BleepingComputer.com: XP security center virus and redirects

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 14:56:25 on 2011-12-15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.367.47 [GMT -5:00]
.
AV: Anti-Virus - Verizon Yahoo! Online Protection *Enabled/Outdated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\COMMON~1\AOL\114779~1\EE\AOLHOS~1.EXE
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Documents and Settings\Owner\Local Settings\Application Data\qin.exe
C:\PROGRA~1\COMMON~1\AOL\114779~1\EE\AOLServiceHost.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3508
uStart Page = hxxp://frontier.my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3508
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Regscan] c:\windows\system32\regscan.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [HostManager] c:\program files\common files\aol\1147794822\ee\AOLHostManager.exe
mRun: [CaAvTray] "c:\program files\yahoo!\antivirus\CAVTray.exe"
mRun: [CAVRID] "c:\program files\yahoo!\antivirus\CAVRID.exe"
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\eventm~1.lnk - c:\hallmark\EMREMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\VetRedir.dll
LSP: mswsock.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155671341593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{AE2157C4-E2A1-41FA-9D30-4FEF4758B9D8} : DhcpNameServer = 192.168.1.1 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2006-8-15 21031]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2006-8-15 15478]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VetEFile.sys [2006-8-15 879832]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2006-8-15 15735]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2006-8-15 26787]
R2 CAISafe;CAISafe;c:\program files\yahoo!\antivirus\iSafe.exe [2006-8-15 259184]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VetEBoot.sys [2006-8-15 108360]
.
=============== File Associations ===============
.
.exe=ah
.
=============== Created Last 30 ================
.
2011-12-11 16:09:36 -------- d-----w- c:\documents and settings\all users\application data\ashampoo
2011-12-11 16:09:09 -------- d-----w- c:\program files\Ashampoo
2011-12-09 23:42:12 79872 ----a-w- c:\windows\system32\3Rb1l2O7d.com
2011-12-09 23:35:15 79872 ----a-w- c:\windows\system32\3Rb1l2O7d.com_
2011-12-09 23:08:06 286720 ----a-w- c:\documents and settings\owner\local settings\application data\qin.exe
.
==================== Find3M ====================
.
.
============= FINISH: 14:58:10.23 ===============

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/432876 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

• If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  
• A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
  
  • Please do this even if you have previously posted logs for us.
    
  • If you were unable to produce the logs originally please try once more.
    
  • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    
  • If you are unsure about any of these characteristics just post what you can and we will guide you.
  
  
• Please tell us if you have your original Windows CD/DVD available.
  
• Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

• Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:



As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

I do still need help and I have posted the logs, no system cd available.

Thanks

Hello rob.linger

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy and as you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic.

• Click on the Watch Topic button
  
• Select Immediate Notification
  
• Click on Proceed.

Make sure Word Wrap in notepad is turned off. When copying and pasting logs paste them directly in the reply box only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box. Do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7 it may be necessary to right click then choose Run as Administrator any programs we use.

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Please read carefully all directions and instructions. If you are instructed to save a tool to the desktop please save it to the desktop.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

Since it has been a while I would like to see some fresh logs.

Please follow the previous instructions to run DDS.

Note: There will be two logs generated, DDS.txt and Attach.txt. I will need to see both of them. There is no need to zip the Attach.txt.


Thanks!!

I can run the logs again if you'd like, but the computer has been off since the first post, so the logs would be exactly the same aside from dates.

Should I still re-run them?

Hi rob.linger,


Step 1.

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on Combofix.exe and follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Step 2.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

• Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  Vista/Windows 7 users right-click and select Run As Administrator.
  
• If TDSSKiller does not run, try renaming it.
  
• To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  
• Click the Start Scan button.
  
• Do not use the computer during the scan
  
• If the scan completes with nothing found, click Close to exit.
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  
• Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  
• A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  
• Copy and paste the contents of that file in your next reply.

In your next reply please include the following:

ComboFix.txt
TDSSKiller.txt


How is your computer running now? Any popups or redirects?


