Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Help. Cant Update my Antivirus or Windows Defender!

  • This topic is locked This topic is locked
11 replies to this topic

#1 worth20mil


  • Members
  • 7 posts
  • Local time:12:31 PM

Posted 03 January 2009 - 04:14 PM

Help me or my father is going to kill me! Really he will abuse me!

DDS (Version 1.1.0) - NTFSx86
Run by Tan & Hang at 15:10:34.35 on Sat 01/03/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.5.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.1140 [GMT -6:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\Tan & Hang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://vuilen.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb127\SearchSettings.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: iercptbho Class: {d4cdc21d-43be-4101-a1ef-e379f134771e} - c:\users\tan & hang\appdata\local\qip\iercpt.dll
BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb127\SearchSettings.dll
TB: {B7D3E479-CC68-42B5-A338-938ECE35F419} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {7EFBC57C-CD57-481F-B794-648FCE9C9116} - No File
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; DEL; 3P_USEC" -"http://www.adultswim.com/games/game/index.html?game=candymountain2"
mRun: [<NO NAME>]
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\tan & hang\appdata\roaming\microsoft\windows\start menu\programs\startup\.security
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\.security
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\tan & hang\appdata\roaming\microsoft\windows\start menu\programs\imvu\Run IMVU.lnk
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
AppInit_DLLs: c:\program,files\relevantknowledge\rlai.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-01-02 21:12 <DIR> --d----- c:\program files\Trend Micro
2009-01-02 15:30 <DIR> --d----- c:\program files\common files\Logitech
2008-12-30 20:31 850 a------- c:\windows\system32\ProductTweaks.xml
2008-12-30 20:31 385 a------- c:\windows\system32\user_gensett.xml
2008-12-30 20:27 <DIR> --d----- c:\users\tan&ha~1\appdata\roaming\BitDefender
2008-12-30 20:26 <DIR> --d----- c:\programdata\BitDefender
2008-12-30 20:26 <DIR> --d----- c:\program files\BitDefender
2008-12-30 20:26 <DIR> --d----- c:\progra~2\BitDefender
2008-12-30 20:25 <DIR> --d----- c:\program files\common files\BitDefender
2008-12-27 13:59 <DIR> --d----- c:\program files\Unity
2008-12-19 23:28 <DIR> --d----- c:\users\tan&ha~1\appdata\roaming\ValuSoft
2008-12-19 21:38 <DIR> --d----- c:\program files\MostFun
2008-12-19 20:51 <DIR> --dshr-- C:\resycled
2008-12-19 19:35 <DIR> --d----- c:\programdata\DAEMON Tools Lite
2008-12-19 19:35 <DIR> --d----- c:\progra~2\DAEMON Tools Lite
2008-12-19 19:31 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-12-19 19:31 <DIR> --d----- c:\users\tan&ha~1\appdata\roaming\DAEMON Tools Lite
2008-12-17 08:24 <DIR> --d----- c:\programdata\NCH Swift Sound
2008-12-17 07:01 <DIR> --d----- c:\program files\Free Offers from Freeze.com
2008-12-16 08:32 <DIR> --d----- c:\users\tan&ha~1\appdata\roaming\Malwarebytes
2008-12-16 08:32 <DIR> --d----- c:\programdata\Malwarebytes
2008-12-16 08:32 <DIR> --d----- c:\progra~2\Malwarebytes
2008-12-16 07:33 <DIR> --d----- c:\program files\Trymedia
2008-12-16 06:40 <DIR> --d----- c:\programdata\119899227
2008-12-16 06:40 <DIR> --d----- c:\progra~2\119899227
2008-12-13 10:02 2,048 a------- c:\windows\system32\tzres.dll
2008-12-12 06:30 296,960 a------- c:\windows\system32\gdi32.dll
2008-12-12 06:30 2,927,104 a------- c:\windows\explorer.exe
2008-12-12 06:29 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-12-12 06:29 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-12-12 06:29 827,392 a------- c:\windows\system32\wininet.dll
2008-12-12 06:29 2,868,736 a------- c:\windows\system32\mf.dll
2008-12-12 06:29 996,352 a------- c:\windows\system32\WMNetMgr.dll
2008-12-12 06:29 94,720 a------- c:\windows\system32\logagent.exe
2008-12-07 17:04 <DIR> --d----- c:\programdata\Age of Empires 3 YPack Trial
2008-12-07 17:04 <DIR> --d----- c:\progra~2\Age of Empires 3 YPack Trial
2008-12-07 17:02 2,297,552 a------- c:\windows\system32\d3dx9_26.dll

