, if not, do one post after another, if the forum limits the size of the information.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#19
June 13, 2011 at 05:43:57

If I save "Combofix.exe" as "thecat.scr", when I try to open it, it opens in Notebook.
An .scr file is an Autocad script file. I have Autocad installed on my computer, so the renamed file installed on my desktop has an icon with a large letter "A" on it.
When I click on it, it just opens in Notebook and reads as computer language.

I actually had AVG 9.0, but corrupted it last night trying to remove it. I downloaded version 2011 on top of it and got it to install. It seems to run fine.
I disabled it for 60 minutes and tried to run Combofix.exe, but it still wouldn't run because I had AVG installed.



#20
June 13, 2011 at 09:05:34

Can you run CF without renaming it, after temporarily disabling AVG?

AVG does not do much in the way of cooperating when scans are run. You might have to end up uninstalling it and using something else. Is AVG 2011 a free program? avast! (free) is good. That is what I run.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#21
June 13, 2011 at 09:21:11

CF will run without renaming, but stops when it encounters AVG even after disabling it. I have tried to remove AVG, but I get an error code that one of the files could not be removed and the operation aborts.
AVG is a free program, and I've used it for years.


#22
June 13, 2011 at 10:20:24

I got ComboFix to run, but it would take about 25 posts to put it up here because it's so huge. Is there another way for you to view it?


#23
June 13, 2011 at 10:26:23

Here is the beginning of the log:

ComboFix 11-06-13.01 - User 06/13/2011 12:47:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3263.2594 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\virus stuff\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\User\Application Data\19ridof.log
c:\documents and settings\User\Application Data\Adobe\plugs
c:\documents and settings\User\Application Data\Adobe\shed
c:\documents and settings\User\Local Settings\Application Data\{FC9B451D-088E-49F8-926A-195D0E4BF876}
c:\documents and settings\User\Local Settings\Application Data\{FC9B451D-088E-49F8-926A-195D0E4BF876}\chrome\content\_cfg.js
c:\documents and settings\User\Local Settings\Application Data\{FC9B451D-088E-49F8-926A-195D0E4BF876}\chrome\content\overlay.xul
c:\documents and settings\User\Local Settings\Application Data\{FC9B451D-088E-49F8-926A-195D0E4BF876}\install.rdf
c:\documents and settings\User\WINDOWS
C:\Install.exe
c:\program files\Shared
c:\webupdater\WebUpdater.exe
F:\autorun.inf
.
---- Previous Run -------
.
c:\documents and settings\User\Local Settings\Application Data\hkhgkr
c:\documents and settings\User\Local Settings\Application Data\hkhgkr\bbadsftav.exe
c:\windows\system32\tmp67.tmp
c:\windows\system32\tmp68.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MOUSEDRIVER
.
.
((((((((((((((((((((((((( Files Created from 2011-05-13 to 2011-06-13 )))))))))))))))))))))))))))))))
.
.



#24
June 13, 2011 at 10:27:25

Here is the end:

*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-10-14 17:56 194912 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 68856]
"Steam"="c:\program files\Steam\Steam.exe" [2010-12-27 1242448]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-22 16858112]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"ArcSoft MediaImpression Monitor"="c:\program files\Kodak\MediaImpression\ArcMonitor.exe" [2010-07-20 80384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2009-10-24 597792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-05-25 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
HP SimpleSave Monitor.lnk - c:\documents and settings\User\Application Data\HP SimpleSave Application\StartHelper.exe [2011-6-2 481176]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\avg\avg10\avgchsvx.exe /sync\0c:\progra~1\avg\avg10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-05-14 00:58 177472 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=
"c:\\Program Files\\Call of Duty\\CoDMP.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Soldier of Fortune II - Double Helix\\SoF2MP.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\User\\Start Menu\\My Documents\\My Music\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\homefront\\Binaries\\HOMEFRONT.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty black ops\\BlackOpsMP.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty black ops\\BlackOps.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1036:TCP"= 1036:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 12:56 AM 14336]
R2 BackupService;BackupService;c:\documents and settings\User\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [6/2/2011 9:09 PM 83512]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [10/24/2009 3:18 AM 360224]
R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [12/27/2010 11:43 AM 36224]
S2 gupdate1c98a52226b3a36;Google Update Service (gupdate1c98a52226b3a36);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2009 9:02 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2009 9:02 PM 133104]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [12/27/2010 11:43 AM 134912]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ArcRec
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
2011-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-09 01:02]
.
2011-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-09 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com/?p=us
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\download
Trusted Zone: microsoft.com\support
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
TCP: DhcpNameServer = 192.168.2.1
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\sffscc1p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - PageRage Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://ca.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - %profile%\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
pref(dom.disable_open_during_load, true);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.txt=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-avgrsstarter - avgrsstx.dll
Notify-TPSvc - TPSvc.dll
MSConfigStartUp-LanguageShortcut - c:\program files\CyberLink\PowerDVD\Language\Language.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-13 12:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-448539723-1682526488-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3f,7b,83,5e,b2,bb,dd,c4,ce,49,9c,e7,0d,6f,20,8b,b2,52,28,c1,a5,b7,a6,
e6,a1,dd,46,95,76,01,9c,d3,b8,a4,0c,af,4a,1a,2b,15,9b,d1,03,60,0c,fa,e3,11,\
"??"=hex:9a,db,c0,47,80,1e,59,9b,6b,e5,a3,14,2e,4a,a6,b3
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1084)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
c:\documents and settings\User\Application Data\HP SimpleSave Application\HPSSBackupMonitor.exe
.
**************************************************************************
.
Completion time: 2011-06-13 12:58:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-13 16:58
.
Pre-Run: 331,965,575,168 bytes free
Post-Run: 333,183,803,392 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7529286C170C6B4F7596F2CE8AE44214


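Reading the log above, the entries that bear on the "Google sends me to the wrong site" symptom are the Firefox search preferences (browser.search.defaulturl and keyword.URL pointing at search.conduit.com, browser.search.selectedEngine set to the PageRage toolbar's engine), the Security Center AntiVirusOverride and FirewallOverride values set to 1 (which silence the "your protection is off" balloon), and the firewall DisableNotifications flag. The Python script below is an added example for this thread, not a ComboFix feature and not something posted by the participants: it walks a ComboFix-style log and flags those entries, plus any Run entry that launches from the user profile. The sample log it runs on is constructed from the line formats visible above; the bbadsftav.exe Run entry in it is made up for the sample (the real log lists that file under "Previous Run", i.e. already removed).

```python
"""Flag the hijack indicators a reader would look for in a ComboFix-style log.

Added example for this thread; it is not a ComboFix feature. The line
formats it recognises are the ones visible in the log above: bracketed
registry section headers, "name"="path" Run entries, dword values, and
"FF - prefs.js:" lines. SAMPLE_LOG below is constructed from those
formats (the Run entry for bbadsftav.exe is made up for the sample).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. "hxxp" is the log's own defanging of "http".
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-10-14 17:56 194912 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 68856]
"bbadsftav"="c:\documents and settings\User\Local Settings\Application Data\hkhgkr\bbadsftav.exe" [2011-06-10 61440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
uStart Page = hxxp://ca.yahoo.com/?p=us
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - PageRage Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://ca.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&q=
"""

# Firefox prefs that decide where a typed search or address-bar keyword goes.
SEARCH_PREFS = {"browser.search.defaulturl", "browser.search.selectedEngine", "keyword.URL"}
# XP locations an ordinary user can write without admin rights. A Run entry
# launching from here is the usual footprint of rogue "antivirus" and search
# redirectors; legitimate software does it too, so it is rated "medium".
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")

RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
SC_OVERRIDE = re.compile(r'^"(?P<name>AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FW_NO_NOTIFY = re.compile(r'^"DisableNotifications"=\s*1\b')
FF_PREF = re.compile(r'^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.*)$')
URL_HOST = re.compile(r'^(?:hxxp|http)s?://(?P<host>[^/?#]+)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": disables protection or redirects traffic; "medium": review
    category: str
    detail: str


def url_host(value: str) -> Optional[str]:
    """Host part of a (possibly hxxp-defanged) URL, or None if it is not a URL."""
    m = URL_HOST.match(value.strip())
    return m.group("host").lower() if m else None


def scan_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = ""                      # lower-cased key of the current [..] block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section.endswith("\\security center"):
            m = SC_OVERRIDE.match(line)
            if m:
                findings.append(Finding("high", "security-center-override",
                                        f"{m.group('name')}=1 silences the 'protection is off' warning"))
        elif "\\firewallpolicy\\" in section and FW_NO_NOTIFY.match(line):
            findings.append(Finding("medium", "firewall-notifications-disabled", line))
        elif section.endswith("\\currentversion\\run"):
            m = RUN_ENTRY.match(line)
            if m and any(d in m.group("path").lower() for d in USER_WRITABLE):
                findings.append(Finding("medium", "autorun-from-profile",
                                        f"{m.group('name')} -> {m.group('path')}"))
        # Firefox lines sit outside any registry block, so check them regardless.
        m = FF_PREF.match(line)
        if m and m.group("pref") in SEARCH_PREFS:
            host = url_host(m.group("value"))
            findings.append(Finding("high", "search-provider-override",
                                    f"{m.group('pref')} -> {host or m.group('value')}"))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
```

Everything it reports is a lead to check, not a verdict: the posted log shows HP SimpleSave's helper also starting from Application Data, and the script would flag it the same way. The two "high" groups are the ones worth acting on directly: a search provider the user did not choose, and Security Center told to stop warning.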

#25
June 13, 2011 at 11:09:28

hemi43,

Please check your personal messages.

Edit: Disregard the above.

Try uploading to Windows Live SkyDrive:
http://explore.live.com/windows-liv...

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#26
June 13, 2011 at 11:35:26

^^^See edit above.^^^^

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#27
June 13, 2011 at 11:49:15

I've uploaded it to Skydrive, but have no idea as to how you will access it !!


#28
June 13, 2011 at 11:54:16

OK I think I got it !!

try this;

http://cid-d88d354e762b1ee3.skydriv...



#29
June 13, 2011 at 15:05:18

Yes!! Excellent. Now we know what to do with those huge logs.

Let me have some time to take a look at all that info.

Saw where CF deleted malware files, and that is good.

Google "Yamaha" once again. What happens?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#30
June 13, 2011 at 17:31:32

Google seems to be working properly now!! I must say that once in a while before it would take me to the right site.


#31
June 13, 2011 at 19:09:56

Glad the computer is running better!! ;-)

The CF log is showing a couple of malicious files that we need to get rid of.

Be sure to continue temporarily disabling your protective software (AVG).

Now, open Notepad (Start > Run, in the Open field type: notepad)
Click: OK

Copy/paste all the following text below to Notepad:

KillAll::
File::
c:\documents and settings\User\Application Data\yq5ys18ww.bat
c:\documents and settings\User\Application Data\vn1voy5tt.bat

Save as CFScript.txt
Change the Save as type to: All Files
Save it to the Desktop

(Both the ComboFix icon and the CFScript.txt are now on the Desktop.)

http://img.photobucket.com/albums/v...

Referring to the screenshot in the link above, left click and drag the CFScript.txt file over to the ComboFix icon. Then, 'drop' it over CF.

This triggers ComboFix to run another scan where it carries out the commands of CFScript.

CF may reboot when it finishes. This is normal.

Do not mouse-click ComboFix while it is running, as it may cause a stall!

When finished, a log is produced: ComboFix.txt

Please upload the contents of the new ComboFix.txt to Windows Live SkyDrive, and provide its web address in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


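The CFScript in the post above is a plain text file: a KillAll:: line, a File:: line, then one full path per line, saved as CFScript.txt and dropped onto ComboFix. Two things a practitioner adds to that routine are worth showing. First, once ComboFix deletes those .bat files there is no sample left to identify, so record a SHA-256 (or keep a copy) before the script runs. Second, because the script is line-oriented, a path pasted with a stray line break would become an extra line in the script, so paths should be checked before they are written. The Python below is an added example for this thread, not a ComboFix utility or anything the participants posted; it emits only the two directives shown above, and the hash record and path checks are this example's additions.

```python
"""Build a CFScript.txt like the one in the post above, recording a SHA-256
of each target first.

Added example for this thread, not a ComboFix utility. It emits only the
two directives shown above (KillAll:: and File::). The hash record and the
path checks are this example's additions: deleting a sample destroys the
only copy, so note its hash (or keep a copy) before the script runs.
"""
import hashlib
import os
from typing import Dict, Iterable, List


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths: Iterable[str]) -> Dict[str, str]:
    """Map each path to its SHA-256, or '' if it is not present right now."""
    return {p: (sha256_file(p) if os.path.isfile(p) else "") for p in paths}


def check_path(path: str) -> str:
    """Reject entries that would corrupt a line-oriented script."""
    path = path.strip()
    if "\r" in path or "\n" in path:
        raise ValueError(f"line break in path: {path!r}")
    # ComboFix expects full paths; a bare file name is almost certainly a typo.
    if len(path) < 4 or path[1] != ":" or path[2] != "\\":
        raise ValueError(f"not an absolute Windows path: {path!r}")
    return path


def build_cfscript(paths: Iterable[str], kill_all: bool = True) -> str:
    """Return the script text: optional KillAll::, then File:: and one path per line."""
    unique: List[str] = []
    seen = set()
    for p in paths:
        p = check_path(p)
        if p.lower() not in seen:        # Windows paths are case-insensitive
            seen.add(p.lower())
            unique.append(p)
    if not unique:
        raise ValueError("no files to list")
    lines = (["KillAll::"] if kill_all else []) + ["File::"] + unique
    return "\r\n".join(lines) + "\r\n"   # CRLF, as Notepad would write it


# The two files named in the post above.
TARGETS = [
    r"c:\documents and settings\User\Application Data\yq5ys18ww.bat",
    r"c:\documents and settings\User\Application Data\vn1voy5tt.bat",
]

if __name__ == "__main__":
    for path, digest in snapshot(TARGETS).items():
        print(digest or "(not present)", path)
    with open("CFScript.txt", "w", newline="") as fh:
        fh.write(build_cfscript(TARGETS))
```

Run it on the affected machine from the Desktop; it prints the hashes (or "(not present)" if a file is already gone) and writes CFScript.txt next to ComboFix, ready to be dragged onto it as described above.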

#32
June 13, 2011 at 20:56:49

OK ! Done

Since my last post, I had reinstalled AVG.
I tried to disable it for 15 minutes, but Combofix would still see it.
I have now deleted AVG, and will wait for your approval before reinstalling again.

http://cid-d88d354e762b1ee3.office....



#33
June 13, 2011 at 21:35:13

Good job, hemi43!!!

You can reinstall the AntiVirus program.

If your computer is operating correctly, uninstall ComboFix as follows:

Go to Start > Run, and in the 'Open' field type (or copy/paste): combofix /uninstall
Note there is a space between combofix and /uninstall.
Click: OK

A security warning appears asking if you are sure you want to run ComboFix.
Click on the Run button to start the program.
ComboFix will uninstall itself from your computer and remove any backups and quarantined files. When it has finished you will be greeted by a dialog box stating that ComboFix has been uninstalled.

You can now delete the ComboFix program icon from your Desktop, if still there.


Once you have used the computer and rebooted a few times to make sure everything is in working order, it is time to flush your System Restore Points, and start fresh. (Once you do this, you will not be able to go back to a point before today.)

To flush the XP System Restore Points.

Go to Start > Run and type: msconfig
Press: Enter.

When msconfig opens, click the 'Launch System Restore' button.
On the next page, click the 'System Restore Settings' link on the left.

In the next prompt, check the box labeled: 'Turn Off System Restore'

Reboot.

Go back into msconfig and Turn System Restore Back On.
A new Restore Point is created.


Good luck, hemi43!!!

If you have any other problems, do not hesitate to post!!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#34
June 14, 2011 at 13:48:05

I can't thank you enough aaflac44 !!
I reinstalled AVG and it found a fault called "C: windows/system32/tapi3y.dll"
It said the file was inaccessible, but when I did a full scan it didn't show up.
I have no idea where it came from, because we hardly used this computer.
Oh well, other than that, things seem to be running fine.
It's nice to know there's people like you out there helping out faceless people like myself. Thanks again!!
Dan


#35
June 14, 2011 at 14:58:47

Glad to help, hemi43.

On C:\windows/system32/tapi3y.dll, can you open Explorer (right click Start > Open Windows Explorer) and see if that file exists in C:\windows/system32/?

I am on a W7 Netbook right now, and it does have files by the name of tapi.dll, tapi3.dll and another by the name of tapi32.dll...wondering if XP has tapi3y.dll...hmmmm...

If you right click and look at the Properties of the file you have, it will give you some info.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#36
June 14, 2011 at 18:42:32

tapi3y.dll is not in explorer !!
tapi.dll is there, as well as tapi3.dll and tapi32.dll



#37
June 14, 2011 at 19:09:50

Are you getting an error message for that file?

Is AVG still alerting you to it? If so, what, exactly, does AVG say?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#38
June 15, 2011 at 10:37:15

No, I'm not getting any more error messages.
I'm almost afraid to surf the net now for fear of getting a virus.
I had a popup telling me to update "Java", which may be legit, but I just hit ctrl-alt-delete, and got rid of it. If it does in fact need updating, I'll go right to Java and get it myself.
Hopefully my kids don't click on stuff as they pop up !!
BTW; as of Friday, I'm also now retired !!


#39
June 15, 2011 at 14:15:53

Hey!! Welcome to the 'club': no boss, no money, on medicare, on social security ;-)


If you have older and vulnerable Java version(s) installed, you need to remove them and update to the latest version: Version 6 Update 26. This is important.
http://java.com/en/download/manual.jsp

There are also instructions on how to remove older versions:
http://java.com/en/download/faq/rem...

Make sure your AntiVirus is current, and do scans with Malwarebytes as often as you think it is necessary. (Every 15 minutes, if you have kids at home.)


As mentioned before, if you have any more malware problems, do not hesitate to post back.

Take care, and enjoy your retirement!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#40
June 15, 2011 at 15:37:03

I will check and update Java !!
Thanks again for your help.