Thanks!!

Hi rob.linger,



Do you still need assistance?

Yes, I am working on the computer now. Been having issues getting combo fix running. But it's running now, only issue is I have a message that says pev.3xe is corrupt, should I just ignore this?

Ok, I just ignored the error and combo fix finished running, I also ran the TDSSKiller but no threats were found. The computer seems to be running better, but I am not sure if it's 100%, it has been a while since I used a computer that is so old with such a small amount of RAM, on DSL as well. I have attached the logs. Thanks

Hi rob.linger,


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue with the cleaning process please perform the following:


Note: Please do not attach logs unless specifically asked to. Copy and paste them directly into the body of the reply box.


Are you still using Verizon Yahoo! Online Protection as your anti-virus program?


Step 1.

I see remnants of MacAfee antivirus. To remove McAfee AntiVirus fully I recommend you to use McAfee Consumer Product Removal tool (MCPR.exe).

For download and instruction to use McAfee Consumer Product Removal tool click on majorgeeks.com

• Download the removal tool
  
• Click Save and save the file to a folder on your computer.
  
• Navigate to the folder where the file was saved.
  
• Make sure all McAfee windows are closed.
  
• Double-click MCPR.exe to run the removal tool.
  
• Restart your computer after receiving the message CleanUp Successful.
  
• Your McAfee product will not be fully removed until the system is restarted.

Step 2.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-
"DisableNotifications"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19930:TCP"=-
"57933:TCP"=-
"28540:TCP"=-
"60118:TCP"=-
"53931:TCP"=-
"56607:TCP"=-
"11557:TCP"=-
"22101:TCP"=-
"10566:TCP"=- 
"52223:TCP"=- 
"30754:TCP"=- 
"12375:TCP"=- 
"54203:TCP"=- 
"52166:TCP"=- 
"24594:TCP"=- 
"30723:TCP"=-
"60039:TCP"=- 
"46238:TCP"=- 
"62238:TCP"=- 
"53094:TCP"=-
"14047:TCP"=- 
"63950:TCP"=- 
"55915:TCP"=- 
"9352:TCP"=-
"32183:TCP"=-
"53524:TCP"=-
"38242:TCP"=-
"18476:TCP"=-
"59441:TCP"=-
"58711:TCP"=-
"21851:TCP"=-
"56975:TCP"=-
"40805:TCP"=-
"26047:TCP"=-
"39344:TCP"=-
"44344:TCP"=-
"32410:TCP"=-
"39778:TCP"=-
"52672:TCP"=-
"26332:TCP"=-
"44988:TCP"=-
"43883:TCP"=-
"13582:TCP"=-
"43273:TCP"=-
"59758:TCP"=-
"43461:TCP"=-
"30470:TCP"=-
"43786:TCP"=-
"45173:TCP"=-
"5188:TCP"=-
"12985:TCP"=- 
"16776:TCP"=- 
"10266:TCP"=- 
"23066:TCP"=- 
"48918:TCP"=- 
"17867:TCP"=-
"25016:TCP"=- 
"18578:TCP"=-
"29020:TCP"=- 
"5707:TCP"=- 
"6235:TCP"=-
"62726:TCP"=-
"58914:TCP"=-
"33160:TCP"=-
"24432:TCP"=-
"10832:TCP"=-
"8266:TCP"=-
"40586:TCP"=-
"64485:TCP"=-
"60457:TCP"=-
"28294:TCP"=-
"38170:TCP"=-
"33976:TCP"=-
"43996:TCP"=-
"39051:TCP"=-
"60020:TCP"=-
"38125:TCP"=-
"25117:TCP"=-
"11832:TCP"=-
"42508:TCP"=-
"27047:TCP"=-
"36003:TCP"=-
"49176:TCP"=-
"57835:TCP"=-
"37316:TCP"=-
"41336:TCP"=-
"7009:TCP"=-
"21138:TCP"=-
"17223:TCP"=-
"60101:TCP"=-
"12630:TCP"=-
"9266:TCP"=-
"6424:TCP"=-
"43898:TCP"=-
"40966:TCP"=-
"46118:TCP"=-
"63914:TCP"=-
"30508:TCP"=-
"15547:TCP"=-
"27020:TCP"=-
"46088:TCP"=-
"48504:TCP"=-
"42841:TCP"=-
"63488:TCP"=-
"41191:TCP"=-
"42219:TCP"=-
"30523:TCP"=-
"61388:TCP"=-
"21832:TCP"=-
"18865:TCP"=-
"43201:TCP"=-
"54961:TCP"=-
"53629:TCP"=-
"26211:TCP"=-
"46344:TCP"=-
"53273:TCP"=-
"17063:TCP"=-
"63513:TCP"=-
"6880:TCP"=-
"59227:TCP"=-
"52070:TCP"=-
"8082:TCP"=- 
"63546:TCP"=-
"50766:TCP"=-
"43508:TCP"=-
"59262:TCP"=-
"44325:TCP"=-
"29279:TCP"=-
"54116:TCP"=-
"39523:TCP"=-
"6266:TCP"=- 
"33113:TCP"=-
"31678:TCP"=-
"7759:TCP"=-
"12921:TCP"=-
"55512:TCP"=-
"24669:TCP"=-
"50836:TCP"=-
"48805:TCP"=-
"40410:TCP"=-
"52648:TCP"=-