==================== Find3M ====================

2008-11-30 12:23 2,560 a------- c:\windows\_MSRSTRT.EXE
2008-10-31 21:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 21:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 21:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 21:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 21:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-21 21:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-20 23:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-19 13:22 1,776 a------- c:\windows\system32\ealregsnapshot1.reg
2008-10-16 14:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 14:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-08-30 14:05 174 a--sh--- c:\program files\desktop.ini
2008-08-30 14:00 143,360 a------- c:\windows\inf\infstrng.dat
2008-08-30 14:00 86,016 a------- c:\windows\inf\infstor.dat
2008-08-30 14:00 51,200 a------- c:\windows\inf\infpub.dat
2008-08-30 13:34 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-20 21:20 6,797 a------- c:\program files\install.log
2007-12-15 20:27 32 a------- c:\programdata\ezsid.dat
2007-12-15 20:27 32 a------- c:\progra~2\ezsid.dat
2007-11-03 14:01 774,144 a------- c:\program files\RngInterstitial.dll
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:10:58.76 ===============

BC AdBot (Login to Remove)


#2 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:01:31 PM

Posted 15 January 2009 - 10:24 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer. I am looking over your log now, can you post up a new DDS log please.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#3 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:01:31 PM

Posted 19 January 2009 - 05:12 PM

This thread is closed due to inactivity.
If you need this topic reopened, please send me or another moderator a PM.

Reopened at the request of worth20mil

Edited by Hoov, 09 February 2009 - 09:01 AM.

Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#4 worth20mil

  • Topic Starter

  • Members
  • 7 posts
  • Local time:12:31 PM

Posted 14 February 2009 - 12:53 PM

I have tried downlaoding a lot of Antivirus programs but none were free. AVG couldnt update (trial) either. I get a code 0x80244019 when I try to update Windows Defender. I cant buy any Antivirus because my dad doesnt know a lot about computers because he is Vietnamese and cant speak english. I'm only 12. I cant fix anything. I kept getting the code 0x80244019 :thumbsup: :) :) :) :) :bowdown: :bounce:

#5 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:01:31 PM

Posted 14 February 2009 - 04:07 PM

First, just relax, we will help you out with this, and get you fixed up. First of all, this may not be anyone fault. There appears to be one of the updates that broke this. Click on this link and do the updates thru there for Windows Defender. Once you have done those, try to update it the way you normally do. Let me know what happens.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#6 worth20mil

  • Topic Starter

  • Members
  • 7 posts
  • Local time:12:31 PM

Posted 14 February 2009 - 04:26 PM

I clicked on the link, and Google popped up -_- :thumbsup: :) :)

#7 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:01:31 PM

Posted 14 February 2009 - 04:44 PM

You have more than 1 problem.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

If you can't download the program or the updates from the links above, I will give you alternative links.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#8 worth20mil

  • Topic Starter

  • Members
  • 7 posts
  • Local time:12:31 PM

Posted 14 February 2009 - 07:04 PM

Ok this is what I got

Malwarebytes' Anti-Malware 1.34
Database version: 1736
Windows 6.0.6001 Service Pack 1

2/14/2009 6:02:32 PM
mbam-log-2009-02-14 (18-02-32).txt

Scan type: Quick Scan
Objects scanned: 62747
Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/upas_0001_n93m1306netinstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\iercpt.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\ACM.DLL (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\Downloaded Program Files\UPAS_0001_N93M1306NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Users\Tan & Hang\AppData\Roaming\TrustedProtection (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
C:\Users\Tan & Hang\AppData\Roaming\TrustedProtection\Logs (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\Seekeen (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Tan & Hang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Tan & Hang\Local Settings\Application Data\qip (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickInstallPack (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\Downloaded Program Files\UPAS_0001_N93M1306NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Windows\System32\msqpdxxrnjyqix.dll (Trojan.Agent) -> Delete on reboot.
C:\Users\Tan & Hang\AppData\Roaming\TrustedProtection\avtasks.dat (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
C:\Users\Tan & Hang\AppData\Roaming\TrustedProtection\Logs\av.log (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
C:\Users\Tan & Hang\AppData\Roaming\TrustedProtection\Logs\ga6Support.log (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\extravideo\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\msqpdxcbvpwysh.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Tan & Hang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.security (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\.security (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\etc\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Windows\.security (Rogue.Multiple) -> Quarantined and deleted successfully.

