Help To Remove Antivirus Xp 2008, Etc

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Help To Remove Antivirus Xp 2008, Etc

Options

jeffmellinger View Member Profile	Jul 5 2008, 12:36 AM Post #16
Member Group: Members Posts: 20 Joined: 27-June 08 Member No.: 218,879	also, while running combofix, a file appeared on my desktop: [4]-Submit_2008-07-04@22.27.zip what is that? Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:34:32 PM, on 7/4/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe F:\Program Files\Lavasoft\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe C:\Program Files\DIGStream\digstream.exe C:\Program Files\ESPNRunTime\DIGServices.exe C:\Program Files\Write DVD!\saimon.exe F:\Program Files\Winamp\winampa.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe F:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 N3 - Netscape 7: # Mozilla User Preferences /* Do not edit this file. * * If you make changes to this file while the browser is running, * the changes will be overwritten when the browser exits. * * To make a manual change to preferences, you can visit the URL about:config * For more information, see http://www.mozilla.org/unix/customizing.html#prefs / user_pref("aim.session.firsttime", false); user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt"); user_pref("browser.download.dir", "D:\\downloads"); user_pref("browser.download.progressDnldDialog.keepAlive", false); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "www.google.com"); user_pref("browser.startup.homepage_override.mstone", N3 - Netscape 7: # Mozilla User Preferences / Do not edit this file. * * If you make changes to this file while the browser is running, * the changes will be overwritten when the browser exits. * * To make a manual change to preferences, you can visit the URL about:config * For more information, see http://www.mozilla.org/unix/customizing.html#prefs */ user_pref("aim.session.firsttime", false); user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt"); user_pref("browser.download.dir", "D:\\downloads"); user_pref("browser.download.progressDnldDialog.keepAlive", false); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "www.google.com"); user_pref("browser.startup.homepage_override.mstone", O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24 O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKCU\..\Run: [Wjqq] C:\WINDOWS\??stem\j?vaw.exe O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user') O4 - Startup: PowerReg Scheduler.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://H:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) - O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\aawservice.exe O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- End of file - 7697 bytes

Simon V. View Member Profile	Jul 5 2008, 05:11 AM Post #17
Senior Member Group: HJT Team Posts: 405 Joined: 26-September 07 Member No.: 159,255	Hi QUOTE also, while running combofix, a file appeared on my desktop: [4]-Submit_2008-07-04@22.27.zip what is that? I need you to upload that file, to this site > http://www.bleepingcomputer.com/submit-malware.php?channel=4 In the Link to topic where this file was requested: box, enter http://www.bleepingcomputer.com/forums/topic154529.html Click Browse..., navigate to [4]-Submit_2008-07-04@22.27.zip on your desktop, then click Open. Click Send File. You haven't installed an anti-virus program. Please do so (see instructions in my previous post), then post a new HijackThis log. -------------------- Simon V. So How Did I Get Infected In The First Place? Stand Up and Be Counted! My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

jeffmellinger View Member Profile	Jul 5 2008, 01:05 PM Post #18
Member Group: Members Posts: 20 Joined: 27-June 08 Member No.: 218,879	I installed Avira. It's running a scan right now. What should I do with everything when it's done? It's creating that Qoobox folder on my C: drive. I've set it to quarantine everything so how do I go about deleting it all when I'm done? Should I post a log for you to see first?

Simon V. View Member Profile	Jul 6 2008, 06:46 AM Post #19
Senior Member Group: HJT Team Posts: 405 Joined: 26-September 07 Member No.: 159,255	Hi To remove the items in Avira's quarantine, do the following - Open Avira AntiVir by double-clicking on the icon in the bottom right of your screen (next to your clock) Click on Administration in the left column, then click Quarantine. Select all the items in the list, and click Delete selected object(s) from quarantine (icon of a recycle bin). Please post a new HijackThis log in your next reply. -------------------- Simon V. So How Did I Get Infected In The First Place? Stand Up and Be Counted! My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

