Infected with Virtulmonde or 2009 virus?


  • This topic is locked
12 replies to this topic

#1 Kenna

  • Members
  • 13 posts
  • OFFLINE
  • Location:Illinois
  • Local time:01:55 AM

Posted 25 January 2009 - 11:18 AM

Hi. I'm not sure if I deleted a required file or whether I've caught a virus. I used Advanced System Care yesterday to clean my computer files & registry. I also used the Hijack This & went to the web site and tried to delete the files that were identified by an "X". It would not delete them. I don't know if I've caught a virus or screwed up my system myself. All my identities on my Office Outlook email are gone, along with many other issues with Office 2007. Every time I go to open a folder on my desktop, or anywhere else for that matter, or a program, I get a pop up that is asking for the "SmartWebPrinting.msi" file. It tries to install it and can't find it so I have to hit "cancel" two or three times to open anything. I've searched for it on the internet or any issues with it and all I come up with are ones with issues from other countries.

Can you please help me out? :)
Thank you in advance for any help you can be!

Here is my DDS.txt log.


DDS (Ver_09-01-19.01) - NTFSx86
Run by Mom & Dad at 9:59:54.06 on Sun 01/25/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05

============== Pseudo HJT Report ===============

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
mSearchAssistant =
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: NoExplorer - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://static.slide.com/uploader/SlideImageUploader.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mind-medley/gamehouseplayer.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--bf089f4a-4469-4bda-86ca-8089b1ac5d44/online/luxor/en/mjolauncher.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab?AuthParam=1210205272_5b9ebca56a19c0617a6558643a29d6c3&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://www.gamehouse.com/games/JBGamePlayer.cab
DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} - hxxp://www.charter.net/files/charter/securitysuite/fscax.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game14.zylom.com/activex/zylomgamesplayer.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://cid-ceea5055811c1607.skydrive.live.com/Microsoft.Live.Folders.RichUpload.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://www.gamehouse.com/realarcade-webgames/sandscript/SandScript.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--13fb84fc-72a7-4624-ba77-0425044eb738/online/zuma_new/en/popcaploader_v10.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxps://wwwd.my.af.mil/ASPs/DocMan/XUpload.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: acAuth - acauth.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mom&da~1\applic~1\mozilla\firefox\profiles\fbxxct8g.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon2\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon2\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon2\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon2\components\hpSmartWebPrinting.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: g:\programs\ksolo\npAVX.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-25 08:50 <DIR> --d----- c:\docume~1\mom&da~1\applic~1\SUPERAntiSpyware.com
2009-01-25 08:50 <DIR> --d----- c:\windows\SUPERAntiSpyware.com
2009-01-25 08:50 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-25 08:39 <DIR> --d----- c:\docume~1\mom&da~1\applic~1\ErrorFix
2009-01-25 08:38 <DIR> --d----- c:\program files\ErrorFix
2009-01-25 08:37 <DIR> --d----- c:\program files\Downloaded Installers
2009-01-25 05:02 552 a------- c:\windows\system32\DO_NOT_DELETE.backupSetID
2009-01-24 22:43 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-24 22:43 <DIR> --d----- c:\program files\Panda Security
2009-01-24 00:45 <DIR> --d----- c:\docume~1\mom&da~1\applic~1\Fabulous Finds
2009-01-18 19:59 <DIR> --d----- c:\program files\common files\Windows Live
2009-01-16 12:04 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-16 12:04 1,409 a------- c:\windows\QTFont.for
2008-12-26 16:40 <DIR> --d----- c:\program files\ProductTools_ND

==================== Find3M ====================

2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-05-01 19:39 0 a------- c:\program files\temp01
2007-02-03 13:35 65,360 ac------ c:\docume~1\mom&da~1\applic~1\GDIPFONTCACHEV1.DAT
2006-12-21 19:42 774,144 a------- c:\program files\RngInterstitial.dll
2006-12-18 18:21 251 ac------ c:\program files\wt3d.ini
2008-05-28 17:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052820080529\index.dat

============= FINISH: 10:00:27.98 ===============
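As an added example (not part of Kenna's post and not code from the DDS tool), here is a small Python parser for the "Pseudo HJT Report" section of a DDS log like the one above. It pulls each BHO/TB/DPF/mRun/Handler line apart into kind, name, CLSID and target, and returns the two things worth checking first when reading such a log: entries registered with no backing file ("No File") and ActiveX controls loaded from remote CAB URLs (kept defanged as hxxp). The sample lines are copied from the log above; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A registry CLSID such as {02478d38-c3f9-4efb-9b51-7695eca05670}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Entry kinds DDS prints in its Pseudo HJT section (subset seen in the log above)
KIND_RE = re.compile(r"^(BHO|TB|DPF|mRun|uRun|IE|SSODL|SEH|Notify|Handler):\s*(.*)$")


@dataclass
class HjtEntry:
    kind: str               # BHO, TB, DPF, mRun, ...
    name: Optional[str]     # display name or Run value name, if present
    clsid: Optional[str]
    target: Optional[str]   # file path, command line, or defanged hxxp:// URL
    orphan: bool            # registered, but DDS reports "No File" behind it


def _split_name_target(body: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Split 'Name: {clsid} - target', 'Name - target' or '{clsid} - target'."""
    m = CLSID_RE.search(body)
    if m:
        clsid = m.group(0)
        name = body[:m.start()].rstrip(" :-").strip() or None
        rest = body[m.end():]
    else:
        clsid, name, rest = None, None, body
        if " - " in body:
            name, tail = body.split(" - ", 1)
            rest = " - " + tail
    target = rest[3:].strip() if rest.startswith(" - ") else None
    return name, clsid, target


def parse_pseudo_hjt(text: str) -> List[HjtEntry]:
    """Parse every recognised entry line; other DDS lines are ignored."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = KIND_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group(1), m.group(2)
        if kind in ("mRun", "uRun"):
            # mRun: [ValueName] "c:\path\prog.exe" -args
            rm = re.match(r"^\[(.*?)\]\s*(.*)$", body)
            name = rm.group(1) if rm else None
            target = rm.group(2).strip() if rm else body.strip()
            clsid = None
        else:
            name, clsid, target = _split_name_target(body)
        orphan = target is not None and target.lower() == "no file"
        entries.append(HjtEntry(kind, name, clsid, target, orphan))
    return entries


def orphaned(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose registration points at a file DDS could not find."""
    return [e for e in entries if e.orphan]


def remote_activex(entries: List[HjtEntry]) -> List[HjtEntry]:
    """DPF entries whose control was fetched from the web (defanged hxxp/hxxps)."""
    return [e for e in entries if e.kind == "DPF" and e.target
            and e.target.lower().startswith("hxxp")]


# Constructed sample: lines copied from the DDS log in the post above
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: NoExplorer - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://www.gamehouse.com/games/JBGamePlayer.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
"""

if __name__ == "__main__":
    parsed = parse_pseudo_hjt(SAMPLE_LOG)
    for e in orphaned(parsed):
        print("orphan:", e.kind, e.name)
    for e in remote_activex(parsed):
        print("remote ActiveX:", e.clsid, e.target)
```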



#2 KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:55 AM

Posted 07 February 2009 - 06:33 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Kenna
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Location:Illinois
  • Local time:01:55 AM

Posted 08 February 2009 - 08:06 PM

Hi. Thank you for getting back with me. I'm not sure if I just deleted a wrong file or if I have a virus. I did notice that one of my user profiles in windows is gone. I created a new one and the new one seems to be working fine but I'm stumped as to how I lost the old one! Anyway, here's my text file as requested above: Thank you in advance for your assistance.

Attached Files

  • Attached File  DDS.txt   15.5KB   1 downloads

Edited by Kenna, 08 February 2009 - 08:08 PM.


#4 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:55 AM

Posted 08 February 2009 - 10:46 PM

Hello, Kenna
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 12.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click the ComboFix icon on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here.
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 Kenna
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Location:Illinois
  • Local time:01:55 AM

Posted 09 February 2009 - 08:54 PM

Hi! Thanks for the quick reply! I did what you asked and here's my log:

It also gave me the attached "catchme" log. I have SpyBot and it looked like it was trying to change some registry entries after the log.txt file was produced.

Attached Files



#6 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:55 AM

Posted 10 February 2009 - 06:24 PM

Hello, Kenna
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    folder::
    c:\program files\ErrorFix
    file::
    c:\windows\Tasks\ErrorFix Scan.job
    c:\windows\Tasks\Uniblue SpeedUpMyPC.job
    DDS::
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://www.gamehouse.com/games/JBGamePlayer.cab
    DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game14.zylom.com/activex/zylomgamesplayer.cab
    DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://www.gamehouse.com/realarcade-webgames/sandscript/SandScript.cab
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 Kenna
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Location:Illinois
  • Local time:01:55 AM

Posted 10 February 2009 - 10:30 PM

Hi Billy! Sorry it took so long to get back to you but I work during the day and had to wait until this evening. Per your instructions, I did what you said and here's my log:

ComboFix 09-02-08.02 - Kenna 2009-02-10 21:22:03.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.442 [GMT -6:00]
Running from: c:\documents and settings\Kenna\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kenna\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning disabled* (Updated)
FW: Windows Live OneCare Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\Tasks\ErrorFix Scan.job
c:\windows\Tasks\Uniblue SpeedUpMyPC.job
.

((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-09 19:39 . 2009-02-09 19:39 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-09 19:39 . 2009-02-09 19:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-08 18:40 . 2009-02-08 18:40 552 --a------ c:\windows\system32\DO_NOT_DELETE.backupSetID
2009-02-06 19:54 . 2009-02-06 19:54 <DIR> d-------- c:\documents and settings\Kenna\Application Data\PureEdge
2009-02-05 20:34 . 2009-02-05 20:34 <DIR> d-------- c:\documents and settings\Kenna\Application Data\TheScruffs
2009-02-04 20:28 . 2009-02-04 20:28 <DIR> d-------- c:\documents and settings\Kenna\Saved Games
2009-02-04 20:27 . 2009-02-04 20:27 <DIR> d-------- c:\documents and settings\Kenna\Application Data\iWin
2009-02-04 18:46 . 2009-02-04 21:01 <DIR> d-------- c:\program files\Jewel Quest 2
2009-02-04 18:45 . 2009-02-06 21:02 <DIR> d-------- c:\program files\The Scruffs
2009-02-04 18:43 . 2009-02-04 18:43 <DIR> d-------- c:\program files\Amazon
2009-02-04 18:43 . 2009-02-04 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Amazon
2009-02-02 19:07 . 2009-02-02 19:09 <DIR> d-------- c:\documents and settings\Kenna\.housecall6.6
2009-02-02 06:59 . 2009-02-02 06:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-02 06:17 . 2009-02-02 06:17 <DIR> d-------- c:\program files\Live_TV
2009-02-02 06:15 . 2009-02-02 06:15 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-02 06:15 . 2009-02-02 06:15 <DIR> d-------- c:\program files\Adobe Media Player
2009-02-01 22:15 . 2009-02-01 22:15 <DIR> d-------- c:\documents and settings\Adom.PC250183054974\Application Data\HPAppData
2009-02-01 21:53 . 2009-02-01 21:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Software
2009-02-01 20:43 . 2009-02-01 20:43 <DIR> d-------- c:\documents and settings\Kenna\.thumbnails
2009-02-01 20:43 . 2009-02-01 20:43 <DIR> d-------- c:\documents and settings\Kenna\.gimp-2.4
2009-02-01 20:13 . 2009-02-01 20:13 <DIR> d-------- c:\documents and settings\Kenna\Application Data\Template
2009-02-01 20:13 . 2009-02-01 20:13 0 --a------ c:\documents and settings\Kenna\Application Data\wklnhst.dat
2009-02-01 19:57 . 2009-02-01 19:57 <DIR> d-------- c:\documents and settings\Kenna\Application Data\Yahoo!
2009-02-01 19:57 . 2009-02-10 21:20 <DIR> d-------- c:\documents and settings\Kenna\Application Data\StumbleUpon
2009-02-01 19:57 . 2009-02-10 21:21 <DIR> d-------- c:\documents and settings\Kenna\Application Data\HPAppData
2009-02-01 19:51 . 2009-02-01 19:51 <DIR> d-------- c:\documents and settings\Kenna\Application Data\HP
2009-02-01 19:50 . 2006-09-20 00:31 <DIR> d-------- c:\documents and settings\Kenna\Application Data\Intuit
2009-02-01 19:50 . 2009-02-04 20:28 <DIR> d-------- c:\documents and settings\Kenna
2009-02-01 16:36 . 2009-02-01 16:36 <DIR> d-------- c:\program files\RegCleaner
2009-02-01 14:39 . 2009-02-01 14:39 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SUPERAntiSpyware.com
2009-02-01 14:39 . 2009-02-01 14:39 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-25 08:50 . 2009-01-25 08:50 <DIR> d-------- c:\windows\SUPERAntiSpyware.com
2009-01-25 08:50 . 2009-02-01 14:39 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-24 22:43 . 2009-01-24 22:43 <DIR> d-------- c:\program files\Panda Security
2009-01-24 22:43 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-18 19:59 . 2009-01-18 19:59 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-01-16 12:04 . 2009-01-16 12:04 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-16 12:04 . 2009-01-16 12:04 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 00:52 --------- d-----w c:\program files\Microsoft Windows OneCare Live
2009-02-10 01:39 --------- d-----w c:\program files\Java
2009-02-03 01:07 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-02-02 14:22 --------- d-----w c:\program files\Lavasoft
2009-02-02 14:22 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-02 14:21 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-02 12:36 --------- d-----w c:\program files\Yahoo!
2009-02-02 04:15 --------- d-----w c:\documents and settings\Adom.PC250183054974\Application Data\StumbleUpon
2009-02-01 23:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-25 01:14 --------- d-----w c:\documents and settings\Adom.PC250183054974\Application Data\AVG7
2009-01-24 21:07 --------- d-----w c:\program files\GameHouse
2009-01-24 21:07 --------- d-----w c:\program files\Common Files\Remote Control Software Common
2009-01-24 21:07 --------- d-----w c:\program files\BFG
2009-01-24 21:07 --------- d-----w c:\documents and settings\All Users\Application Data\PCPitstop
2009-01-24 06:43 --------- d-----w c:\program files\HP Games
2009-01-21 03:22 --------- d-----w c:\program files\Real
2009-01-21 03:20 --------- d-----w c:\program files\Live Search Club Toolbar
2009-01-21 03:17 --------- d-----w c:\program files\Citrix
2009-01-15 03:52 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-09 03:47 --------- d-----w c:\program files\StumbleUpon
2008-12-26 22:40 --------- d-----w c:\program files\ProductTools_ND
2008-12-24 19:20 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-12-24 18:31 --------- d-----w c:\program files\TomTom HOME
2008-12-20 20:37 --------- d-----w c:\documents and settings\All Users\Application Data\JollyBear
2008-12-20 04:28 --------- d-----w c:\documents and settings\All Users\Application Data\MumboJumbo
2008-12-20 04:04 --------- d-----w c:\documents and settings\All Users\Application Data\BlockBreaker
2008-12-19 23:03 --------- d-----w c:\documents and settings\All Users\Application Data\Beanbag Studios
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-05-02 01:39 0 ----a-w c:\program files\temp01
2006-12-22 01:42 774,144 ----a-w c:\program files\RngInterstitial.dll
2006-12-19 00:21 251 -c--a-w c:\program files\wt3d.ini
2008-05-28 23:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052820080529\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-09_19.46.06.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-11 03:04:41 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7d8.dat
+ 2009-02-11 03:04:46 16,384 ----atw c:\windows\temp\Perflib_Perfdata_810.dat
+ 2009-02-11 03:06:30 16,384 ----atw c:\windows\temp\Perflib_Perfdata_a00.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 202032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-27 7585792]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-11-05 64880]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-09 148888]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 c:\windows\system32\CHDAudPropShortcut.exe]

c:\documents and settings\Kenna\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acAuth]
2002-12-17 15:11 65536 c:\windows\system32\acauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\masqform.exe]
--a------ 2005-07-04 09:50 643072 c:\program files\PureEdge\Viewer 6.5\masqform.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"LightScribeService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-24 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R2 ACachSrv;ActivCard Authentication Service;c:\program files\Common Files\ActivCard\acachsrv.exe [2002-12-17 135168]
R2 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [2002-11-29 53248]
R2 Accoca;ActivCard Gold service;c:\program files\Common Files\ActivCard\accoca.exe [2002-08-12 159744]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-02-04 317440]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2008-11-05 25968]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-06-06 61952]
S3 fsbl;F-Secure BlackLight Engine Driver; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 SCMUSB;SCR301 USB Smart Card Reader;c:\windows\system32\drivers\stcusb.sys [2006-12-18 18912]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-01-21 44928]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [2008-12-18 120168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-02-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-02-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3149338128-2202370049-1099762626-1005.job
- c:\documents and settings\Mom & Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-04 09:23]

2009-01-19 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\temp\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2009-02-11 c:\windows\Tasks\User_Feed_Synchronization-{7B1514DA-8726-4936-8441-06CFCA8AE9FD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mind-medley/gamehouseplayer.cab
DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://www.gamehouse.com/games/JBGamePlayer.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game14.zylom.com/activex/zylomgamesplayer.cab
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://cid-ceea5055811c1607.skydrive.live.com/Microsoft.Live.Folders.RichUpload.cab
DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://www.gamehouse.com/realarcade-webgames/sandscript/SandScript.cab
FF - ProfilePath - c:\documents and settings\Kenna\Application Data\Mozilla\Firefox\Profiles\alzup0fc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 21:23:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-02-10 21:24:49
ComboFix-quarantined-files.txt 2009-02-11 03:24:46
ComboFix2.txt 2009-02-11 03:15:26
ComboFix3.txt 2009-02-10 01:47:14
ComboFix4.txt 2008-01-28 23:35:06

Pre-Run: 58,442,293,248 bytes free
Post-Run: 58,425,872,384 bytes free
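The "Reg Loading Points" and "Scheduled Tasks" sections above are the part of a ComboFix log a helper reads first, looking for autostart entries whose target file no longer exists (ComboFix prints an empty `[]` after the path, as it does for `SpeedUpMyPC.exe` above) or that launch from a temp directory. The following is an added example, not ComboFix's own code or anything the thread's helpers posted: a small parser that pulls Run-key values and scheduled-task targets out of that log format and flags those two conditions. The sample log text is constructed in the same format (the `Updater` entry is invented for illustration); the triage rules and the `Autostart` structure are my own assumptions about what is worth a second look, not a verdict on any entry.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the format ComboFix uses for Run-key entries and
# scheduled tasks. The "Updater" value is invented; the rest mirrors the
# layout of the log quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 202032]
"Updater"="c:\documents and settings\user\local settings\temp\updater.exe" [2009-02-01 44544]

Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\temp\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2009-02-11 c:\windows\Tasks\User_Feed_Synchronization-{7B1514DA-8726-4936-8441-06CFCA8AE9FD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
"""


@dataclass
class Autostart:
    source: str            # "run-key" or "task"
    name: str              # registry value name or .job file name
    path: str              # program the entry launches
    present: bool          # False when ComboFix printed "[]" (no file on disk)
    reasons: List[str] = field(default_factory=list)


# "Name"="path" [date size]   -- one Run-key value per line
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]')
# - path [date time]          -- the target line under a .job header
TASK_RE = re.compile(r'^- (?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$')
# 2009-01-19 c:\windows\Tasks\Something.job
JOB_RE = re.compile(r'^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)\s*$')
# Assumed heuristic: anything launched out of a \temp\ folder deserves a look.
TEMP_RE = re.compile(r'\\temp\\', re.IGNORECASE)


def parse_autostarts(text: str) -> List[Autostart]:
    """Extract Run-key values and scheduled-task targets from ComboFix log text."""
    entries: List[Autostart] = []
    current_job = None
    for raw in text.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            # Remember the .job name; its target follows on the next "- " line.
            current_job = m.group("job").rsplit("\\", 1)[-1]
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Autostart("run-key", m.group("name"), m.group("path"),
                                     bool(m.group("meta").strip())))
            continue
        m = TASK_RE.match(line)
        if m and current_job:
            entries.append(Autostart("task", current_job, m.group("path"),
                                     bool(m.group("meta").strip())))
            current_job = None
    return entries


def flag_suspicious(entries: List[Autostart]) -> List[Autostart]:
    """Return the entries that match one of the (assumed) triage rules, with reasons filled in."""
    flagged = []
    for e in entries:
        if not e.present:
            e.reasons.append("target file missing on disk (ComboFix printed '[]')")
        if TEMP_RE.search(e.path):
            e.reasons.append("launches from a temp directory")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in flag_suspicious(parse_autostarts(SAMPLE_LOG)):
        print(f"{e.source:8} {e.name}: {e.path}")
        for r in e.reasons:
            print(f"         - {r}")
```

Run against a real log, the output is a short list of entries to verify by hand (the orphaned `SpeedUpMyPC` task here is a leftover from an uninstall, not malware); the point is to separate the handful of entries that need a human decision from the dozens of vendor entries that do not.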


#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:55 AM

Posted 10 February 2009 - 11:21 PM

Hello, Kenna
No problem :thumbup2: That's not long at all. Some posters take weeks ;)

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 Kenna

Kenna
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Location:Illinois
  • Local time:01:55 AM

Posted 12 February 2009 - 06:23 AM

Billy,
Hi! Here's the file you requested after the scan:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2624 (20071029)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=a58155a28318d1488858acaf0e5975ec
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-12 05:39:57
# local_time=2009-02-11 11:39:57 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=510734
# found=1
# scan_time=6994
C:\Program Files\Spybot - Search & Destroy\SDFiles.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:55 AM

Posted 12 February 2009 - 08:17 PM

Hello, Kenna
Congratulations! You now appear clean! :thumbup2:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the Posted Image icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII

#11 Kenna

Kenna
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Location:Illinois
  • Local time:01:55 AM

Posted 14 February 2009 - 09:21 AM

Billy,
First off, thank you VERY much for all your assistance. I do have a few more questions though. I uninstalled Combofix and installed Spyware Blaster and the MVP Hosts File using the HostMan host file manager. I already have the SuperAntiSpyware program so I don't need that one. I am ignorant when it comes to how the Hosts file works. Is there anything else I need to do with it or does it run updates automatically? That's the first time that I've dealt with using one of these programs.

We deactivated my SpyBot Search & Destroy earlier. Do I need to reactivate it? I also run Microsoft Windows Live OneCare on my system. Are all these programs going to "communicate" ok or will they "argue" per se?

The main reason that I thought I had something on my computer was because my main profile that I used to use lost all of my settings. I can't get to my email, all my docs were gone, when I went to the start menu and clicked on it, there were no settings at all on the bottom left, and every time I tried to save something on my desktop, it would save but when I would relog back on, it was gone! Even things I would put in the recycle bin would be gone when I relogged back on.

I set up another profile and have been using that one and it seems fine. I had restored lost files using windows live onecare but there are 2 excel files that I had password protected that I am unable to open as they were encrypted. I think I can remember the password but when I restored them using windows one care, it will not let me reopen them. It gives me this message that they're encrypted. I've tried changing the properties on them but it won't let me do anything with them. Do you have any suggestions for that or is there another place on this site I could check with someone? I can deal with losing my profile but these 2 documents I'd like to get back if at all possible.

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:55 AM

Posted 14 February 2009 - 05:39 PM

Hello, Kenna

Is there anything else I need to do with it or does it run updates automatically?

It doesn't update automatically... I would just update it once a month or so.

More info on the hosts file:
http://www.mvps.org/winhelp2002/hosts.htm

We deactivated my SpyBot Search & Destroy earlier. Do I need to reactivate it? I also run Microsoft Windows Live OneCare on my system. Are all these programs going to "communicate" ok or will they "argue" per se?

Sure :thumbup2: These programs won't conflict with one another. I'd recommend against TeaTimer as a matter of course because I've yet to find someone who doesn't allow everything... which IMHO kind of defeats the point of TeaTimer.

Here are instructions to turn it back on:
We need to enable Spybot S&D's "TeaTimer"
Now that we're done with the fix, we should re-enable TeaTimer.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click on Posted Image
  • Click on Posted Image
  • Check this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

I set up another profile and have been using that one and it seems fine. I had restored lost files using windows live onecare but there are 2 excel files that I had password protected that I am unable to open as they were encrypted. I think I can remember the password but when I restored them using windows one care, it will not let me reopen them. It gives me this message that they're encrypted. I've tried changing the properties on them but it won't let me do anything with them. Do you have any suggestions for that or is there another place on this site I could check with someone? I can deal with losing my profile but these 2 documents I'd like to get back if at all possible.

I've honestly no idea. If anyone would know, those in the Business Applications forum may be able to read them. Not sure:
http://www.bleepingcomputer.com/forums/f/16/business-applications/

BillyIII

#13 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:55 AM

Posted 16 February 2009 - 05:34 PM

Hello, Kenna
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII