Trojan reported removed by anti-spyware, yet

July 11, 2009 at 17:00:30
Specs: Windows XP, Athlon 64 X2 Dual/1 Gig
I have a virus or trojan that causes pop-up ads and system freezes, etc. Ad-Aware, PC Tools Spyware Doctor, and Panda Antivirus Pro have each claimed to find and remove Trojan.TDSS, but it's always there when I scan again. Sometimes I have to try to start up more than once before Windows comes up. At least once, it looks like the Panda Antivirus was turned off by the virus. I tried to scan my computer as this site suggests before posting this message, but the scan apparently would not run. A small window flashed too quickly for me to read after I clicked the Run button to start the scan.
Any help would be greatly appreciated.

July 11, 2009 at 17:09:08
It is also streaming audio to my computer from somewhere, which is not only annoying but also slows down my connection tremendously.

July 11, 2009 at 17:10:38

1) Run a full scan with SuperAntispyware. Fix what it detects and post the summary scan log.

2) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log and fix anything detected.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 11, 2009 at 17:27:47
I will do as you suggest. Since I posted, I found an error log on my desktop from the attempted Java runtime scan. It is as follows:
# An unexpected error has been detected by Java Runtime Environment:
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x038c6c71, pid=4172, tid=4400
# Java VM: Java HotSpot(TM) Client VM (10.0-b23 mixed mode, sharing windows-x86)
# Problematic frame:
# C [WMINative.dll+0x26c71]
# If you would like to submit a bug report, please visit:
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.

--------------- T H R E A D ---------------

Current thread (0x03398c00): JavaThread "Thread-10" [_thread_in_native, id=4400, stack(0x05500000,0x05550000)]

siginfo: ExceptionCode=0xc0000005, reading address 0x00000000

EAX=0x0554f988, EBX=0x26e7ce20, ECX=0x00105fb4, EDX=0x00000000
ESP=0x0554f8bc, EBP=0x0554f998, ESI=0x26e7ce20, EDI=0x03398c00
EIP=0x038c6c71, EFLAGS=0x00010246

Top of Stack: (sp=0x0554f8bc)
0x0554f8bc: 00105fb4 00000000 0554f988 00000000
0x0554f8cc: 00000000 00000000 00000000 03378190
0x0554f8dc: 0000002e 00000100 00000000 6d9075a3
0x0554f8ec: 049fa05c 03378160 6d9856b9 05452500
0x0554f8fc: 00000001 0554f994 03398c00 00000000
0x0554f90c: 0000000f 03308c10 049fa05c 65646f4d
0x0554f91c: 6d90006c 049fa05c 00000004 00000005
0x0554f92c: 0000000f 00105fb4 80041003 049fa434

Instructions: (pc=0x038c6c71)
0x038c6c61: 00 6a 00 8d 45 f0 50 6a 00 8b 4d 98 51 8b 55 cc
0x038c6c71: 8b 02 8b 4d cc 51 8b 50 10 ff d2 89 45 9c 83 7d

Stack: [0x05500000,0x05550000], sp=0x0554f8bc, free space=318k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [WMINative.dll+0x26c71]
v ~BufferBlob::Interpreter
v ~BufferBlob::Interpreter
v ~BufferBlob::StubRoutines (1)

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
v ~BufferBlob::Interpreter
v ~BufferBlob::Interpreter
v ~BufferBlob::StubRoutines (1)

--------------- P R O C E S S ---------------

Java Threads: ( => current thread )
0x03334400 JavaThread "TimerQueue" daemon [_thread_blocked, id=4132, stack(0x05550000,0x055a0000)]
=>0x03398c00 JavaThread "Thread-10" [_thread_in_native, id=4400, stack(0x05500000,0x05550000)]
0x039ef400 JavaThread "Image Fetcher 0" daemon [_thread_blocked, id=3900, stack(0x037f0000,0x03840000)]
0x04a00400 JavaThread "AWT-EventQueue-0" [_thread_in_native, id=5484, stack(0x054a0000,0x054f0000)]
0x049f7c00 JavaThread "TimerQueue" daemon [_thread_blocked, id=5588, stack(0x05400000,0x05450000)]
0x049de800 JavaThread "AWT-EventQueue-1" [_thread_blocked, id=5532, stack(0x053b0000,0x05400000)]
0x049de400 JavaThread "AWT-Shutdown" [_thread_blocked, id=5600, stack(0x05360000,0x053b0000)]
0x03ae8800 JavaThread "Keep-Alive-Timer" daemon [_thread_blocked, id=196, stack(0x03ef0000,0x03f40000)]
0x03909400 JavaThread "CacheCleanUpThread" daemon [_thread_blocked, id=5020, stack(0x03b50000,0x03ba0000)]
0x03908000 JavaThread "CacheMemoryCleanUpThread" [_thread_blocked, id=5056, stack(0x03b00000,0x03b50000)]
0x03379400 JavaThread "traceMsgQueueThread" daemon [_thread_blocked, id=4288, stack(0x03850000,0x038a0000)]
0x00fd6000 JavaThread "DestroyJavaVM" [_thread_blocked, id=4416, stack(0x01100000,0x01150000)]
0x03373800 JavaThread "Javaws Secure Thread" [_thread_blocked, id=4528, stack(0x037a0000,0x037f0000)]
0x03372400 JavaThread "AWT-Windows" daemon [_thread_in_native, id=6112, stack(0x03740000,0x03790000)]
0x0330d800 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=5580, stack(0x036a0000,0x036f0000)]
0x032ee400 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=4876, stack(0x035a0000,0x035f0000)]
0x032e8800 JavaThread "CompilerThread0" daemon [_thread_blocked, id=204, stack(0x03550000,0x035a0000)]
0x032e7400 JavaThread "Attach Listener" daemon [_thread_blocked, id=5080, stack(0x03500000,0x03550000)]
0x032e6400 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=4616, stack(0x034b0000,0x03500000)]
0x032de800 JavaThread "Finalizer" daemon [_thread_blocked, id=4860, stack(0x03460000,0x034b0000)]
0x032dd800 JavaThread "Reference Handler" daemon [_thread_blocked, id=4764, stack(0x03410000,0x03460000)]

Other Threads:
0x032dc800 VMThread [stack: 0x033c0000,0x03410000] [id=4748]
0x032f7c00 WatcherThread [stack: 0x035f0000,0x03640000] [id=4716]

VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

def new generation total 960K, used 892K [0x22af0000, 0x22bf0000, 0x22fd0000)
eden space 896K, 92% used [0x22af0000, 0x22bbf350, 0x22bd0000)
from space 64K, 100% used [0x22bd0000, 0x22be0000, 0x22be0000)
to space 64K, 0% used [0x22be0000, 0x22be0000, 0x22bf0000)
tenured generation total 4096K, used 3988K [0x22fd0000, 0x233d0000, 0x26af0000)
the space 4096K, 97% used [0x22fd0000, 0x233b53b0, 0x233b5400, 0x233d0000)
compacting perm gen total 12288K, used 4319K [0x26af0000, 0x276f0000, 0x2aaf0000)
the space 12288K, 35% used [0x26af0000, 0x26f27c68, 0x26f27e00, 0x276f0000)
ro space 8192K, 62% used [0x2aaf0000, 0x2aff2ba0, 0x2aff2c00, 0x2b2f0000)
rw space 12288K, 52% used [0x2b2f0000, 0x2b9388e0, 0x2b938a00, 0x2bef0000)

Dynamic libraries:
0x00400000 - 0x00423000 C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe
0x7c900000 - 0x7c9b2000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 - 0x7c8f6000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 - 0x77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 - 0x77f02000 C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 - 0x77ff1000 C:\WINDOWS\system32\Secur32.dll
0x7e410000 - 0x7e4a1000 C:\WINDOWS\system32\USER32.dll
0x77f10000 - 0x77f59000 C:\WINDOWS\system32\GDI32.dll
0x76390000 - 0x763ad000 C:\WINDOWS\system32\IMM32.DLL
0x50260000 - 0x502e5000 C:\WINDOWS\SYSTEM32\PAVSHOOK.DLL
0x50660000 - 0x5067d000 C:\WINDOWS\system32\systools.dll
0x77120000 - 0x771ab000 C:\WINDOWS\system32\oleaut32.dll
0x77c10000 - 0x77c68000 C:\WINDOWS\system32\msvcrt.dll
0x774e0000 - 0x7761d000 C:\WINDOWS\system32\ole32.dll
0x76080000 - 0x760e5000 C:\WINDOWS\system32\MSVCP60.dll
0x71ab0000 - 0x71ac7000 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 - 0x71aa8000 C:\WINDOWS\system32\WS2HELP.dll
0x77f60000 - 0x77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
0x76c90000 - 0x76cb8000 C:\WINDOWS\system32\imagehlp.dll
0x3d930000 - 0x3da16000 C:\WINDOWS\system32\WININET.dll
0x00e20000 - 0x00e29000 C:\WINDOWS\system32\Normaliz.dll
0x78130000 - 0x78261000 C:\WINDOWS\system32\urlmon.dll
0x3dfd0000 - 0x3e1b8000 C:\WINDOWS\system32\iertutil.dll
0x773d0000 - 0x774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x77a80000 - 0x77b15000 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 - 0x77b32000 C:\WINDOWS\system32\MSASN1.dll
0x76bf0000 - 0x76bfb000 C:\WINDOWS\system32\PSAPI.DLL
0x7c340000 - 0x7c396000 C:\Program Files\Java\jre1.6.0_07\bin\msvcr71.dll
0x6d7c0000 - 0x6da10000 C:\Program Files\Java\jre1.6.0_07\bin\client\jvm.dll
0x76b40000 - 0x76b6d000 C:\WINDOWS\system32\WINMM.dll
0x6d270000 - 0x6d278000 C:\Program Files\Java\jre1.6.0_07\bin\hpi.dll
0x6d770000 - 0x6d77c000 C:\Program Files\Java\jre1.6.0_07\bin\verify.dll
0x6d310000 - 0x6d32f000 C:\Program Files\Java\jre1.6.0_07\bin\java.dll
0x6d7b0000 - 0x6d7bf000 C:\Program Files\Java\jre1.6.0_07\bin\zip.dll
0x6d000000 - 0x6d12e000 C:\Program Files\Java\jre1.6.0_07\bin\awt.dll
0x73000000 - 0x73026000 C:\WINDOWS\system32\WINSPOOL.DRV
0x5ad70000 - 0x5ada8000 C:\WINDOWS\system32\uxtheme.dll
0x73760000 - 0x737ab000 C:\WINDOWS\system32\ddraw.dll
0x73bc0000 - 0x73bc6000 C:\WINDOWS\system32\DCIMAN32.dll
0x755c0000 - 0x755ee000 C:\WINDOWS\system32\msctfime.ime
0x6d1b0000 - 0x6d1c1000 C:\Program Files\Java\jre1.6.0_07\bin\deploy.dll
0x7c9c0000 - 0x7d1d7000 C:\WINDOWS\system32\SHELL32.dll
0x5d090000 - 0x5d12a000 C:\WINDOWS\system32\comctl32.dll
0x6d210000 - 0x6d263000 C:\Program Files\Java\jre1.6.0_07\bin\fontmanager.dll
0x76ee0000 - 0x76f1c000 C:\WINDOWS\system32\RASAPI32.dll
0x76e90000 - 0x76ea2000 C:\WINDOWS\system32\rasman.dll
0x5b860000 - 0x5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
0x76eb0000 - 0x76edf000 C:\WINDOWS\system32\TAPI32.dll
0x76e80000 - 0x76e8e000 C:\WINDOWS\system32\rtutils.dll
0x769c0000 - 0x76a74000 C:\WINDOWS\system32\USERENV.dll
0x722b0000 - 0x722b5000 C:\WINDOWS\system32\sensapi.dll
0x50200000 - 0x50219000 C:\WINDOWS\SYSTEM32\PavLspHook.DLL
0x41b60000 - 0x41b84000 C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavTrc.dll
0x77c00000 - 0x77c08000 C:\WINDOWS\system32\VERSION.dll
0x6d570000 - 0x6d583000 C:\Program Files\Java\jre1.6.0_07\bin\net.dll
0x77c70000 - 0x77c94000 C:\WINDOWS\system32\msv1_0.dll
0x76d60000 - 0x76d79000 C:\WINDOWS\system32\iphlpapi.dll
0x71a50000 - 0x71a8f000 C:\WINDOWS\System32\mswsock.dll
0x76f20000 - 0x76f47000 C:\WINDOWS\system32\DNSAPI.dll
0x76fb0000 - 0x76fb8000 C:\WINDOWS\System32\winrnr.dll
0x76f60000 - 0x76f8c000 C:\WINDOWS\system32\WLDAP32.dll
0x76fc0000 - 0x76fc6000 C:\WINDOWS\system32\rasadhlp.dll
0x6d750000 - 0x6d758000 C:\Program Files\Java\jre1.6.0_07\bin\sunmscapi.dll
0x68000000 - 0x68036000 C:\WINDOWS\system32\rsaenh.dll
0x662b0000 - 0x66308000 C:\WINDOWS\system32\hnetcfg.dll
0x71a90000 - 0x71a98000 C:\WINDOWS\System32\wshtcpip.dll
0x6d590000 - 0x6d599000 C:\Program Files\Java\jre1.6.0_07\bin\nio.dll
0x76fd0000 - 0x7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
0x77050000 - 0x77115000 C:\WINDOWS\system32\COMRes.dll
0x63380000 - 0x63434000 C:\WINDOWS\system32\jscript.dll
0x04da0000 - 0x05065000 C:\WINDOWS\system32\xpsp2res.dll
0x6d790000 - 0x6d7ad000 C:\Program Files\Java\jre1.6.0_07\bin\wsdetect.dll
0x7e720000 - 0x7e7d0000 C:\WINDOWS\system32\SXS.DLL
0x71ad0000 - 0x71ad9000 C:\WINDOWS\system32\wsock32.dll
0x038a0000 - 0x038d5000 C:\Documents and Settings\Gregory\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-44d1c173-n\WMINative.dll
0x74ef0000 - 0x74ef8000 C:\WINDOWS\system32\wbem\wbemprox.dll
0x75290000 - 0x752c7000 C:\WINDOWS\system32\wbem\wbemcomn.dll
0x74ed0000 - 0x74ede000 C:\WINDOWS\system32\wbem\wbemsvc.dll
0x75690000 - 0x75706000 C:\WINDOWS\system32\wbem\fastprox.dll
0x767a0000 - 0x767b3000 C:\WINDOWS\system32\NTDSAPI.dll

VM Arguments:
jvm_args: -Xbootclasspath/a:C:\Program Files\Java\jre1.6.0_07\lib\javaws.jar;C:\Program Files\Java\jre1.6.0_07\lib\deploy.jar\Program Files\Java\jre1.6.0_07\lib\security\javaws.policy -DtrustProxy=true -Xverify:remote -Djnlpx.home=C:\Program Files\Java\jre1.6.0_07\bin -Djnlpx.remove=true -Djnlpx.splashport=1353 -Djnlpx.jvm="C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe"
java_command: com.sun.javaws.Main C:\DOCUME~1\Gregory\LOCALS~1\Temp\javaws2
Launcher Type: SUN_STANDARD

Environment Variables:
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\
PATH=C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\QuickTime\QTSystem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Panda Security\Panda Antivirus Pro 2009\;;"C:\Program Files\Java\jre1.6.0_07\bin"
PROCESSOR_IDENTIFIER=x86 Family 15 Model 107 Stepping 2, AuthenticAMD

--------------- S Y S T E M ---------------

OS: Windows XP Build 2600 Service Pack 3

CPU:total 2 (2 cores per cpu, 1 threads per core) family 15 model 107 stepping 2, cmov, cx8, fxsr, mmx, sse, sse2, sse3, mmxext, 3dnow, 3dnowext

Memory: 4k page, physical 1047724k(309584k free), swap 2323764k(1304916k free)

vm_info: Java HotSpot(TM) Client VM (10.0-b23) for windows-x86 JRE (1.6.0_07-b06), built on Jun 10 2008 01:14:11 by "java_re" with MS VC++ 7.1

time: Sat Jul 11 17:46:56 2009
elapsed time: 9 seconds

I will get back to you after I have followed your instructions.

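The hs_err_pid log above already names the faulting module, but when triaging a crash on a machine suspected of infection an analyst wants to confirm that mapping independently and see where the module was loaded from. The Python below is an added example, not part of the thread or of any tool mentioned in it. It works on a constructed excerpt of the posted log (every address and path is copied from the log as posted, but only a handful of the "Dynamic libraries" rows are kept): it maps the faulting pc to the loaded-module table, checks the result against the JVM's own "Problematic frame" line, flags a read of address 0 as a NULL dereference, and lists native modules that were loaded from under the user's profile rather than from Program Files or the Windows directory.

```python
import re

# Constructed excerpt of the hs_err_pid log quoted in the post above.
# Addresses and paths are copied from that log; most module rows are omitted.
HS_ERR_EXCERPT = r"""# An unexpected error has been detected by Java Runtime Environment:
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x038c6c71, pid=4172, tid=4400
# Problematic frame:
# C [WMINative.dll+0x26c71]

siginfo: ExceptionCode=0xc0000005, reading address 0x00000000

EAX=0x0554f988, EBX=0x26e7ce20, ECX=0x00105fb4, EDX=0x00000000
EIP=0x038c6c71, EFLAGS=0x00010246

Dynamic libraries:
0x00400000 - 0x00423000 C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe
0x7c900000 - 0x7c9b2000 C:\WINDOWS\system32\ntdll.dll
0x50260000 - 0x502e5000 C:\WINDOWS\SYSTEM32\PAVSHOOK.DLL
0x6d7c0000 - 0x6da10000 C:\Program Files\Java\jre1.6.0_07\bin\client\jvm.dll
0x038a0000 - 0x038d5000 C:\Documents and Settings\Gregory\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-44d1c173-n\WMINative.dll
0x74ef0000 - 0x74ef8000 C:\WINDOWS\system32\wbem\wbemprox.dll

VM Arguments:
"""

# One row of the "Dynamic libraries" table: "0xBASE - 0xEND path"
MODULE_RE = re.compile(r"^0x([0-9a-f]+)\s*-\s*0x([0-9a-f]+)\s+(.+?)\s*$", re.I)


def parse_modules(log):
    """Return [(base, end, path)] from the 'Dynamic libraries:' section."""
    modules, in_section = [], False
    for line in log.splitlines():
        if line.startswith("Dynamic libraries:"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.strip():
            continue  # blank lines separate the table from the next section
        m = MODULE_RE.match(line)
        if not m:
            break  # first non-module line ends the table
        modules.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return modules


def parse_fault(log):
    """Pull the faulting pc, exception code, accessed address and reported frame."""
    pc = re.search(r"\bat pc=0x([0-9a-f]+)", log, re.I)
    code = re.search(r"ExceptionCode=0x([0-9a-f]+)", log, re.I)
    access = re.search(r"\b(reading|writing) address 0x([0-9a-f]+)", log, re.I)
    frame = re.search(r"^# C\s+\[([^\]+]+)\+0x([0-9a-f]+)\]", log, re.I | re.M)
    return {
        "pc": int(pc.group(1), 16) if pc else None,
        "exception_code": int(code.group(1), 16) if code else None,
        "access_kind": access.group(1).lower() if access else None,
        "access_addr": int(access.group(2), 16) if access else None,
        "reported_module": frame.group(1) if frame else None,
        "reported_offset": int(frame.group(2), 16) if frame else None,
    }


def locate(addr, modules):
    """Map an address to (path, offset) using the module load ranges."""
    for base, end, path in modules:
        if base <= addr < end:
            return path, addr - base
    return None, None


def profile_loaded(modules):
    """Native modules loaded from a user profile (a user-writable location)."""
    prefix = "c:\\documents and settings\\"
    return [p for _, _, p in modules if p.lower().startswith(prefix)]


def triage(log):
    """Summarise the crash: where it happened and whether the log is self-consistent."""
    modules = parse_modules(log)
    fault = parse_fault(log)
    path, offset = locate(fault["pc"], modules)
    name = path.rsplit("\\", 1)[-1] if path else None
    return {
        "exception_code": fault["exception_code"],
        "pc": fault["pc"],
        "module": name,
        "module_path": path,
        "offset": offset,
        # The JVM's own "Problematic frame" line should agree with our mapping.
        "matches_reported_frame": (name == fault["reported_module"]
                                   and offset == fault["reported_offset"]),
        # c0000005 with an access to address 0 is a NULL dereference.
        "null_deref": fault["access_addr"] == 0,
        "profile_loaded": profile_loaded(modules),
    }


if __name__ == "__main__":
    for key, value in triage(HS_ERR_EXCERPT).items():
        print(f"{key}: {value}")
```

Two details in the posted log agree with what this script reports: the first two instruction bytes at pc (`8b 02`) are `mov eax, [edx]`, and EDX is 0x00000000, so the access violation is a plain NULL read inside WMINative.dll, not a corrupted pointer. The DLL itself was loaded from the Java Web Start cache under the user's profile, which is worth noting in triage because it is a user-writable path; the crash log alone does not say whether that file is legitimate, which is exactly why the helper later asks for rootkit and quarantine logs rather than relying on it.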

July 11, 2009 at 17:46:59
SuperAntiSpyware won't run. Almost immediately after you try to start the application, it puts up the dialog box that says it ran into a problem and needs to close with an offer to send a report to Microsoft.

Should I go ahead with the Malwarebytes Antimalware?

July 11, 2009 at 18:11:41
Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, try renaming the file avz.exe to something else and running it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

ExecuteAVUpdateEx( '', 1, '','','');

Paste the script into the execution window using the CTRL+V keyboard shortcut, or the "paste" option via the right-click menu. Click on Run to run the script; the PC will reboot. After the reboot, the LOG subfolder is created in the folder with AVZ, with a file called inside. Upload that file to and paste the link here.

Image Tutorial

2) Download and run DDS, which will create a pseudo HJT report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs:

   1. DDS.txt
   2. Attach.txt

Upload the logs to and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 11, 2009 at 21:02:24
I'm sorry. Before I saw your response number 5, I discovered that there was "SuperAntiSpyware Alternate Start" available from my start menu. That alternate start worked, and I was able to start SuperAntiSpyware, update its database, and run a scan. Per your instructions, I fixed what it detected. Here is the log.

SUPERAntiSpyware Scan Log

Generated 10/27/2008 at 11:30 AM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 00:55:04

Memory items scanned : 350
Memory threats detected : 0
Registry items scanned : 5770
Registry threats detected : 0
File items scanned : 31235
File threats detected : 125

Adware.Tracking Cookie
C:\Documents and Settings\Gregory\Cookies\gregory@adv.webmd[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@www.elitedeals[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@americafirstcreditunion.122.2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@citi.bridgetrack[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@realmedia[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@stats.lotsahelpinghands[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@cbs.112.2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@sonycorporate.122.2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ads.bridgetrack[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@bravenet[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@roiservice[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@countyfairgrounds[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@www3.addfreestats[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@247realmedia[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@msnportal.112.2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@e-2dj6wjlocndzalo.stats.esomniture[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@honoluluadvertiser[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ad2.adnetinteractive[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@revsci[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@casalemedia[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@trafficmp[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@register.uclick[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@adopt.euroclick[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@serving-sys[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@burstnet[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ad.yieldmanager[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@data3.perf.overture[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@tribalfusion[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@upspiral[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@microsofteup.112.2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@www.cachecounty[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@insightexpressai[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@adknowledge[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@counter2.hitslink[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@publishers.clickbooth[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@vhost.oddcast[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@adopt.specificclick[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@bilbo.counted[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ads.belointeractive[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@server.iad.liveperson[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@www.burstbeacon[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@media.adrevolver[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@m1.webstats4u[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@entrepreneur.122.2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@www.astrology-insight[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@fastclick[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@stat.dealtime[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@www.findarticles[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@tacoda[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@123count[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@advertising[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@microsoftwga.112.2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@data2.perf.overture[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@countomat[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ads.pointroll[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@bizrate[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@nextag[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@usatoday1.112.2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@coolsavings[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@zedo[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@banner[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@adviva[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@statse.webtrendslive[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ehg-aviatechllc.hitbox[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@app.insightgrit[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@statcounter[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ehg-knightridder.hitbox[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@banners.dragonfable[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ehg-viacom.hitbox[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@mdnh.112.2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@lyricsfind[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@eas.apm.emediate[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@cgi-bin[4].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ads.realtechnetwork[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@S120865[2].txt
C:\Documents and Settings\Gregory\Cookies\[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@taconycorporation.122.2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@adinterax[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ehg-looksmart.hitbox[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@adlegend[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@edge.ru4[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@specificmedia[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@findarticles[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@a.websponsors[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@specificclick[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@leeenterprises.112.2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@stat.onestat[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@nextstat[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@dealtime[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ehg-foxsports.hitbox[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@media.adrevolver[3].txt
C:\Documents and Settings\Gregory\Cookies\gregory@adrevolver[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@qnsr[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@cgi-bin[5].txt
C:\Documents and Settings\Gregory\Cookies\gregory@bs.serving-sys[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@centralmediaserver[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@doubleclick[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@counter.surfcounters[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ads.cnn[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@icc.intellisrv[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@www.findagrave[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@reunioncom.112.2o7[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@findagrave[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@m1.webstats.motigo[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ads.multimania.lycos[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@questionmarket[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@findlinks[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@collective-media[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@www.googleadservices[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@apmebf[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ehg-foxmovies.hitbox[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@www.burstnet[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@bluestreak[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ecomadserver[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@tripod[2].txt
C:\Documents and Settings\Gregory\Cookies\gregory@server.cpmstar[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@dmtracker[1].txt
C:\Documents and Settings\Gregory\Cookies\[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@banners.battleon[1].txt
C:\Documents and Settings\Gregory\Cookies\[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@ads.revsci[1].txt
C:\Documents and Settings\Gregory\Cookies\gregory@findlinks.addresses[2].txt [ C:\Documents and Settings\Gregory\Application Data\Mozilla\Firefox\Profiles\zhg2gj0d.default\cookies.txt ] [ C:\Documents and Settings\Gregory\Application Data\Mozilla\Firefox\Profiles\zhg2gj0d.default\cookies.txt ] [ C:\Documents and Settings\Gregory\Application Data\Mozilla\Firefox\Profiles\zhg2gj0d.default\cookies.txt ] [ C:\Documents and Settings\Gregory\Application Data\Mozilla\Firefox\Profiles\zhg2gj0d.default\cookies.txt ] [ C:\Documents and Settings\Gregory\Application Data\Mozilla\Firefox\Profiles\zhg2gj0d.default\cookies.txt ] [ C:\Documents and Settings\Gregory\Application Data\Mozilla\Firefox\Profiles\zhg2gj0d.default\cookies.txt ] [ C:\Documents and Settings\Gregory\Application Data\Mozilla\Firefox\Profiles\zhg2gj0d.default\cookies.txt ] [ C:\Documents and Settings\Gregory\Application Data\Mozilla\Firefox\Profiles\zhg2gj0d.default\cookies.txt ]


Though the date at the top of the log is not today's date, this scan was run this evening.

Now that I have you up to date on my unauthorized adventures, I will wait for further instruction. In light of what I submitted in this posting, should I still follow your instructions from Response Number 5 above? I will do nothing until you have had time to reply to this. Thanks for your patience.

July 11, 2009 at 21:04:20
Oh, I should also tell you that I am still experiencing most of the symptoms at this point, the main ones being system freezes and the need to reset multiple times before Windows comes up properly.

July 11, 2009 at 21:09:25
Follow: Response Number 5

If I'm helping you and I don't reply within 24 hours send me a PM.

July 13, 2009 at 19:12:39
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

SearchRootkit(true, true);
QuarantineFile('C:\Documents and Settings\Gregory\Application Data\cft\cft.exe','');

2) After the reboot, execute the following script in AVZ:


A file called should be created in C:\. Upload that file to and Private message me download link.

3) Attach a Combofix log, please review and follow these instructions carefully.

Download it here ->

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to and paste the link here.

4) Please zip up C:\qoobox\quarantine and upload it, to a filehost such as Then, Private Message me the Download links to the uploaded files.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 14, 2009 at 06:52:02
Uninstall Combofix by: pause Antivirus/Spyware programs (Programs to disable) > Start > Run > type combofix /u > OK.

Then Follow:

1) Run a full scan with

# Check the box next to YES, I accept the Terms of Use.
# Click Start
# When asked, allow the activex control to be installed.
# Click Start
# Check below options:

    * Remove found threats
    * Scan archives
    * Scan for potentially unwanted applications (Advanced Settings).
    * Enable Anti-Stealth technology (Advanced Settings).

# Click Scan
# Wait for the scan to finish
# When it finishes it will create a log file here: C:\Program Files\ESET\ESET Online Scanner\log.txt
# Attach this logfile to your next message.

Illustrated tutorial:

If I'm helping you and I don't reply within 24 hours send me a PM.

July 14, 2009 at 18:21:46
Here is the log from the online scan:

July 14, 2009 at 18:39:10
The original problem is not completely fixed. So far, the system freezes are gone (so far as I know - it has not really been that long), and it boots up on the first try now. But I still get unsolicited popup ads, especially within about 30 seconds or less of starting up Firefox.

July 14, 2009 at 18:42:59
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #1

1) Ensure all Firefox windows are closed.

2) To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).

3) When prompted to run the scan, click Yes.

4) GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

If I'm helping you and I don't reply within 24 hours send me a PM.

July 14, 2009 at 18:51:15
GooredFix by jpshortstuff (12.07.09)
Log created at 19:49 on 14/07/2009 (Gregory)
Firefox version 3.0.11 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [02:56 09/01/2006]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [17:47 15/12/2007]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [08:57 16/10/2008]

July 14, 2009 at 19:02:05
Redo Response Number 2 and post a new set of logs.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 14, 2009 at 21:18:57
New logs from repeat of step 2:

July 14, 2009 at 21:23:59
Still getting unsolicited popup ads? If so:

Download and run Kaspersky AVP tool in safe mode:
Once you download and start the tool in safe mode:

# Check below options:

    * Select all the objects/places to be scanned. 

# Click Scan
# Fix what it detects
# Zip/Rar Scan log/Summary and upload it to Post download link in your next message.

Illustrated tutorial:

If I'm helping you and I don't reply within 24 hours send me a PM.

July 16, 2009 at 17:11:24
Finished scan today. It found and removed 3 instances of something called 'not-a-virus', all in one installer file that we had downloaded. When I quit the AVP tool, it prompted me as to whether I wanted to let it completely uninstall itself. I foolishly okayed that suggestion, and so lost the log from the scan. We have not used the computer enough since then to know whether the problem is fixed, but I suspect it may be okay now. I will post again if I notice any more symptoms or have any more questions.

I want to thank you very much - it looks as if you have saved us.

July 16, 2009 at 18:38:18
Well, it appears there is still some sort of a problem. No more popups so far. But the system sort of hung up. The arrow cursor still moved, but clicking and double-clicking on desktop icons had no effect. I could not get any results by clicking on the task bar or start menu either. This did not clear until I pushed the reset button on the computer.

July 16, 2009 at 18:47:35
Run a complete scan with: also download CCleaner and run its registry cleaner.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 17, 2009 at 06:25:27
Malwarebytes' Anti-Malware 1.39
Database version: 2450
Windows 5.1.2600 Service Pack 3

7/17/2009 7:19:51 AM
mbam-log-2009-07-17 (07-19-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 193134
Time elapsed: 46 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SUPERAntiSpyware Scan Log

Generated 07/17/2009 at 04:25 AM

Application Version : 4.26.1006

Core Rules Database Version : 4001
Trace Rules Database Version: 1941

Scan type : Complete Scan
Total Scan Time : 00:24:51

Memory items scanned : 459
Memory threats detected : 0
Registry items scanned : 5950
Registry threats detected : 0
File items scanned : 24554
File threats detected : 0

July 17, 2009 at 06:35:56
I don't know whether this helps with diagnosis or not, but my CD/DVD writing software, Nero, won't burn a disk. When I select that option, it goes to the dialog box to create a disk image on my hard drive. Also, file compression takes much longer than it should.

July 17, 2009 at 06:36:12
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before; your computer will reboot:

begin
  SearchRootkit(true, true);   // look for rootkit hooks before touching the file
  QuarantineFile('C:\Program Files\Mozilla Firefox\components\WWShow.dll','');   // keep a copy for analysis
  DeleteFile('C:\Program Files\Mozilla Firefox\components\WWShow.dll');   // then remove it
end.

2) After the reboot, execute the following script in AVZ:


A file called should be created in C:\. Upload that file to and private message me the download link.

Follow these steps in the order numbered:

1) Download GMER:
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log, upload it, and post the download link to the uploaded file in your reply.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.

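Two of the findings above are worth re-checking by hand on the box rather than trusting a single scanner's verdict: the Malwarebytes log shows HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify set to 1 (which silences the "your antivirus is off" balloon, matching the earlier report that Panda had been switched off), and the AVZ script removes a DLL that was dropped into Firefox's components\ directory. The PowerShell script below is an added example, not part of this thread and not code from Malwarebytes, AVZ or GMER. It assumes Windows XP SP2+/Vista with PowerShell installed and run as Administrator, and Firefox under the default %ProgramFiles%\Mozilla Firefox path. The "odd timestamp" test in part 2 is my own heuristic (Mozilla's own component DLLs all carry the build's write time, so a file written at a different time was added afterwards); the Authenticode signer is printed for information only.

```powershell
# Added triage script; not from the thread or from MBAM/AVZ/GMER.
# Assumptions: Windows XP SP2+/Vista with PowerShell installed, run as Administrator,
# Firefox under the default %ProgramFiles%\Mozilla Firefox path.

# --- 1. Security Center values that suppress "AV/firewall is off" warnings -------------
# MBAM flagged AntiVirusDisableNotify = 1 (the default is 0). The sibling values are
# checked as well, since malware that flips one usually flips the others.
$scKey   = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$watched = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
           'AntiVirusOverride', 'FirewallOverride'

if (Test-Path $scKey) {
    $sc = Get-ItemProperty -Path $scKey
    foreach ($name in $watched) {
        $val = $sc.$name
        if ($val -eq $null) { continue }                    # value absent on this build
        if ($val -ne 0) {
            Write-Host ("[!] {0} = {1} (expected 0: Security Center warning suppressed)" -f $name, $val)
            # Restore the default only after the infection is cleaned, or it will just be flipped back:
            # Set-ItemProperty -Path $scKey -Name $name -Value 0 -Type DWord
        } else {
            Write-Host ("[ok] {0} = 0" -f $name)
        }
    }
} else {
    Write-Host '[?] Security Center key not found'
}

# --- 2. Firefox components\ audit ------------------------------------------------------
# AVZ quarantined components\WWShow.dll. Mozilla's own component DLLs carry the build's
# write time, so a DLL with a different timestamp is the one to look at (heuristic, not proof).
$ffComponents = Join-Path $env:ProgramFiles 'Mozilla Firefox\components'
if (Test-Path $ffComponents) {
    $dlls = @(Get-ChildItem -Path $ffComponents -Filter '*.dll')

    # Most common write time (to the minute) is taken as the build timestamp
    $buckets = @{}
    foreach ($d in $dlls) {
        $k = $d.LastWriteTime.ToString('yyyy-MM-dd HH:mm')
        $buckets[$k] = 1 + [int]$buckets[$k]
    }
    $buildStamp = ($buckets.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 1).Key

    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    foreach ($d in $dlls) {
        $stamp  = $d.LastWriteTime.ToString('yyyy-MM-dd HH:mm')
        $stream = $d.OpenRead()
        try     { $hash = [BitConverter]::ToString($sha1.ComputeHash($stream)).Replace('-', '') }
        finally { $stream.Close() }
        $sig    = Get-AuthenticodeSignature -FilePath $d.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $flag   = if ($stamp -ne $buildStamp) { '[!]' } else { '[ok]' }
        Write-Host ("{0} {1,-28} {2} {3} {4}" -f $flag, $d.Name, $stamp, $hash, $signer)
    }
} else {
    Write-Host "[?] $ffComponents not found"
}
```

Run it before and after the AVZ/GMER steps: a `[!]` line in part 1 that comes back after you reset the value means something is still resident and re-applying it, and the SHA1 printed for any `[!]` DLL in part 2 is what to submit to a multi-engine scanner rather than the file name, which the malware can change freely.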

July 17, 2009 at 11:09:56
Regarding the AVZ part of response 25, AVZ reported successfully completing both scripts, but was empty.

July 17, 2009 at 11:20:37
Complete GMER and redo Response Number 5.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 17, 2009 at 18:27:25
Are you getting popups only in the Firefox browser, or in IE as well? Redo Response Number 5, Step 1; make sure the web browsers you use are open in the background before making the log. You might also want to scan your D drive for viruses.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 17, 2009 at 18:39:40

This time it was run with both browsers open. I have only seen the pop-ups in firefox. Also, I have not seen any pop-ups lately (for the last day or so.) I think we have solved that part of the problem. However, the system still gets sluggish, to the point where it is non-responsive after about an hour and needs to be rebooted.

July 17, 2009 at 18:41:04
Also, drive D is my DVD drive, and currently has no disk in it.

July 17, 2009 at 18:44:03
Seems all the problems are fixed. Download CCleaner and run its registry and temp cleaner.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 17, 2009 at 19:19:47
Thanks for the help, this has been a life saver. I now have three questions:
1. My Nero DVD/CD burner software quit working - I thought because of my infection. It will create a disk image on the hard drive but will not burn a disk. Should I uninstall and reinstall it?
2. This leads to the next question- Not being able to back up to CDs or DVDs, I backed up some photos, mail archives, and word files and the like to two USB thumb drives, which I fear may now be infected. Is there a way to clean these thumb drives and make them safe? I do not necessarily need the data on them since we saved my system.
3. Lastly, do you recommend any of the scanning products we have used as long-term protection - to help prevent future infections?

Once again, thanks for all your help. I am very grateful.
Harold Gregory

July 17, 2009 at 19:34:33
Yes, reinstall Nero. For questions 2 and 3: install a Kaspersky/Norton/McAfee/ESET/BitDefender internet security suite and scan your USB drives with it.

If I'm helping you and I don't reply within 24 hours send me a PM.

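The thumb-drive question deserves more than "scan it", because removable media of this period were usually seeded with an autorun.inf plus a hidden executable that AutoRun launched on the next machine they were plugged into. The PowerShell script below is an added example (not from the thread, and not what the helper recommended) that makes that pattern visible before the drives are trusted again. It assumes Windows XP/Vista with PowerShell installed and run as Administrator, the thumb drives plugged in, and that `NoDriveTypeAutoRun = 0xFF` under the Explorer policies key is the setting that turns AutoRun off for every drive type.

```powershell
# Added removable-drive audit; not part of the thread.
# Assumptions: Windows XP/Vista with PowerShell installed, run as Administrator,
# suspect thumb drives plugged in (WMI DriveType 2 = removable).

# Extensions an autorun worm typically drops; .lnk covers shortcut-based launchers.
$execExt = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.lnk'

$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'
    Write-Host ("=== {0} ({1})" -f $root, $disk.VolumeName)

    # 1. autorun.inf: print it so the open= / shellexecute= target is visible
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path $autorun) {
        Write-Host '[!] autorun.inf present:'
        Get-Content -Path $autorun -Force | ForEach-Object { Write-Host ('    ' + $_) }
    }

    # 2. executables anywhere on the drive; -Force includes hidden/system items,
    #    which is exactly where a dropper hides
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $execExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $hidden = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            $system = ($_.Attributes -band [IO.FileAttributes]::System) -ne 0
            $flag   = if ($hidden -or $system) { '[!]' } else { '[ ]' }
            Write-Host ("{0} {1,-50} {2,9} bytes  {3:yyyy-MM-dd HH:mm}  attrs={4}" -f `
                $flag, $_.FullName, $_.Length, $_.LastWriteTime, $_.Attributes)
        }
}

# 3. Is AutoRun disabled for all drive types on this machine?
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ndt = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($ndt -eq 0xFF) {
    Write-Host '[ok] NoDriveTypeAutoRun = 0xFF (AutoRun off for all drives)'
} else {
    Write-Host ("[!] NoDriveTypeAutoRun = {0}; set it to 0xFF so autorun.inf is never acted on" -f $ndt)
    # Set-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}
```

Anything reported as `[!]` that you did not put there yourself is the thing to delete (or hash and submit) before an AV scan declares the drive clean; since the original poster does not need the data on these drives, a full format is the simpler and more certain option, and part 3 is worth fixing on the PC regardless so the next unknown drive cannot launch anything on insertion.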