jeffmellinger View Member Profile	Jul 6 2008, 01:15 PM Post #20
Member Group: Members Posts: 20 Joined: 27-June 08 Member No.: 218,879	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:13:08 AM, on 7/6/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe F:\Program Files\Lavasoft\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe C:\Program Files\DIGStream\digstream.exe C:\Program Files\ESPNRunTime\DIGServices.exe C:\Program Files\Write DVD!\saimon.exe F:\Program Files\Winamp\winampa.exe C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe F:\Program Files\Trend Micro\HijackThis\HijackThis.exe c:\program files\aim6\anotify.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 N3 - Netscape 7: # Mozilla User Preferences /* Do not edit this file. * * If you make changes to this file while the browser is running, * the changes will be overwritten when the browser exits. * * To make a manual change to preferences, you can visit the URL about:config * For more information, see http://www.mozilla.org/unix/customizing.html#prefs / user_pref("aim.session.firsttime", false); user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt"); user_pref("browser.download.dir", "D:\\downloads"); user_pref("browser.download.progressDnldDialog.keepAlive", false); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "www.google.com"); user_pref("browser.startup.homepage_override.mstone", N3 - Netscape 7: # Mozilla User Preferences / Do not edit this file. * * If you make changes to this file while the browser is running, * the changes will be overwritten when the browser exits. * * To make a manual change to preferences, you can visit the URL about:config * For more information, see http://www.mozilla.org/unix/customizing.html#prefs */ user_pref("aim.session.firsttime", false); user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt"); user_pref("browser.download.dir", "D:\\downloads"); user_pref("browser.download.progressDnldDialog.keepAlive", false); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "www.google.com"); user_pref("browser.startup.homepage_override.mstone", O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24 O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKCU\..\Run: [Wjqq] C:\WINDOWS\??stem\j?vaw.exe O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user') O4 - Startup: PowerReg Scheduler.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://H:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) - O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\aawservice.exe O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- End of file - 8428 bytes

Simon V. View Member Profile	Jul 6 2008, 01:30 PM Post #21
Senior Member Group: HJT Team Posts: 405 Joined: 26-September 07 Member No.: 159,255	Hi Open HijackThis, perform a scan and put a check next to the following items (if present): O4 - HKCU\..\Run: [Wjqq] C:\WINDOWS\??stem\j?vaw.exe O4 - Startup: PowerReg Scheduler.exe Close all programs except HijackThis and click on Fix checked. _____________________ Please open Malwarebytes' Anti-Malware. Once the program has loaded, click on the Update tab, then click Check for Updates. If an update is found, it will download and install the latest version. Click on the Scanner tab, select Perform quick scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. Please save it to a convenient location. You can also access the log by doing the following: Click on the Malwarebytes' Anti-Malware icon to launch the program. Click on the Logs tab. Click on the log at the bottom of those listed to highlight it. Click Open. _____________________ Post the log from Malwarebytes' Anti-Malware and a new HijackThis log in your next reply. Also let me know how your computer is currently running. -------------------- Simon V. So How Did I Get Infected In The First Place? Stand Up and Be Counted! My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

jeffmellinger View Member Profile	Jul 8 2008, 01:41 AM Post #22
Member Group: Members Posts: 20 Joined: 27-June 08 Member No.: 218,879	should I delete those two files? Malwarebytes' Anti-Malware 1.19 Database version: 930 Windows 5.1.2600 Service Pack 2 11:39:39 PM 7/7/2008 mbam-log-7-7-2008 (23-39-36).txt Scan type: Full Scan (C:\\|D:\\|E:\\|F:\\|I:\\|) Objects scanned: 118752 Time elapsed: 55 minute(s), 12 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir (Adware.ClickSpring) -> No action taken. C:\System Volume Information\_restore{C232945B-5F22-47E7-9116-B88F46952712}\RP7\A0000799.exe (Rogue.AdvancedXPFixer) -> No action taken. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:41:09 PM, on 7/7/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe F:\Program Files\Lavasoft\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe C:\Program Files\DIGStream\digstream.exe C:\Program Files\ESPNRunTime\DIGServices.exe C:\Program Files\Write DVD!\saimon.exe F:\Program Files\Winamp\winampa.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\AIM6\aolsoftware.exe D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Mozilla Firefox\firefox.exe F:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 N3 - Netscape 7: # Mozilla User Preferences /* Do not edit this file. * * If you make changes to this file while the browser is running, * the changes will be overwritten when the browser exits. * * To make a manual change to preferences, you can visit the URL about:config * For more information, see http://www.mozilla.org/unix/customizing.html#prefs / user_pref("aim.session.firsttime", false); user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt"); user_pref("browser.download.dir", "D:\\downloads"); user_pref("browser.download.progressDnldDialog.keepAlive", false); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "www.google.com"); user_pref("browser.startup.homepage_override.mstone", N3 - Netscape 7: # Mozilla User Preferences / Do not edit this file. * * If you make changes to this file while the browser is running, * the changes will be overwritten when the browser exits. * * To make a manual change to preferences, you can visit the URL about:config * For more information, see http://www.mozilla.org/unix/customizing.html#prefs */ user_pref("aim.session.firsttime", false); user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt"); user_pref("browser.download.dir", "D:\\downloads"); user_pref("browser.download.progressDnldDialog.keepAlive", false); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "www.google.com"); user_pref("browser.startup.homepage_override.mstone", O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24 O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://H:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) - O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\aawservice.exe O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- End of file - 8322 bytes

