Google redirects, Virus Scan will not enable

Hewlett-packard / Dv2700
May 2, 2009 at 08:26:55
Specs: Windows VIsta
Please help me! My google search's redirect me to random pages, my McAfee on-access scanner will not enable, and my Dvd burner "is not recognized". Please help as soon as possible, I have exams coming up and need to use this computer. Thanks!

See More: Google redirects, Virus Scan will not enable

Report •


#1
May 3, 2009 at 15:02:31
Please post your Hijack This log and if you ran Malwarebytes click its icon on your desktop>click logs and post the log that was produced.

Report •

#2
May 3, 2009 at 15:15:10
Thank you soo much. Hopefully I can get this resolved by test time! I ran malware bytes two days ago and it found some files, which were quarantined and delted (dnschanger, etc.) I then deleted malware bytes. I reinstalled it just now and had to rename the .exes to get it to run. Here is the original log:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 6.0.6001 Service Pack 1

5/2/2009 2:00:19 PM
mbam-log-2009-05-02 (14-00-19).txt

Scan type: Quick Scan
Objects scanned: 66772
Time elapsed: 4 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.205,85.255.112.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4d1f90fd-229b-43c8-a740-6551034fb036}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.205,85.255.112.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dd10482-45eb-4d87-be4c-fbacfa939231}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.205,85.255.112.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dd10482-45eb-4d87-be4c-fbacfa939231}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.205,85.255.112.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.205,85.255.112.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4d1f90fd-229b-43c8-a740-6551034fb036}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.205,85.255.112.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7dd10482-45eb-4d87-be4c-fbacfa939231}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.205,85.255.112.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7dd10482-45eb-4d87-be4c-fbacfa939231}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.205,85.255.112.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.205,85.255.112.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{4d1f90fd-229b-43c8-a740-6551034fb036}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.205,85.255.112.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{7dd10482-45eb-4d87-be4c-fbacfa939231}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.205,85.255.112.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{7dd10482-45eb-4d87-be4c-fbacfa939231}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.205,85.255.112.202 -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DigitalLabs (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DigitalLabs (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DigitalLabs\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-8-18-100019098-100025157-100029011-2299.com (Trojan.Agent) -> Quarantined and deleted successfully.


I ran it again now and it says nothing malicious was found. If you need that log please let me know.


Report •

#3
May 3, 2009 at 15:15:49
Here is my most recent Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:38 PM, on 5/3/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\AIM6\aim6.exe
C:\Users\Mark\Program Files\DNA\btdna.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\tool.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Users\Mark\Desktop\toolb.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Mark\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite...
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JS...
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/f...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11938 bytes


Report •

Related Solutions

#4
May 3, 2009 at 15:42:04
Looks like you have some remnants from AVG that need to be removed.

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)


O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)

Exit Hiajck This.

Go to start> control panel> java> about to assure that you have the newest version 6 update13, if not click the update tab> update now.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename combofix.exe to toolb.exe> click save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline turn off your McAfee antivirus, Windows Defender and any other antispyware that you may have.( You may need to go online to find out how to turn off your version of McAfee.)
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.


Report •

#5
May 3, 2009 at 16:45:35
Thanks again. Virus Scan was able to enable after this. Here is my log, anything else I need to do?