AtJob::

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note:

When CF finishes running, the ComboFix log will open. Please post that in your next reply.


Step 2.

Please download Malwarebytes' Anti-Malware and save it to your desktop.

Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
  For instructions with screenshots, please refer to this Guide.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  
• If an update is found, the program will automatically update itself. Press the OK button and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

• Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  
• Click on the Scan button.
  
• When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked and then click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  
• Exit Malwarebytes' when done.

Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.


In your next reply please include the following:

Answer about antivirus
Combofix.txt <---------Do not attach
MBAM log<----------Do not attach


Thanks!!

This post has been edited by pwgib: 01 January 2012 - 08:04 PM
Reason for edit: extra space in fix

For now I will clean the computer, advice my neighbor of the issues and go from there.

I removed the yahoo Verizon software as it was outdated by about 4 years and also had no way to disable to allow combofix to run.

I will follow the steps provided above and post the logs, as soon as I get access to my neighbors computer again.

Thanks

If it would help you can connect the sick computer to the internet long enough to download and run any tools/fixes rquired.

Just be sure to disconnect when finished posting the logs. I will let you know when you may leave it connected.


Thanks!!

Here are the Logs:


ComboFix 12-01-03.07 - Owner 01/03/2012 17:23:53.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.367.113 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2012-01-01 18:35 . 2004-08-04 19:00 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-01-01 18:35 . 2004-08-04 19:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-11 16:09 . 2011-12-11 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ashampoo
2011-12-11 16:09 . 2011-12-11 16:09 -------- d-----w- c:\program files\Ashampoo
2011-12-11 15:41 . 2011-12-11 15:41 -------- d-----w- c:\documents and settings\Administrator
2011-12-10 00:11 . 2011-12-10 00:11 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-12-09 23:42 . 2011-12-09 23:37 79872 ----a-w- c:\windows\system32\3Rb1l2O7d.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-16 14:20 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP6ddd.tmp
2011-12-16 14:17 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP001c.tmp
2011-12-16 14:13 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0099.tmp
2011-12-16 14:10 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP002c.tmp
2011-12-16 14:07 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP005d.tmp
2011-12-16 14:04 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00fa.tmp
2011-12-16 14:01 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0191.tmp
2011-12-16 13:58 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00d8.tmp
2011-12-16 13:55 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP029b.tmp
2011-12-16 13:52 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00b8.tmp
2011-12-16 13:49 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0162.tmp
2011-12-16 13:46 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP008d.tmp
2011-12-16 13:43 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0109.tmp
2011-12-16 13:39 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0098.tmp
2011-12-16 13:36 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0134.tmp
2011-12-16 13:33 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0133.tmp
2011-12-16 13:30 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP008c.tmp
2011-12-16 13:27 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00d7.tmp
2011-12-16 13:24 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0143.tmp
2011-12-16 13:21 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP05c7.tmp
2011-12-16 13:18 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP01c0.tmp
2011-12-16 13:15 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPffef.tmp
2011-12-16 13:11 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP001b.tmp
2011-12-16 13:08 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00aa.tmp
2011-12-16 13:05 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPff9f.tmp
2011-12-16 13:02 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00c8.tmp
2011-12-16 12:59 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP008b.tmp
2011-12-16 12:56 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00b7.tmp
2011-12-16 12:53 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0115.tmp
2011-12-16 12:50 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPfffc.tmp
2011-12-16 12:47 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP006c.tmp
2011-12-16 12:44 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0124.tmp
2011-12-16 12:41 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00f9.tmp
2011-12-16 12:37 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00a9.tmp
2011-12-16 12:34 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00c7.tmp
2011-12-16 12:31 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0108.tmp
2011-12-16 12:28 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP005c.tmp
2011-12-16 12:25 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0154.tmp
2011-12-16 12:22 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP003b.tmp
2011-12-16 12:19 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0579.tmp
2011-12-16 12:16 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0181.tmp
2011-12-16 12:13 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP01a2.tmp
2011-12-16 12:09 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP024d.tmp
2011-12-16 12:06 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPffce.tmp
2011-12-16 12:03 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0114.tmp
2011-12-16 12:00 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP003a.tmp
2011-12-16 11:57 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00f8.tmp
2011-12-16 11:54 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP007f.tmp
2011-12-16 11:51 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP007e.tmp
2011-12-16 11:48 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP007d.tmp
2011-12-16 11:45 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPffee.tmp
2011-12-16 11:42 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00e6.tmp
2011-12-16 11:39 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP008a.tmp
2011-12-16 11:36 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP000e.tmp
2011-12-16 11:32 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP006b.tmp
2011-12-16 11:29 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPffcd.tmp
2011-12-16 11:26 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP005b.tmp
2011-12-16 11:23 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP007c.tmp
2011-12-16 11:20 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0153.tmp
2011-12-16 11:17 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP054a.tmp
2011-12-16 11:14 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00e5.tmp
2011-12-16 11:11 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPffde.tmp
2011-12-16 11:08 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0089.tmp