#9 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:01:31 PM

Posted 14 February 2009 - 07:13 PM

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Do not mouseclick combofix's window while it's running. That may cause it to stall

If you have a router, then do another scan with Malwarebytes' Anti-Malware and restart the computer. Then when the computer is restarting, unhook the router from the internet, then do a reset of the router, and then when the computer and router are back up, make sure you change the default password with a strong password. If you have just an external modem, just unplug the power from it, wait 2 minutes, then plug it back in.

If you don't have a router just unplug your modem from power for 2 minutes and then reconnect it.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#10 worth20mil

  • Topic Starter

  • Members
  • 7 posts
  • Local time:12:31 PM

Posted 14 February 2009 - 09:37 PM

I got this. So I will restart the router.

ComboFix 09-02-12.03 - Tan & Hang 2009-02-14 20:22:37.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.1162 [GMT -6:00]
Running from: c:\users\Tan & Hang\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Outdated)

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\program files\INSTALL.LOG

((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))

2009-02-14 17:09 . 2009-02-14 17:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-14 17:09 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-14 17:09 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-13 09:19 . 2009-02-13 09:19 <DIR> d-------- c:\program files\VstPlugins
2009-02-13 09:19 . 2009-02-13 09:19 <DIR> d-------- c:\program files\Outsim
2009-02-13 09:19 . 2002-07-07 16:14 1,294,336 --a------ c:\windows\System32\vorbis.acm
2009-02-13 09:19 . 2006-06-20 02:56 225,280 --a------ c:\windows\System32\rewire.dll
2009-02-13 09:16 . 2009-02-13 09:23 <DIR> d-------- c:\program files\Image-Line
2009-01-17 19:52 . 2009-01-17 19:52 <DIR> d-------- c:\program files\Perfect World Entertainment
2009-01-17 15:58 . 2009-01-17 15:58 <DIR> d-------- c:\windows\Favorites
2009-01-17 15:57 . 2009-01-17 15:57 <DIR> d-------- c:\program files\Sierra On-Line
2009-01-17 15:57 . 2009-01-17 15:57 <DIR> d-------- C:\Impressions Games
2009-01-17 15:57 . 2009-01-17 17:29 240 --a------ c:\windows\SIERRA.INI
2009-01-16 17:17 . 2008-12-15 20:42 288,768 --a------ c:\windows\System32\drivers\srv.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-01-20 12:25 --------- d-----w c:\program files\Electronic Arts
2009-01-18 01:42 --------- d-----w c:\users\Tan & Hang\AppData\Roaming\GetRightToGo
2009-01-17 23:29 --------- d-----w c:\program files\Microsoft Games
2009-01-17 16:51 --------- d-----w c:\program files\Windows Mail
2009-01-17 03:44 --------- d-----w c:\programdata\Electronic Arts
2009-01-17 02:50 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-10 00:28 --------- d-----w c:\programdata\WildTangent
2009-01-03 03:14 --------- d-----w c:\programdata\avg8
2009-01-03 03:12 --------- d-----w c:\program files\Trend Micro
2009-01-02 21:30 --------- d-----w c:\program files\Common Files\Logitech
2008-12-31 03:02 --------- d-----w c:\program files\Common Files\BitDefender
2008-12-31 02:31 --------- d-----w c:\programdata\BitDefender
2008-12-31 02:27 --------- d-----w c:\users\Tan & Hang\AppData\Roaming\BitDefender
2008-12-31 02:26 --------- d-----w c:\program files\BitDefender
2008-12-31 02:20 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-12-31 01:27 --------- d-----w c:\programdata\WinZip
2008-12-27 19:59 --------- d-----w c:\program files\Unity
2008-12-23 23:16 --------- d-----w c:\users\Tan & Hang\AppData\Roaming\uTorrent
2008-12-22 21:19 --------- d-----w c:\users\Tan & Hang\AppData\Roaming\Microsoft Games
2008-12-20 18:28 --------- d-----w c:\programdata\Microsoft Games
2008-12-20 05:28 --------- d-----w c:\users\Tan & Hang\AppData\Roaming\ValuSoft
2008-12-20 04:54 --------- d-----w c:\program files\MostFun
2008-12-20 04:02 --------- d-----w c:\users\Tan & Hang\AppData\Roaming\PlayFirst
2008-12-20 04:02 --------- d-----w c:\programdata\PlayFirst
2008-12-20 03:59 --------- d-----w c:\programdata\iWin Games
2008-12-20 01:35 --------- d-----w c:\programdata\DAEMON Tools Lite
2008-12-20 01:31 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-20 01:31 --------- d-----w c:\users\Tan & Hang\AppData\Roaming\DAEMON Tools Lite
2008-12-19 18:00 --------- d-----w c:\programdata\119899227
2008-12-17 14:37 --------- d-----w c:\users\Tan & Hang\AppData\Roaming\NCH Swift Sound
2008-12-17 14:27 --------- d-----w c:\programdata\NCH Swift Sound
2008-12-16 14:32 --------- d-----w c:\users\Tan & Hang\AppData\Roaming\Malwarebytes
2008-12-16 14:32 --------- d-----w c:\programdata\Malwarebytes
2008-12-16 13:36 --------- d-----w c:\program files\earthlink totalaccess
2008-12-16 13:35 --------- d-----w c:\program files\GlobalStar Software
2008-12-16 13:34 --------- d-----w c:\program files\Trymedia
2008-12-16 12:57 --------- d-----w c:\program files\Nakido
2008-11-30 18:23 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2008-08-30 20:05 174 --sha-w c:\program files\desktop.ini
2007-12-16 02:27 32 ----a-w c:\users\All Users\ezsid.dat
2007-12-16 02:27 32 ----a-w c:\programdata\ezsid.dat
2007-11-03 20:01 774,144 ----a-w c:\program files\RngInterstitial.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