ComboFix 09-05-02.4 - Mark 05/03/2009 19:21.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3062.2322 [GMT -4:00]
Running from: c:\users\Mark\Desktop\toolbig.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\system32\drivers\gxvxcsigctoqrmjstbyukwpswipeomimxrrpf.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxccpermpxtdshfremccnojgeuhxsipcttk.dll
c:\windows\system32\KBL.LOG
d:\recycler\S-1-8-18-100019098-100025157-100029011-2299.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-05-03 22:06 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-03 22:06 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 15:47 . 2008-06-24 17:45 1414440 ----a-w c:\windows\system32\ShellManager310E2D762.dll
2009-05-03 14:54 . 2009-05-03 14:54 -------- d-----w C:\SDFix
2009-05-03 00:19 . 2009-05-03 14:31 -------- d---a-w c:\programdata\TEMP
2009-05-03 00:19 . 2009-05-03 14:31 -------- d---a-w c:\users\All Users\TEMP
2009-05-02 23:44 . 2008-09-29 12:07 64432 ----a-w c:\windows\system32\drivers\mferkdet.sys
2009-05-02 23:44 . 2008-09-29 12:07 42424 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-05-02 23:44 . 2008-09-29 12:07 74648 ----a-w c:\windows\system32\drivers\mfeapfk.sys
2009-05-02 23:44 . 2008-09-29 12:07 90360 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-05-02 23:44 . 2008-09-29 12:07 62704 ----a-w c:\windows\system32\drivers\mfetdik.sys
2009-05-02 23:44 . 2008-09-29 12:07 340592 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-05-02 23:44 . 2008-09-29 12:07 67904 ----a-w c:\windows\system32\mfevtps.exe
2009-05-02 23:43 . 2009-05-02 23:43 -------- d-----w c:\program files\Common Files\McAfee
2009-05-02 17:55 . 2009-05-02 17:55 -------- d-----w c:\users\Mark\AppData\Roaming\Malwarebytes
2009-05-02 17:50 . 2009-05-02 17:50 -------- d-----w c:\programdata\Malwarebytes
2009-05-02 17:50 . 2009-05-02 17:50 -------- d-----w c:\users\All Users\Malwarebytes
2009-05-02 17:50 . 2009-05-03 22:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-01 22:40 . 2009-05-01 22:40 -------- d-----w c:\program files\Trend Micro
2009-05-01 21:08 . 2009-05-02 23:00 -------- d-----w C:\QUARANTINE
2009-05-01 20:33 . 2009-05-01 20:33 -------- d-----w C:\McAfee Anti-Spyware 8.7
2009-05-01 20:26 . 2009-05-01 20:26 -------- d-----w c:\program files\Common Files\Cisco Systems
2009-05-01 20:26 . 2009-05-02 23:44 -------- d-----w c:\programdata\McAfee
2009-05-01 20:26 . 2009-05-02 23:44 -------- d-----w c:\users\All Users\McAfee
2009-05-01 20:25 . 2009-05-02 23:43 -------- d-----w c:\program files\McAfee
2009-05-01 20:23 . 2009-05-01 20:24 -------- d-----w C:\McAfee VirusScan 8.7
2009-04-15 14:29 . 2009-03-03 04:40 827392 ----a-w c:\windows\system32\wininet.dll
2009-04-15 14:29 . 2009-03-03 02:28 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-04-15 14:29 . 2009-03-03 04:37 78336 ----a-w c:\windows\system32\ieencode.dll
2009-04-15 14:08 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-15 14:08 . 2008-06-06 03:27 562176 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-15 14:08 . 2008-06-06 03:27 38912 ----a-w c:\windows\system32\xolehlp.dll
2009-04-07 02:22 . 2009-04-07 02:22 -------- d-----w c:\program files\AC3Filter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 23:19 . 2006-11-02 13:01 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 15:49 . 2008-08-14 20:40 -------- d-----w c:\program files\Common Files\Nero
2009-05-02 21:56 . 2008-12-18 15:44 1356 ----a-w c:\users\Mark\AppData\Local\d3d9caps.dat
2009-05-02 14:09 . 2008-02-23 08:50 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-02 02:58 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstrng.dat
2009-05-02 02:58 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-05-02 02:58 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-05-01 21:57 . 2008-11-26 02:21 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-01 18:51 . 2008-02-23 10:24 -------- d-----w c:\program files\Java
2009-04-16 07:12 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-03-17 19:53 . 2008-10-18 19:36 538 ----a-w c:\users\Mark\AppData\Roaming\wklnhst.dat
2009-03-17 03:38 . 2009-04-15 14:19 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-15 14:19 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 14:19 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-13 13:15 . 2009-03-13 13:15 -------- d-----w c:\program files\Xvid
2009-03-13 03:13 . 2009-03-13 03:13 -------- d-----w c:\program files\BitTorrent
2009-03-13 03:13 . 2009-03-13 03:13 -------- d-----w c:\program files\DNA
2009-03-11 18:17 . 2009-03-11 18:16 -------- d-----w c:\program files\iTunes
2009-03-11 18:17 . 2009-03-11 18:17 -------- d-----w c:\program files\iPod
2009-03-11 18:16 . 2009-03-11 18:13 -------- d-----w c:\program files\Common Files\Apple
2009-03-11 18:16 . 2009-03-11 18:16 -------- d-----w c:\program files\Bonjour
2009-03-11 18:16 . 2009-01-29 02:20 -------- d-----w c:\program files\QuickTime
2009-03-11 18:14 . 2009-03-11 18:14 -------- d-----w c:\program files\Apple Software Update