Simon V. View Member Profile	Jul 8 2008, 10:54 AM Post #23
Senior Member Group: HJT Team Posts: 405 Joined: 26-September 07 Member No.: 159,255	Hi QUOTE should I delete those two files? No need for that... How is your computer running? -------------------- Simon V. So How Did I Get Infected In The First Place? Stand Up and Be Counted! My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

jeffmellinger View Member Profile	Jul 8 2008, 06:59 PM Post #24
Member Group: Members Posts: 20 Joined: 27-June 08 Member No.: 218,879	it seems to be running pretty smoothly. no more random IE pop ups or stupid "Anti virus" programs. But my start menu still has what look like shortcuts to Advanced XP fixer and Antivirus XP 2008. how do I get rid of those?

Simon V. View Member Profile	Jul 9 2008, 12:39 AM Post #25
Senior Member Group: HJT Team Posts: 405 Joined: 26-September 07 Member No.: 159,255	Hi QUOTE(jeffmellinger @ Jul 9 2008, 01:59 AM) it seems to be running pretty smoothly. no more random IE pop ups or stupid "Anti virus" programs. But my start menu still has what look like shortcuts to Advanced XP fixer and Antivirus XP 2008. how do I get rid of those? Please right-click on those shortcuts and press Delete. Answer Yes to the prompt, then empty your Recycle Bin. This post has been edited by Simon V.: Jul 9 2008, 12:40 AM -------------------- Simon V. So How Did I Get Infected In The First Place? Stand Up and Be Counted! My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

jeffmellinger View Member Profile	Jul 9 2008, 01:21 AM Post #26
Member Group: Members Posts: 20 Joined: 27-June 08 Member No.: 218,879	Done. anything else?

Simon V. View Member Profile	Jul 9 2008, 11:59 AM Post #27
Senior Member Group: HJT Team Posts: 405 Joined: 26-September 07 Member No.: 159,255	Hi Congratulations, your log looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future: Click Start then Run.... Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there) This will uninstall Combofix. Make your Internet Explorer More Secure From within Internet Explorer click on the Tools menu and then click on Options. Click once on the Security tab. Click once on the Internet icon so it becomes highlighted. Click once on the Custom Level button. Change the Download signed ActiveX controls to Prompt. Change the Download unsigned ActiveX controls to Disable. Change the Initialise and script ActiveX controls not marked as safe to Disable. Change the Installation of desktop items to Prompt. Change the Launching programs and files in an IFRAME to Prompt. Change the Navigate sub-frames across different domains to Prompt. When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Next press the Apply button and then the OK to exit the Internet Properties page. Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections. Here are a few (free) firewalls, please download and install one of them: Kerio Personall Firewall Comodo Free Firewall Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. Install WinPatrol - An excellent startup manager, notifies you if programs are added to startup, allows delayed startup, ... A must have! An installation guide can be found here: http://www.winpatrol.com/download.html Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial can be found here: http://www.bleepingcomputer.com/tutorials/tutorial49.html Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a weak, at least). Without regular updates you WILL NOT be protected when new malicious programs are released. You can also read this excellent article by TonyKlein: So how did I get infected in the first place? Follow this list and your potential for being infected again will reduce dramatically. -------------------- Simon V. So How Did I Get Infected In The First Place? Stand Up and Be Counted! My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

Simon V. View Member Profile	Jul 12 2008, 07:22 PM Post #28