"MSConfig"="c:\windows\system32\msconfig.exe" [2008-01-19 227840]
"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [2008-06-12 991584]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-06 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-06 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-06 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 c:\windows\RtHDVCpl.exe]

"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup

[HKLM\~\startupfolder\C:^Users^Tan & Hang^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\users\Tan & Hang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2007-03-12 18:44 1773568 c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 2006-09-28 07:42 65536 c:\hp\support\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2006-12-08 10:16 65536 c:\hp\KBD\KbdStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-07-06 20:15 8466432 c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-07-06 20:15 81920 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2007-07-06 20:15 86016 c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
--a------ 2007-02-15 04:59 118784 c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SnapfishMediaDetector]
--a------ 2007-03-02 15:55 1441792 c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-19 01:38 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2007-03-01 09:38 4390912 c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"{87D83E83-D333-467D-AE35-885B5CD76B41}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D9C31F46-BC7B-4F42-9D29-EF20E3BD4921}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8E28FB53-0613-4605-A2A4-A8D921636135}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{CC72DC5A-C75C-49C7-A3E5-654B4AE2FFC5}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A0E68D27-0623-4BEA-B02A-3A45AFBA3B8E}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{994D992D-FC82-4B65-B300-AC250F8D453E}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D3153266-F3C2-423C-80DC-654067BE065C}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B397EA17-5F85-4598-B491-FF856B065299}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{932D3AB7-14C1-43C5-8A4C-32A78B476F6D}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{0B4EF09A-0CA9-426D-BAE1-46DFD8F245A9}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{22F37EBB-95AA-464F-AF97-7C6D717ECCBB}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{54CD0988-A40C-4FBE-9CDA-960E15AE998F}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{1A17B542-134C-4489-A406-5CE8C710225B}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{E3A6A2AC-C742-4A8C-A16E-239FA79A90D1}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{835D3D76-139D-41C5-9864-936A2D6635A5}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{1B9CAA77-8639-4F58-B77E-1E6A7A4F9D9C}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{DBC6FEAD-D34F-4325-9FCD-08171537CD2A}c:\\program files\\globalstar software\\school tycoon\\schooltycoon.exe"= UDP:c:\program files\globalstar software\school tycoon\schooltycoon.exe:SchoolTycoon
"UDP Query User{ECA2D9C5-795F-49B8-A8AC-F4D41A95984C}c:\\program files\\globalstar software\\school tycoon\\schooltycoon.exe"= TCP:c:\program files\globalstar software\school tycoon\schooltycoon.exe:SchoolTycoon
"TCP Query User{DAB54BD8-90C6-4D3A-B106-E49036D9F49D}c:\\program files\\global star software\\luxury liner tycoon\\cruise.exe"= UDP:c:\program files\global star software\luxury liner tycoon\cruise.exe:Main Executable
"UDP Query User{B3A4DF16-F5A9-4861-B2A8-8BBC8F8AFD88}c:\\program files\\global star software\\luxury liner tycoon\\cruise.exe"= TCP:c:\program files\global star software\luxury liner tycoon\cruise.exe:Main Executable
"TCP Query User{C058829A-265C-416E-ABC1-C995DDF111B4}c:\\program files\\activision value\\skateboard park tycoon 2004\\skate3.exe"= UDP:c:\program files\activision value\skateboard park tycoon 2004\skate3.exe:Skate3
"UDP Query User{F9411589-5E55-4962-82DA-12DFEBBE6928}c:\\program files\\activision value\\skateboard park tycoon 2004\\skate3.exe"= TCP:c:\program files\activision value\skateboard park tycoon 2004\skate3.exe:Skate3