2009-03-08 00:38 . 2009-03-08 00:38 -------- d-----w c:\program files\SP41959
2009-03-03 04:46 . 2009-04-15 14:19 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 14:19 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-15 14:19 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 14:19 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 14:19 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 14:19 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 14:19 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-15 14:19 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-15 14:19 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 14:19 17408 ----a-w c:\windows\system32\iashost.exe
2009-02-13 08:49 . 2009-04-15 14:19 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-15 14:19 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 14:16 2033152 ----a-w c:\windows\system32\win32k.sys
2009-02-03 18:51 . 2008-08-13 21:45 76960 ----a-w c:\users\Mark\AppData\Local\GDIPFONTCACHEV1.DAT
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-02 1783136]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-07-13 50480]
"BitTorrent DNA"="c:\users\Mark\Program Files\DNA\btdna.exe" [2009-03-13 321344]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-21 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-11 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-19 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-19 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-19 129560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-01 148888]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*WerKernelReporting"="c:\windows\SYSTEM32\WerFault.exe" [2008-01-21 217088]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{46406647-2382-4C5C-87AB-5BC87D3A28CF}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{6DA9DFEA-0AB2-459C-A646-158182C75152}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{8D404B90-DBB6-4C47-A835-44EFD4C04957}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{AC7D0598-8C3D-4E24-813A-E058A514B547}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B9BD04B8-8A4E-479F-9B66-3E6E74904126}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{CF346E64-6138-4C33-8090-6208B5A38FD8}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{04820B17-7658-4344-A5B7-C41D45EF2E66}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B4BE955E-960C-4B09-90A5-C11E55463523}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3233706A-074C-4F28-8665-1BC990A4551C}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2925D033-087C-4980-87A3-34529C2DA48F}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{9BD19807-9CF4-40F1-8907-5A89AF90676D}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{DC0E6A12-1252-4DF2-8E51-180281F1FF70}c:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= UDP:c:\program files\nero\nero8\nero home\nerohome.exe:Nero Home
"UDP Query User{9475B21C-1D49-4725-82A8-24B3472956FB}c:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= TCP:c:\program files\nero\nero8\nero home\nerohome.exe:Nero Home
"{10DE6B14-E283-4507-ACF6-FE05A2CFEBAC}"= Disabled:UDP:e:\setup\HPZnui01.exe:hpznui01.exe
"{6562BE49-DB06-40D7-9C24-34EDB32CC432}"= Disabled:TCP:e:\setup\HPZnui01.exe:hpznui01.exe
"{D03B6B1A-557B-47C6-9154-B6050E04840E}"= Disabled:UDP:e:\setup\hponicifs01.exe:hponicifs01.exe
"{5E00B9D5-4C0F-4CAF-A002-D77CF7867B4D}"= Disabled:TCP:e:\setup\hponicifs01.exe:hponicifs01.exe
"{0B2C71B5-7F18-483D-B5B0-ADC38D4D190B}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{02CC6A97-C075-4826-A629-5BBA8692BA7D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3F9DECA2-4A1C-41C5-9F65-E35B6BEFEB03}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{705C666F-9889-46AA-B40F-D77581BDDCD9}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F78E2D2D-2D42-4E30-9BAE-0243E345F4BB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{3017DA58-9103-47D6-AE67-57B55DDCAA94}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{43370B97-7267-4433-B3F9-4ECC41FF959C}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{87F425E3-75B2-42C5-AD3D-B26D4DE4D934}"= UDP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{DE370BCE-175A-4B8C-8963-1A01DAF776D3}"= TCP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (UDP-In)
"{C3C27B96-9F92-4B83-B9F3-93ADDA5C2C12}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{7268A1FC-5678-4FD2-9EDA-0C536E82088F}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{878AE6E4-0E92-4370-93BC-B7B6F742A7DD}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{93E8B44A-A8DE-488D-9316-BAD207E0C9C6}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2008-09-29 19456]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-08-29 3664384]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 19:28
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\[u]0[/u]000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\[u]0[/u]000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-03 19:30
ComboFix-quarantined-files.txt 2009-05-03 23:29