2011-12-16 11:04 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP000d.tmp
2011-12-16 11:01 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPff9e.tmp
2011-12-16 10:58 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP007b.tmp
2011-12-16 10:55 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP004b.tmp
2011-12-16 10:52 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00f7.tmp
2011-12-16 10:49 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0107.tmp
2011-12-16 10:46 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP006a.tmp
2011-12-16 10:43 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0106.tmp
2011-12-16 10:40 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP007a.tmp
2011-12-16 10:37 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00d6.tmp
2011-12-16 10:34 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0079.tmp
2011-12-16 10:31 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00a8.tmp
2011-12-16 10:27 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0105.tmp
2011-12-16 10:24 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP01ef.tmp
2011-12-16 10:21 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0088.tmp
2011-12-16 10:18 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP021e.tmp
2011-12-16 10:15 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0598.tmp
2011-12-16 10:12 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP02ba.tmp
2011-12-16 10:09 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP005a.tmp
2011-12-16 10:06 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00c6.tmp
2011-12-16 04:58 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0059.tmp
2011-12-16 04:55 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0069.tmp
2011-12-16 04:52 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPffdd.tmp
2011-12-16 04:49 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP002b.tmp
2011-12-16 04:46 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPffed.tmp
2011-12-16 04:43 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPff21.tmp
2011-12-16 04:40 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPff20.tmp
2011-12-16 04:37 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPffec.tmp
2011-12-16 04:34 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0104.tmp
2011-12-16 04:30 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP000c.tmp
2011-12-16 04:27 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP004a.tmp
2011-12-16 04:24 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP00b6.tmp
2011-12-16 04:21 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP001a.tmp
2011-12-16 04:18 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0087.tmp
2011-12-16 04:15 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP000b.tmp
2011-12-16 04:12 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMPfffb.tmp
2011-12-16 04:09 . 2006-05-16 15:28 94208 ----a-w- c:\windows\DUMP0327.tmp
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-01_19.50.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-03 22:06 . 2012-01-03 22:06 16384 c:\windows\Temp\Perflib_Perfdata_790.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HostManager"="c:\program files\Common Files\AOL\1147794822\EE\AOLHostManager.exe" [2004-11-03 125528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-16 98304]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10u_ActiveX.exe" [2011-07-18 243360]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Event Minder Reminders.lnk - c:\hallmark\EMREMIND.EXE [2010-3-16 6240]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-5-16 2168360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147794822\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-09 c:\windows\Tasks\At1.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At10.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At11.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At12.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At13.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At14.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At15.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At16.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-10 c:\windows\Tasks\At17.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-10 c:\windows\Tasks\At18.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At19.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At2.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At20.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At21.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At22.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At23.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At24.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2012-01-01 c:\windows\Tasks\At25.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2012-01-01 c:\windows\Tasks\At26.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At27.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At28.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At29.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At3.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At30.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-15 c:\windows\Tasks\At31.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-15 c:\windows\Tasks\At32.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-15 c:\windows\Tasks\At33.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-15 c:\windows\Tasks\At34.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At35.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At36.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At37.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-10 c:\windows\Tasks\At38.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-10 c:\windows\Tasks\At39.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At4.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-10 c:\windows\Tasks\At40.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At41.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At42.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At43.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At44.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At45.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At46.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At47.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At48.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At5.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At6.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At7.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At8.job
- c:\windows\system32\3Rb1l2O7d.com_ [2011-12-09 23:37]
.
2011-12-09 c:\windows\Tasks\At9.job
- c:\windows\system32\3Rb1l2O7d.com [2011-12-09 23:37]
.
2011-12-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-726758628-2395302696-704199521-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-11 15:47]
.
2006-08-04 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]
.
2006-08-04 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://frontier.my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-03 17:46
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1340)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-03 17:56:50
ComboFix-quarantined-files.txt 2012-01-03 22:56
.
Pre-Run: 143,083,200,512 bytes free
Post-Run: 143,076,794,368 bytes free
.
- - End Of File - - AE158363BC8B5CCE43A6B0AF9DB8422E


Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.03.05

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: TERRY [administrator]

1/3/2012 7:08:58 PM
mbam-log-2012-01-03 (19-08-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 172837
Time elapsed: 25 minute(s), 59 second(s)

Memory Processes Detected: 1
C:\WINDOWS\system32\3Rb1l2O7d.com (Trojan.Email) -> 184 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\WINDOWS\system32\3Rb1l2O7d.com (Trojan.Email) -> Delete on reboot.
C:\WINDOWS\system32\3Rb1l2O7d.com_ (Trojan.Email) -> Quarantined and deleted successfully.

(end)

Hi rob.linger,


Step 1.

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  • Internet Services
    
  • Windows Firewall
    
  • System Restore
    
  • Security Center
    
  • Windows Update
  
  
• Press "Scan".
  
• It will create a log (FSS.txt) in the same directory the tool is run.
  
• Please copy and paste the log to your reply.

Step 2.

We need to create an OTL Report

• Please download OTL from the following mirror:
  • This is THE Mirror
  
  
• Save it to your desktop.
  
• Double click on the icon on your desktop.
  
• Click the "Scan All Users" checkbox.
  
• Push the button.
  
• Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
    
  • Extra.txt <-- Will be minimized

In your next reply please include the following:


FSS.txt
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized


How is your computer running? Any redirects or popups?


Thanks!!

Hi rob.linger,


Are you still with me?