"{9ACD8668-8046-4449-BEC2-A98FE9FD9154}"= c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"TCP Query User{529D94F2-1734-4613-BE73-23CB619764BC}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{0CCEED0A-70CE-4EB0-B1E5-C73915EA4461}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{E8276756-C6C7-4A16-AD5C-FAA0651F1F24}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{564A2A68-F388-475B-A83B-288CED2869EB}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{F68D74F9-9E58-4952-8624-6724278E6ADA}c:\\program files\\thq\\titan quest\\titan quest.exe"= UDP:c:\program files\thq\titan quest\titan quest.exe:Titan Quest
"UDP Query User{610B8F2F-5BEB-4C9C-895B-FE3A885EFB63}c:\\program files\\thq\\titan quest\\titan quest.exe"= TCP:c:\program files\thq\titan quest\titan quest.exe:Titan Quest
"{2E322C02-2979-47BA-8D48-E3ED1F06B563}"= UDP:c:\windows\Temp\~os2848.tmp\ossproxy.exe:ossproxy.exe
"{933ECE50-884D-48D6-9CF0-C692B47AC5F0}"= UDP:c:\program files\Nakido\nakido.exe:Nakido
"{CCB5C9A0-2B4A-44F4-94BF-0A3ED2BB69B7}"= TCP:c:\program files\Nakido\nakido.exe:Nakido
"{C53DAE0A-C125-4A36-A068-1C33251DF99D}"= Disabled:UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{15C65BF3-4B2C-4036-B09B-A51DDBB14852}"= Disabled:TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{38FE5294-9DD7-4FEA-8F30-24763173520A}c:\\ijji\\english\\u_gunz.exe"= Disabled:UDP:c:\ijji\english\u_gunz.exe:<ijji Downloader>
"UDP Query User{C8AFD7A6-A24A-4D39-ABB7-A3CE29DBE387}c:\\ijji\\english\\u_gunz.exe"= Disabled:TCP:c:\ijji\english\u_gunz.exe:<ijji Downloader>
"TCP Query User{E92F8A73-A9E3-45C9-9B4E-2561E78C785A}c:\\users\\tan & hang\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\y9pxegom\\9dragons_downloader_us_5-14-2008[1].exe"= Disabled:UDP:c:\users\tan & hang\appdata\local\microsoft\windows\temporary internet files\content.ie5\y9pxegom\9dragons_downloader_us_5-14-2008[1].exe:9dragons_downloader_us_5-14-2008[1].exe
"UDP Query User{424272BD-B9F4-4927-B507-B49A657384CB}c:\\users\\tan & hang\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\y9pxegom\\9dragons_downloader_us_5-14-2008[1].exe"= Disabled:TCP:c:\users\tan & hang\appdata\local\microsoft\windows\temporary internet files\content.ie5\y9pxegom\9dragons_downloader_us_5-14-2008[1].exe:9dragons_downloader_us_5-14-2008[1].exe
"TCP Query User{4D1DA6E7-3EC1-48DE-973C-E98BDB4C6400}c:\\users\\tan & hang\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\4l60wm68\\9dragons_downloader_us_5-14-2008[1].exe"= Disabled:UDP:c:\users\tan & hang\appdata\local\microsoft\windows\temporary internet files\content.ie5\4l60wm68\9dragons_downloader_us_5-14-2008[1].exe:9dragons_downloader_us_5-14-2008[1].exe
"UDP Query User{17892F12-2667-4F8D-B247-DFA6A96B6737}c:\\users\\tan & hang\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\4l60wm68\\9dragons_downloader_us_5-14-2008[1].exe"= Disabled:TCP:c:\users\tan & hang\appdata\local\microsoft\windows\temporary internet files\content.ie5\4l60wm68\9dragons_downloader_us_5-14-2008[1].exe:9dragons_downloader_us_5-14-2008[1].exe
"TCP Query User{2DEBA282-DCE8-45F8-92F9-70EF57B895A8}c:\\program files\\global star software\\airport tycoon 3\\at3.exe"= Disabled:UDP:c:\program files\global star software\airport tycoon 3\at3.exe:at3
"UDP Query User{ADAB3851-2D3E-4500-B12E-A253421C9958}c:\\program files\\global star software\\airport tycoon 3\\at3.exe"= Disabled:TCP:c:\program files\global star software\airport tycoon 3\at3.exe:at3
"TCP Query User{6BE571F8-0BD4-4D6F-9D7F-BAC26A259916}c:\\program files\\microsoft games\\halo trial\\halo.exe"= UDP:c:\program files\microsoft games\halo trial\halo.exe:Halo
"UDP Query User{A937ED8E-2512-4D60-B245-DF67394158CB}c:\\program files\\microsoft games\\halo trial\\halo.exe"= TCP:c:\program files\microsoft games\halo trial\halo.exe:Halo
"TCP Query User{24B1B65A-F559-4E4D-8C0A-3B5389B0047F}c:\\program files\\microsoft games\\halo custom edition\\haloce.exe"= UDP:c:\program files\microsoft games\halo custom edition\haloce.exe:Halo
"UDP Query User{C069D4EC-58E6-4985-BB38-6E95B639BB07}c:\\program files\\microsoft games\\halo custom edition\\haloce.exe"= TCP:c:\program files\microsoft games\halo custom edition\haloce.exe:Halo