Pre-Run: 197,768,871,936 bytes free
Post-Run: 199,238,774,784 bytes free

228 --- E O F --- 2009-05-01 14:53


Report •

#6
May 3, 2009 at 16:54:03
Looks much better.

Go to this link and follow the directions to disable then re-enable Vista system restore.(at the bottom of the page)

Vista System Restore

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

This Kaspersky scan takes 3hrs. or more to run...you can run it later but needs to be run.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3.Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Report •

#7
May 3, 2009 at 18:42:21
I am running the Kasperksy scan right now. So far so good. Is there anything I should do after this assuming that nothing turns up? I don't know what time zone you are in and don't want to keep you up for the results of the test. Also, once again, thank you so much. I can't say enough how grateful I am. You saved me from some major hassle tomorrow.

Report •

#8
May 3, 2009 at 19:21:31
If nothing turns up do this:

Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep AFT Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenol of antispyware tools, you can download it from this link Spywareblaster

Just download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.


Report •

#9
May 3, 2009 at 20:56:39
Well, the scan finished with 2 infected items. here is the log: Thanks for any help on what to do from here

Sunday, May 3, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 04, 2009 02:32:35
Records in database: 2125275


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Files scanned 166209
Threat name 2
Infected objects 2
Suspicious objects 0
Duration of the scan 02:09:58

File name Threat name Threats count
C:\Qoobox\Quarantine\C\Windows\System32\gxvxccpermpxtdshfremccnojgeuhxsipcttk.dll.vir Infected: Trojan-Clicker.Win32.Small.aea 1

C:\Qoobox\Quarantine\D\RECYCLER\S-1-8-18-100019098-100025157-100029011-2299.com.vir Infected: Trojan-Spy.Win32.Agent.aojb 1

The selected area was scanned.


Report •

#10
May 4, 2009 at 03:50:56
Your computer appears to be clean.

Navigate to and delete this folder if found:

C:\Qoobox

It is the Combofix quarantine folder.


Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep AFT Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenol of antispyware tools, you can download it from this link Spywareblaster

Just download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

How is the computer operating?


Report •

#11
May 4, 2009 at 05:34:42
The computer seems to be running fine again. Thank you. The only problem is that when I attempt to uninstall HiJack This and Malware bytes from the add/remove programs it says that they are already unistalled. when I go to the folder in program files to try to delete them, it will not let me. Any advice? Thanks

Report •

#12
May 4, 2009 at 09:34:22
That is unusual but I have heard of it.

Click the Hijack This icon on your desktop to open Hijack This (if it is missing redownload it)> open the misc. tool section> open uninstall manager> select Hijack this> delete> select Malwarebytes> delete.

Exit Hijack This.

Navigate to and delete these folders:

C:\Program Files\Trend Micro

C:\Program Files\Malwarebytes' Anti-Spyware

Let me know if that worked.


Report •

#13
May 5, 2009 at 06:21:39
I am still not able to remove the malwarebytes folder. Everything deleted but mbamext.dll which it says I don't have permission to delete. Thanks again. Also, if I were using a public wi-fi network when I obtained the virus, is it safe to use that network again?

Report •

#14
May 5, 2009 at 14:35:41
Boot into safe mode and see if you can delete the file.

I have seen infected routers reinfect computers before, so it just depends on how well the system is secured. If your in doubt don't use it.


Report •


Ask Question