"TCP Query User{984FB5D3-EAC4-425F-9C3E-BC839D0531CF}c:\\users\\tan & hang\\program files\\dna\\btdna.exe"= Disabled:UDP:c:\users\tan & hang\program files\dna\btdna.exe:btdna.exe
"UDP Query User{B95DB76B-CA0E-4184-AF27-5CE52F1F0022}c:\\users\\tan & hang\\program files\\dna\\btdna.exe"= Disabled:TCP:c:\users\tan & hang\program files\dna\btdna.exe:btdna.exe
"TCP Query User{5F25DC46-C36D-449F-9B11-B6D791B0344A}c:\\program files\\vtcgame\\dot kich\\crossfire.dat"= Disabled:UDP:c:\program files\vtcgame\dot kich\crossfire.dat:Client
"UDP Query User{B7E927A1-5491-4C76-BA13-B7FCF6EAAFE8}c:\\program files\\vtcgame\\dot kich\\crossfire.dat"= Disabled:TCP:c:\program files\vtcgame\dot kich\crossfire.dat:Client
"TCP Query User{DB25061D-DFFA-4877-A337-7D218D4850B7}c:\\program files\\maiet\\gunz\\gunzlauncher.exe"= Disabled:UDP:c:\program files\maiet\gunz\gunzlauncher.exe:GunzLauncher
"UDP Query User{9E6C80D9-8962-4CAE-9D8F-5B5CB25F1942}c:\\program files\\maiet\\gunz\\gunzlauncher.exe"= Disabled:TCP:c:\program files\maiet\gunz\gunzlauncher.exe:GunzLauncher
"{EE5C3792-30B2-4F3D-A8CC-67A171D7E925}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{0DA274C4-D37D-4C90-8060-F8EE9D7CB31E}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{8827625B-B77F-4182-B595-652F818C3CA5}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{3514950F-4DE9-4D8F-9F17-E2E57DE8A36F}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{D2A7C4FE-167E-4278-9CAC-3CB5E2F1A98A}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{CCDF8060-DDFF-4F3D-9BEA-255DAA2F2471}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"TCP Query User{DD96B23E-D794-45AE-9775-2489B34B0AFD}c:\\program files\\age of empires ii\\age2_x1\\age2_x1.exe"= Disabled:UDP:c:\program files\age of empires ii\age2_x1\age2_x1.exe:Age of Empires II Expansion
"UDP Query User{E36EEBC9-DCFC-4CC7-BEFE-C0D95D44B3D4}c:\\program files\\age of empires ii\\age2_x1\\age2_x1.exe"= Disabled:TCP:c:\program files\age of empires ii\age2_x1\age2_x1.exe:Age of Empires II Expansion
"{D81B779F-24C6-4923-A431-1833AAF52D97}"= Disabled:UDP:c:\ntreev\Grand Chase\main.exe:GrandChase
"{724CE822-6B08-4635-9DAE-509D2DA92A0E}"= Disabled:TCP:c:\ntreev\Grand Chase\main.exe:GrandChase
"TCP Query User{7700BB42-F0F1-4651-A1F1-20F91DA6E3C8}c:\\program files\\hasbro interactive\\rollercoaster tycoon demo\\rct.exe"= Disabled:UDP:c:\program files\hasbro interactive\rollercoaster tycoon demo\rct.exe:rct
"UDP Query User{46CCA243-C7A2-4466-B453-239AF7E5F15A}c:\\program files\\hasbro interactive\\rollercoaster tycoon demo\\rct.exe"= Disabled:TCP:c:\program files\hasbro interactive\rollercoaster tycoon demo\rct.exe:rct
"TCP Query User{6604EC4A-44FA-46B7-A36B-9F337721FC68}c:\\program files\\atari-infogrames\\roller coaster tycoon 2\\rct2.exe"= Disabled:UDP:c:\program files\atari-infogrames\roller coaster tycoon 2\rct2.exe:rct2
"UDP Query User{419AE36B-D53C-4EB0-AC5D-75327196C060}c:\\program files\\atari-infogrames\\roller coaster tycoon 2\\rct2.exe"= Disabled:TCP:c:\program files\atari-infogrames\roller coaster tycoon 2\rct2.exe:rct2
"TCP Query User{7F73B35B-8443-41B7-B6C6-A60BAAA4EC71}c:\\program files\\infogrames\\rollercoaster tycoon 2 wacky worlds\\rct2.exe"= Disabled:UDP:c:\program files\infogrames\rollercoaster tycoon 2 wacky worlds\rct2.exe:rct2
"UDP Query User{752B1F76-E034-4C44-B4DC-C44884655F3F}c:\\program files\\infogrames\\rollercoaster tycoon 2 wacky worlds\\rct2.exe"= Disabled:TCP:c:\program files\infogrames\rollercoaster tycoon 2 wacky worlds\rct2.exe:rct2
"TCP Query User{B2DBE6CE-F50A-4E09-A0E3-F84EDC741240}c:\\program files\\xfire\\xfire.exe"= Disabled:UDP:c:\program files\xfire\xfire.exe:Xfire
"UDP Query User{DE586CEC-04F0-45A8-BFC0-738B26B524F4}c:\\program files\\xfire\\xfire.exe"= Disabled:TCP:c:\program files\xfire\xfire.exe:Xfire
"TCP Query User{08701F1A-84D7-4ABB-9279-DBB958D2C3D2}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{C022B034-F9F5-4667-B22A-9FF62475EBF6}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{BBA7A1E0-D2E2-422A-A8EA-EAB65963BB94}"= Disabled:UDP:c:\program files\Microsoft Games\Zoo Tycoon 2\zt.exe:Zoo Tycoon 2 Executable
"{515DB8FE-4E5B-464A-8AE8-43443D42A023}"= Disabled:TCP:c:\program files\Microsoft Games\Zoo Tycoon 2\zt.exe:Zoo Tycoon 2 Executable

"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\Schedule Task Weekly.job
- c:\program files\Registry Easy\RE.exe []

2009-02-15 c:\windows\Tasks\User_Feed_Synchronization-{6A06E2A4-673D-47EA-B3AB-BBCA0C13D7CA}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 01:33]
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-RunOnce-Shockwave Updater - c:\windows\System32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET

------- Supplementary Scan -------
uStart Page = hxxp://vuilen.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Tan & Hang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {83AB1213-D906-2F44-33F5-67FC387BB960} - hxxp://personalantispy.com/.ware/cab/personalantispy.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 20:26:02
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Completion time: 2009-02-14 20:28:23
ComboFix-quarantined-files.txt 2009-02-15 02:28:21

Pre-Run: 223,554,908,160 bytes free
Post-Run: 223,664,291,840 bytes free

257 --- E O F --- 2009-02-15 02:11:21

#11 worth20mil

  • Topic Starter

  • Members
  • 7 posts
  • Local time:12:31 PM

Posted 14 February 2009 - 09:59 PM

IT WORKED!!! MY WINDOWS DEFENDER UPDATED!!! I HAVE NO MORE MALARE!! THANK YOU SO MUCH HOOV. YOU SHOULD BE PAID 500$ A DAY!!! 1 more question though, do you know any good anti virus free, or just free version?

#12 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:01:31 PM

Posted 15 February 2009 - 03:41 PM

Of all the free antivirus's that I know of AVG in my opinion is by far the best. Make sure you get the free basic protection version and not the trial version.

Now there are something's you need to do to fully clean your system and keep it secure.

[*]Please download OTCleanIt from one of the following mirrors and save it to your desktop:[*]Double click the Posted Image icon.
[*] Click the large "Cleanup" button.
[*] A list of tool components used in the Cleanup of malware will be downloaded.
[*] Click Yes to begin the Cleanup process and remove these components, including this application.
[*] You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
[*] Make sure you have an Internet Connection.
[*] If you have a firewall that throws out a message that OTMI3 is attempting to contact the Internet that it should be allowed.
[*]You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
Cleaning out Temporary Files etc. There are several different products that you can use for this. You can go thru the Internet Options in the windows Control Panel. There are several programs that also do the job better than windows does it, in my opinion. There is System Security Suite, EasyCleaner, Ccleaner. Also sometimes other program sometimes do it as well as what you originally got it for like ZoneAlarm Security Suite. Just make sure to keep them updated and use them regularly.

Disable and Enable System Restore.
If you are using Windows Vista or XP, then I recommend you turn off System restore, and then turn it back on so that you will not be able to restore your problems to a clean computer.

Here are some good tutorials for that.
Windows Vista Restore Guide
Windows XP System Restore Guide
Re-enable system restore with instructions from tutorial above

Create a System Restore Point
Go to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.

Make your Internet Explorer more secure - This can be done by following these simple instructions: (unless you are using ZoneAlarm Security Suite or something similar, then you would secure the browser thru the firewall).

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Also see the following: Securing Your Web Browser
Working with Internet Explorer 6 Security

Use a different browser other than IE (most exploits are pointed towards IE). One of them is
It is also worth trying Thunderbird for controlling spam in your e-mail.

Always use an UPDATED anti-virus program Make sure you update this at least weekly, if not more often. This is one thing that may Ave you more than anything else.

Run malware scanners. Three free ones are Spybot Search and Destroy, and AdAware and Malwarebytes' Anti-Malware

Always use a firewall.
Any firewall is better than none, and you should pick a firewall that you will use, as even the best firewall is worthless if you turn it off.

Learn how to use your firewall Only programs that need it should have access to the net. But these are specific to the firewall you use, so you will need to learn how. Several firewalls have support forums here. My page will help you with ZoneAlarm if that is what you choose.

Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems. Some people swear that more protection is provided, but the reverse is true. They tend to argue amongst themselves and end up leaving holes. Now I have more than 1 AV installed on my computer, and I keep them up to date. I only run one at a time, but each program has weakness's, so I keep a backup in case my computer starts acting up.

MOST IMPORTANT : Windows and IE, and whatever other software that you have that connects to the net, needs to be kept updated. The reason is, these programs connect to the net, and if there is an internal security problem, you have already told your firewall to allow the communication, and thus you will have allowed a hole. UPDATES are important. I suggest that you make sure that Windows Updates and the updates for your antivirus and antimalware programs are set for automatic updates.

Don't ever use P2P or filesharing software Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.

Before using any malware detection / removal software Check with Rogue/Suspect Spyware List and Rogue Applications List That way you will know if the program you are looking at is on the up and up. If you want to know how it stacks up against other programs check out SpywareWarrior

We have a good guide at Spyware Hammer on how to prevent Malware in the Future. You might want to peruse this and follow the recommendations in there.

Let us know if you have any more problems, either new or old.
Have a good time surfing the net, but stay safe.
If you have no more problems, let me know and I will mark this as resolved. Or if you have more questions, ask away, that is why I am here.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users