Hijacked Google searches


  • This topic is locked
40 replies to this topic

#1 maybeitssteve

Posted 01 July 2009 - 10:50 AM

Hi, I think I have some sort of malware that is hijacking my google searches in Internet Explorer 6 and Chrome. I have a relatively new netbook computer running Windows XP. I unfortunately didn't renew the security software right away when the one-month trial period expired. Then I upgraded to Internet Explorer 7 and almost immediately the problem started. When I do a google search and click on one of the links, my browser takes me to a different site. The sites are often different search engines or things related to my search, but not the actual site I chose. Whatever it is also seems to be blocking my attempts to install security software (so far I've tried installing ESET Nod32, which is what originally came with the computer, and F-secure Internet security; neither would install). I have also since taken Internet Explorer 7 off my computer. I'm just running IE 6 right now. Here is the DDS log. Let me know if you can help me!

Thanks!
Steve


DDS (Ver_09-06-26.01) - NTFSx86
Run by Me at 11:34:57.70 on Wed 07/01/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.193 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\mshta.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Me\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\me\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [F-Secure Manager] "c:\program files\f-secure internet security\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\f-secure internet security\fspc\fspcmsie.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\f-secure internet security\fspc\fspcmsie.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\program files\f-secure internet security\fsps\program\FSLSP.DLL
DPF: {0cca191d-13a6-4e29-b746-314dee697d83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232037537234
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232037519890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-6-30 79904]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2008-6-27 11264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-6-27 36864]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-6-27 625024]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\f-secure internet security\anti-virus\minifilter\fsgk.sys --> c:\program files\f-secure internet security\anti-virus\minifilter\fsgk.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\me\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2009-6-30 70144]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure internet security\orsp client\fsorsp.exe [2009-6-30 55904]
S3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2008-5-21 25088]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\f-secure internet security\anti-virus\win2k\fsfilter.sys --> c:\program files\f-secure internet security\anti-virus\win2k\FSfilter.sys [?]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\f-secure internet security\anti-virus\win2k\fsrec.sys --> c:\program files\f-secure internet security\anti-virus\win2k\FSrec.sys [?]

=============== Created Last 30 ================

2009-06-30 16:31 <DIR> --d----- c:\docume~1\me\applic~1\Windows Search
2009-06-30 11:37 79,904 a------- c:\windows\system32\drivers\fsdfw.sys
2009-06-30 11:35 <DIR> --d----- c:\program files\F-Secure Internet Security
2009-06-30 11:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fssg
2009-06-30 11:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\f-secure
2009-06-17 23:46 <DIR> a-dshr-- C:\cmdcons
2009-06-17 23:44 161,792 a------- c:\windows\SWREG.exe
2009-06-17 23:44 155,136 a------- c:\windows\PEV.exe
2009-06-17 23:44 98,816 a------- c:\windows\sed.exe
2009-06-16 09:47 1 ----h--- c:\windows\bf23567.dat
2009-06-06 12:52 <DIR> --dsh--- c:\documents and settings\me\IECompatCache
2009-06-05 12:43 <DIR> --dsh--- c:\documents and settings\me\PrivacIE
2009-06-05 12:09 <DIR> --dsh--- c:\documents and settings\me\IETldCache
2009-06-05 11:55 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-05 11:55 81,920 a------- c:\windows\system32\dllcache\ieencode.dll
2009-06-02 22:28 32 a--s---- c:\windows\system32\2295168498.dat

==================== Find3M ====================

2009-06-21 13:39 2,988 a------- c:\docume~1\me\applic~1\wklnhst.dat
2009-05-18 00:20 410,984 a------- c:\windows\system32\deploytk.dll
2008-05-07 19:34 15,523,560 a------- c:\program files\U1 Setup.exe

============= FINISH: 11:38:13.71 ===============


#2 SifuMike

Posted 04 July 2009 - 03:57 PM

Hi Steve,

I have also since taken Internet Explorer 7 off my computer. I'm just running IE 6 right now

No. IE6 is full of holes that attract malware. That is probably the reason you are infected now.

Download IE8 http://www.microsoft.com/windows/internet-...er/default.aspx and install it.

**************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 13
    Java™ 6 Update 3
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586.exe to install the newest version.


**************

Whatever it is also seems to be blocking my attempts to install security software (so far I've tried installing ESET Nod32, which is what originally came with the computer, and F-secure Internet security; neither would install

Did you ever get F-secure Internet security to install?

If not, then install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.

**************
Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.


**************

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 04 July 2009 - 04:02 PM.

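Added example, not from this thread and not one of the BleepingComputer tools referenced above: a PowerShell audit of the same places the logs in this thread point at. The DDS log in post #1 lists the BHOs (one CLSID shows "No File"), the Run keys and an LSP; the MBAM log in the next post flags dozens of Image File Execution Options keys (Security.Hijack) and three Security Center DisableNotify values. An IFEO "Debugger" value tells the Windows loader to start the named program instead of the executable it was asked for, which is the usual explanation for "the antivirus installs but never runs". The script assumes an elevated PowerShell 3.0 or later session on the suspect machine; the $legitDebuggers allow-list and the Remove-IfeoDebugger helper are names I chose for this example, not anything the thread or MBAM uses.

```powershell
# Added example (not from the thread): audit the hijack points the DDS and MBAM logs report.
# Assumes an elevated PowerShell 3.0+ session; $legitDebuggers is an assumed allow-list.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$BhoPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$ScPath   = 'HKLM:\SOFTWARE\Microsoft\Security Center'

# Programs that legitimately appear as an IFEO Debugger (assumed list; extend for your estate).
$legitDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'ntsd.exe', 'procexp.exe')

function Get-IfeoDebuggerHijacks {
    # An IFEO "Debugger" value makes the loader run that program instead of the image,
    # passing the image path as an argument. Point it at a bogus file and the AV/tool
    # silently never starts, which is how a security-software install appears to "fail".
    Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # Debugger may be quoted ("C:\x y\z.exe" -arg) or a bare first token.
            $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $leaf = [IO.Path]::GetFileName($exe)
            $exists = Test-Path -LiteralPath $exe
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $dbg
                Exists     = $exists
                Signature  = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
                Suspicious = (-not ($legitDebuggers -contains $leaf)) -or (-not $exists)
            }
        }
    }
}

function Get-SecurityCenterSuppression {
    # The *DisableNotify values MBAM flagged: 1 silences the "no antivirus / firewall /
    # updates" warnings, so the user sees nothing wrong while protection is gone.
    $props = Get-ItemProperty -Path $ScPath -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $v = if ($props) { $props.$name } else { $null }
        [pscustomobject]@{ Setting = $name; Value = $v; Suppressed = ($v -eq 1) }
    }
}

function Get-BrowserHelperObjects {
    # Each BHO subkey is a CLSID; the DLL that IE loads lives in HKCR\CLSID\{clsid}\InprocServer32.
    # A CLSID with no server path (DDS prints "No File") is an orphan and worth removing.
    Get-ChildItem -Path $BhoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                    -ErrorAction SilentlyContinue).'(default)'
        $dll = if ($srv) { [Environment]::ExpandEnvironmentVariables($srv) } else { $null }
        [pscustomobject]@{
            CLSID  = $clsid
            Dll    = $dll
            Exists = if ($dll) { Test-Path -LiteralPath $dll } else { $false }
        }
    }
}

function Remove-IfeoDebugger {
    # Remove the hijack for one image name (IFEO\avp.exe, IFEO\nod32krn.exe, ... in the MBAM log).
    # Only the Debugger value is deleted; other IFEO settings under the key are left alone.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Image)
    $key = Join-Path $IfeoPath $Image
    if ($PSCmdlet.ShouldProcess($key, 'Remove Debugger value')) {
        Remove-ItemProperty -Path $key -Name Debugger -ErrorAction Stop
    }
}

'== IFEO Debugger values (one on a security-tool image name is a hijack) =='
Get-IfeoDebuggerHijacks | Sort-Object Suspicious -Descending | Format-Table -AutoSize
'== Security Center notification suppression (Suppressed=True matches the MBAM finding) =='
Get-SecurityCenterSuppression | Format-Table -AutoSize
'== Browser Helper Objects (empty Dll or Exists=False is an orphan, like the DDS "No File" entry) =='
Get-BrowserHelperObjects | Format-Table -AutoSize

# Preview cleanup of every suspicious IFEO entry; drop -WhatIf once the list has been reviewed.
Get-IfeoDebuggerHijacks | Where-Object { $_.Suspicious } |
    ForEach-Object { Remove-IfeoDebugger -Image $_.Image -WhatIf }
```

Run it read-only first: Remove-IfeoDebugger is invoked with -WhatIf, so the last line only prints what it would delete. The allow-list exists because IFEO is also used legitimately, for example Process Explorer's "Replace Task Manager" option sets a Debugger value on taskmgr.exe; anything else pointing at a security product's executable, or at a file that no longer exists, is what MBAM labels Security.Hijack.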

#3 maybeitssteve

maybeitssteve
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 06 July 2009 - 03:05 PM

Okay, I followed your directions. I updated to IE 8 and updated Java. Then I downloaded Avira. However, it had the same problem as other antivirus programs I have tried to install. It seemed to install somewhat, but then wouldn't run. So I went on and ran the security check and then the malwarebytes. I have posted all the logs below.

After I finished with malwarebytes, Avira suddenly popped up and started working. I did that scan and the log is below. Unfortunately, now the f-secure free trial I downloaded previously has started to pop up. Unfortunately, the uninstall doesn't seem to work. It doesn't show up in "remove programs" in my control panel, and when I try to select uninstall from the program itself, it just runs and runs and doesn't seem to do anything. Any idea how to get it off my computer?

Like I said, here are each of the logs in the order in which I did them. The final log is the D.D.S. log. I wasn't sure if that's what you meant by HijackThis log or not.

Thanks so much!

cheers,
Steve


Security Check Log

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
ESETNOD32registerprogram
F-SecureInternetSecurity
AviraAntiVirPremium
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Java™ 6 Update 14
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

Request Timed Out (Check Internet connection?)

Scan took 17 seconds.
`````````End of Log```````````





MBAM Log

Malwarebytes' Anti-Malware 1.38
Database version: 2380
Windows 5.1.2600 Service Pack 3

7/6/2009 12:36:52 PM
mbam-log-2009-07-06 (12-36-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 134980
Time elapsed: 20 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 90
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdAgent.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASecurityCENTER.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdAgent.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Me\local settings\temporary internet files\Content.IE5\YV2BGF21\load[1].php (Trojan.Agent) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\Me\start menu\Programs\Startup\rncsys32.exe.vir (Trojan.Agent) -> No action taken.
c:\Qoobox\quarantine\C\program files\podmena\podmena.dll.vir (Trojan.Agent) -> No action taken.
c:\Qoobox\quarantine\C\program files\podmena\podmena.sys.vir (Trojan.Agent) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\9129837.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\freddy46.exe.vir (Worm.Koobface) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\ld09.exe.vir (Worm.Koobface) -> No action taken.
c:\system volume information\_restore{47ce108e-5d7d-4625-9d5a-698840496df7}\RP73\A0017284.dll (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{47ce108e-5d7d-4625-9d5a-698840496df7}\RP73\A0017285.sys (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{47ce108e-5d7d-4625-9d5a-698840496df7}\RP73\A0017286.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{47ce108e-5d7d-4625-9d5a-698840496df7}\RP73\A0017288.exe (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{47ce108e-5d7d-4625-9d5a-698840496df7}\RP73\A0017289.exe (Worm.Koobface) -> No action taken.
c:\system volume information\_restore{47ce108e-5d7d-4625-9d5a-698840496df7}\RP73\A0017290.exe (Worm.Koobface) -> No action taken.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> No action taken.




Avira Log



Avira AntiVir Premium
Report file date: Monday, July 06, 2009 12:44

Scanning for 1464795 virus strains and unwanted programs.

Licensee : Stephen Snyder
Serial number : 2202539573-PEPWE-0001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : STEVE

Version information:
BUILD.DAT : 9.0.0.442 21381 Bytes 6/9/2009 16:45:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 14:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 16:43:25
ANTIVIR2.VDF : 7.1.4.173 306688 Bytes 7/2/2009 16:43:28
ANTIVIR3.VDF : 7.1.4.190 280576 Bytes 7/6/2009 16:43:30
Engineversion : 8.2.0.204
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 16:52:04
AESCRIPT.DLL : 8.1.2.13 426362 Bytes 7/6/2009 16:43:45
AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 16:02:01
AERDL.DLL : 8.1.2.2 438642 Bytes 7/6/2009 16:43:43
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 21:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/6/2009 16:43:41
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 7/6/2009 16:43:40
AEHELP.DLL : 8.1.3.6 205174 Bytes 7/6/2009 16:43:33
AEGEN.DLL : 8.1.1.48 348532 Bytes 7/6/2009 16:43:32
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 5/27/2009 21:07:20
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.28 2623745 Bytes 5/19/2009 19:28:53
RCTEXT.DLL : 9.0.37.0 90369 Bytes 4/17/2009 14:47:26

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, July 06, 2009 12:44

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETfrftjgxw\main
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETfrftjgxw\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETfrftjgxw\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETfrftjgxw\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETfrftjgxw\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETfrftjgxw\imagepath
[INFO] The registry entry is invisible.
'7507' objects were checked, '6' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wmiadap.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'uninstaller.exe' - '1' Module(s) have been scanned
Scan process 'fsus.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'fsaua.exe' - '1' Module(s) have been scanned
Scan process 'avwebgrd.exe' - '1' Module(s) have been scanned
Scan process 'avmailc.exe' - '1' Module(s) have been scanned
Scan process 'BTStackServer.exe' - '1' Module(s) have been scanned
Scan process 'postinstall.exe' - '1' Module(s) have been scanned
Scan process 'WindowsSearch.exe' - '1' Module(s) have been scanned
Scan process 'SuperHybridEngine.exe' - '1' Module(s) have been scanned
Scan process 'GoogleCrashHandler.exe' - '1' Module(s) have been scanned
Scan process 'BTTray.exe' - '1' Module(s) have been scanned
Scan process 'fsguidll.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'FSM32.EXE' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'igfxext.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'AsEPCMon.exe' - '1' Module(s) have been scanned
Scan process 'AsAcpiSvr.exe' - '1' Module(s) have been scanned
Scan process 'AsTray.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'FAMEH32.EXE' - '1' Module(s) have been scanned
Scan process 'FCH32.EXE' - '1' Module(s) have been scanned
Scan process 'searchindexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'FSMB32.EXE' - '1' Module(s) have been scanned
Scan process 'iviRegMgr.exe' - '1' Module(s) have been scanned
Scan process 'FSMA32.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'btwdins.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
56 processes with 56 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '75' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Me\Local Settings\temp\nps2F.tmp
[DETECTION] Contains recognition pattern of the HTML/Malicious.PDF.Gen HTML script virus
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG
[WARNING] An exception has been identified!
[WARNING] In the module 'aecore.dll' an exception occured.
Calling the function AVEPROC_TestFile in file: \\?\C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG
Error description:ACCESS_VIOLATION
EAX = 00000000 EBX = 00000000
ECX = 00000000 EDX = 0932D9FF
ESI = 0A57EAD8 EDI = 0a8312e0
EIP = 09AA7F28 EBP = 00000000
ESP = 0A57EA90 Flg = 00010246
CS = 00000023 SS = 0000001B
Begin scan in 'D:\'

Beginning disinfection:
C:\Documents and Settings\Me\Local Settings\temp\nps2F.tmp
[DETECTION] Contains recognition pattern of the HTML/Malicious.PDF.Gen HTML script virus
[NOTE] The file was moved to '4ac52f1a.qua'!


End of the scan: Monday, July 06, 2009 13:04
Used time: 19:18 Minute(s)

The scan has been done completely.

3474 Scanned directories
211963 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
211961 Files not concerned
1295 Archives were scanned
2 Warnings
2 Notes
7507 Objects were scanned with rootkit scan
6 Hidden objects were found




DDS Log


DDS (Ver_09-06-26.01) - NTFSx86
Run by Me at 15:52:10.68 on Mon 07/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.442 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Me\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\me\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [F-Secure Manager] "c:\program files\f-secure internet security\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {0cca191d-13a6-4e29-b746-314dee697d83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232037537234
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232037519890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-6 11608]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2009-7-6 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-6 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-6 185089]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2009-7-6 434945]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-6 55640]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2008-6-27 11264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-6-27 36864]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-6-27 625024]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\f-secure internet security\anti-virus\minifilter\fsgk.sys --> c:\program files\f-secure internet security\anti-virus\minifilter\fsgk.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\me\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2009-6-30 70144]
S3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2008-5-21 25088]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\f-secure internet security\anti-virus\win2k\fsfilter.sys --> c:\program files\f-secure internet security\anti-virus\win2k\FSfilter.sys [?]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\f-secure internet security\anti-virus\win2k\fsrec.sys --> c:\program files\f-secure internet security\anti-virus\win2k\FSrec.sys [?]

=============== Created Last 30 ================

2009-07-06 14:36 <DIR> --d----- c:\docume~1\me\applic~1\F-Secure
2009-07-06 11:43 <DIR> --d----- c:\docume~1\me\applic~1\Malwarebytes
2009-07-06 11:43 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 11:43 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-06 11:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-06 11:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 11:29 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-06 11:29 <DIR> --d----- c:\program files\Avira
2009-07-06 11:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-06 11:10 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-06 10:46 <DIR> -cd-h--- c:\windows\ie8
2009-06-30 16:31 <DIR> --d----- c:\docume~1\me\applic~1\Windows Search
2009-06-30 11:35 <DIR> --d----- c:\program files\F-Secure Internet Security
2009-06-30 11:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fssg
2009-06-30 11:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\f-secure
2009-06-17 23:46 <DIR> a-dshr-- C:\cmdcons
2009-06-17 23:44 161,792 a------- c:\windows\SWREG.exe
2009-06-17 23:44 155,136 a------- c:\windows\PEV.exe
2009-06-17 23:44 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-07-06 11:10 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-21 13:39 2,988 a------- c:\docume~1\me\applic~1\wklnhst.dat
2008-05-07 19:34 15,523,560 a------- c:\program files\U1 Setup.exe

============= FINISH: 15:55:06.45 ===============

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:31 AM

Posted 06 July 2009 - 03:29 PM

Hi Steve,


Unfortunately, now the f-secure free trial I downloaded previously has started to pop up. Unfortunately, the uninstall doesn't seem to work. It doesn't show up in "remove programs" in my control panel, and when I try to select uninstall from the program itself, it just runs and runs and doesn't seem to do anything. Any idea how to get it off my computer?


The malware is preventing it from uninstalling. Let's wait until we have your computer clean and then it should uninstall.


Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe (Security.Hijack) -> No action taken.



Your MBAM log shows "No action taken".
This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile".
Please read this thread and rescan again only using the (Quick Scan) in normal mode and check all items found for removal.
Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

Edited by SifuMike, 06 July 2009 - 03:31 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
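
A small triage script for the MBAM log format quoted in this thread, added here as an example (it is not code from the thread, from SifuMike, or from Malwarebytes). It parses each "... Infected:" section, lists the detections that still end in "No action taken" (the sign SifuMike points to that "Remove Selected" was never clicked) and pulls out which executables were flagged under the Image File Execution Options key. The sample log text inside it is constructed to mirror the layout of the logs above; the function and class names are this example's own.

```python
"""Triage an MBAM 1.x text log: which detections were actually remediated?

Added example for this thread, not code from Malwarebytes or from the thread.
It parses the "<Section> Infected:" blocks of the log format quoted above and
reports the entries still ending in "No action taken". SAMPLE_LOG is a
constructed sample in that layout; the function names are this example's own.
"""
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed sample in the MBAM log layout quoted in the thread.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\ld09.exe.vir (Worm.Koobface) -> No action taken.
"""


class Detection(NamedTuple):
    section: str  # e.g. "Registry Keys Infected"
    item: str     # registry key, registry value or file path
    threat: str   # MBAM's detection name, e.g. "Security.Hijack"
    status: str   # trailing action, e.g. "No action taken"


# "Registry Keys Infected:" style section header (the summary block at the top
# of an MBAM log uses "Registry Keys Infected: 0", which this does not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<threat>)"; the greedy item group tolerates parentheses in paths.
ITEM_RE = re.compile(r"^(?P<item>.*) \((?P<threat>[^()]+)\)$")

IFEO_MARKER = "\\image file execution options\\"


def parse_mbam_log(text: str) -> List[Detection]:
    """Return one Detection per flagged line, tagged with its section."""
    found: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        # Skip blanks, "(No malicious items detected)" and anything before
        # the first section header; every detection line carries " -> ".
        if section is None or " -> " not in line:
            continue
        head, *actions = line.split(" -> ")
        # For "Bad: (1) Good: (0) -> No action taken." the action is the
        # last arrow segment; strip the trailing period.
        status = actions[-1].strip().rstrip(".")
        item = ITEM_RE.match(head.strip())
        if not item:
            continue
        found.append(Detection(section, item.group("item"),
                               item.group("threat"), status))
    return found


def unresolved(detections: List[Detection]) -> List[Detection]:
    """Detections that were logged but never removed or quarantined."""
    return [d for d in detections if d.status.lower() == "no action taken"]


def status_counts(detections: List[Detection]) -> Counter:
    """How many entries ended in each action (e.g. quarantined vs. untouched)."""
    return Counter(d.status for d in detections)


def ifeo_targets(detections: List[Detection]) -> List[str]:
    """Executable names flagged under Image File Execution Options.

    In the thread these are security-tool binaries (avp.exe, cfp.exe, ...);
    a hijacked IFEO subkey is one way malware keeps those tools from running.
    """
    names = {d.item.rsplit("\\", 1)[-1]
             for d in detections if IFEO_MARKER in d.item.lower()}
    return sorted(names, key=str.lower)


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print("detections:", len(dets))
    print("by status:", dict(status_counts(dets)))
    for d in unresolved(dets):
        print("STILL PRESENT:", d.section, "|", d.threat, "|", d.item)
    print("IFEO-hijacked tools:", ", ".join(ifeo_targets(dets)))
```

Run it against a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file's contents; an empty list from unresolved() is what you want to see after a rescan with "Remove Selected" and a normal reboot.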

#5 maybeitssteve

maybeitssteve
  • Topic Starter

  • Members
  • 22 posts
  • Local time:08:31 AM

Posted 06 July 2009 - 10:00 PM

Oh, that's weird. I thought I hit "remove selected." Anyway, I ran the quick scan, following the directions on that thread. It showed no malware detected. Here is the log. Should I run the full scan? Let me know what you think.

Also, MBAM is keeping all these infected files in quarantine. Should I have it delete those? Thanks again!


Malwarebytes' Anti-Malware 1.38
Database version: 2384
Windows 5.1.2600 Service Pack 3

7/6/2009 10:55:41 PM
mbam-log-2009-07-06 (22-55-41).txt

Scan type: Quick Scan
Objects scanned: 95398
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:31 AM

Posted 06 July 2009 - 10:14 PM

Did you run Combofix on your own (without supervision)? :thumbup2:

#7 maybeitssteve

maybeitssteve
  • Topic Starter

  • Members
  • 22 posts
  • Local time:08:31 AM

Posted 06 July 2009 - 10:32 PM

Hmmmm, yes. I did it before I posted on here. I guess I read about it on one of the forums. Is that part of the problem? I think I did it before I tried installing f-secure.

Let me know if I'm totally screwed!

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:31 AM

Posted 07 July 2009 - 09:55 AM

Hi Steve,

Combofix is NOT a toy!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.


Let's see if you have done any damage. :thumbup2:

Post the ComboFix log. It will be at C:\ComboFix.txt

#9 maybeitssteve

maybeitssteve
  • Topic Starter

  • Members
  • 22 posts
  • Local time:08:31 AM

Posted 07 July 2009 - 10:30 AM

Here you go. Thanks.


ComboFix 09-06-17.02 - Me 06/17/2009 23:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.627 [GMT -4:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\podmena
c:\windows\system32\drivers\240f56e4.sys
c:\docume~1\Me\LOCALS~1\Temp\install_flash_player.exe
c:\documents and settings\Me\Application Data\wiaserva.log
c:\documents and settings\Me\Start Menu\Programs\Startup\rncsys32.exe
c:\program files\podmena\podmena.dll
c:\program files\podmena\podmena.sys
c:\windows\9129837.exe
c:\windows\freddy46.exe
c:\windows\ld09.exe
c:\windows\zaponce52597.dat
c:\windows\zaponce52689.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_podmena
-------\Legacy_podmenadrv
-------\Service_240f56e4
-------\Service_podmena
-------\Service_podmenadrv


((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2010-07-02 20:30 . 2008-06-13 11:05 272128 -c--a-w- c:\windows\system32\dllcache\bthport.sys
2010-07-02 20:30 . 2008-06-13 11:05 272128 ----a-w- c:\windows\system32\drivers\bthport.sys
2010-07-02 20:29 . 2009-04-16 14:34 -------- d--h--w- c:\windows\$hf_mig$
2010-07-02 20:28 . 2010-07-02 20:29 -------- d-----w- c:\windows\I386
2009-06-17 13:09 . 2009-06-17 13:09 152576 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-16 13:47 . 2009-06-16 13:47 1 ---h--w- c:\windows\bf23567.dat
2009-06-13 13:02 . 2009-06-17 16:08 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\Google
2009-06-06 16:52 . 2009-06-06 16:52 -------- d-sh--w- c:\documents and settings\Me\IECompatCache
2009-06-06 14:16 . 2009-06-06 14:16 0 ----a-w- c:\windows\nsreg.dat
2009-06-06 14:16 . 2009-06-06 14:16 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\Mozilla
2009-06-05 16:43 . 2009-06-05 16:43 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-05 16:43 . 2009-06-05 16:43 -------- d-sh--w- c:\documents and settings\Me\PrivacIE
2009-06-05 16:10 . 2009-06-05 16:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-05 16:09 . 2009-06-05 16:09 -------- d-sh--w- c:\documents and settings\Me\IETldCache
2009-06-05 15:55 . 2009-02-20 08:10 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-05 15:55 . 2009-02-20 08:10 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-06-03 02:28 . 2009-06-03 02:28 32 --s-a-w- c:\windows\system32\2295168498.dat
2009-06-03 02:27 . 2009-06-03 02:27 51712 --sh--r- c:\windows\system32\$winnt$j.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 14:17 . 2008-12-29 17:24 2988 ----a-w- c:\documents and settings\Me\Application Data\wklnhst.dat
2009-06-06 14:17 . 2009-01-27 04:40 -------- d-----w- c:\documents and settings\Me\Application Data\Move Networks
2009-06-04 19:33 . 2009-03-22 21:18 81920 ----a-w- c:\documents and settings\Me\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connecthook.dll
2009-06-04 19:33 . 2009-03-22 21:18 190976 ----a-w- c:\documents and settings\Me\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectsprd.dll
2009-05-18 04:20 . 2009-05-18 04:20 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-18 04:20 . 2008-06-27 06:24 -------- d-----w- c:\program files\Java
2009-05-18 04:19 . 2009-05-18 04:19 152576 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-18 03:59 . 2008-12-25 18:22 -------- d-----w- c:\documents and settings\Me\Application Data\StarOffice8
2009-05-14 14:24 . 2009-01-03 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-12 10:11 . 2009-05-12 10:11 127877 ----a-w- c:\documents and settings\Me\Application Data\Move Networks\uninstall.exe
2009-05-12 10:11 . 2009-05-01 06:30 4183416 ----a-w- c:\documents and settings\Me\Application Data\Move Networks\plugins\npqmp071500000347.dll
2009-05-12 10:11 . 2009-05-12 10:10 1685856 ----a-w- c:\documents and settings\Me\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe
2009-05-09 17:13 . 2009-05-09 17:13 1047072 ----a-w- c:\documents and settings\Me\Application Data\Move Networks\MoveMediaPlayer_071303000006.exe
2009-05-01 06:30 . 2009-05-01 06:30 97144 ----a-w- c:\documents and settings\Me\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-04-30 15:01 . 2009-04-30 14:55 -------- d-----w- c:\program files\Smart PDF Converter Pro
2009-04-30 14:56 . 2009-04-30 14:56 -------- d-----w- c:\documents and settings\Me\Application Data\Smart PDF Converter Pro
2009-03-22 21:18 . 2009-03-22 21:18 3672032 ----a-w- c:\documents and settings\Me\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe
2008-05-07 23:34 . 2008-06-27 06:48 15523560 ----a-w- c:\program files\U1 Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-06-03 98304]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-06-03 479232]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-18 148888]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-16 16806400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-7-22 303104]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [6/27/2008 1:36 AM 11264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [6/27/2008 1:36 AM 36864]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [6/27/2008 1:36 AM 625024]
S2 EhttpSrvCiSvc;Eset HTTP Server EhttpSrvCiSvc;c:\windows\system32\$winnt$j.exe srv --> c:\windows\system32\$winnt$j.exe srv [?]
S3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [5/21/2008 4:20 PM 25088]
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]

2009-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2134336118-4122123310-4156243189-1006.job
- c:\documents and settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-17 16:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 23:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2864)
c:\windows\system32\btmmhook.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-06-18 23:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-18 03:53

Pre-Run: 75,149,381,632 bytes free
Post-Run: 75,619,254,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

178 --- E O F --- 2009-06-05 15:57

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:31 AM

Posted 07 July 2009 - 03:04 PM

Hi maybeitssteve,


Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box at the top of the page:
    • c:\windows\bf23567.dat
      c:\windows\system32\2295168498.dat
      c:\windows\system32\$winnt$j.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • If Copy to Clipboard does not work, then just copy and paste the output in your next reply.
If the VirSCAN.org server is too busy, please submit the file to VirusTotal instead.

#11 maybeitssteve

maybeitssteve
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 08 July 2009 - 10:52 AM

Okay, first I selected to show hidden files and folders.

The second part, though, didn't work. I can't paste the addresses of those files into the box on either of those sites. Nor can I type them in. It just doesn't work. It seems like I can only try to locate the files by clicking on "browse" and manually looking through my computer. However, when I tried this I could only find the second one on my computer (c:\windows\system32\2295168498.dat). Here are the results for that.

VirSCAN.org Scanned Report :
Scanned time : 2009/06/09 15:40:17 (EDT)
Scanner results: All Scanners reported not find malware!
File Name : 3568431281.dat
File Size : 32 byte
File Type : ASCII text, with no line terminators
MD5 : 5e7e954d7eb504af49747a85336da63a
SHA1 : c1a385f81c2f3789d7b113599901c4b562491023
Online report : http://virscan.org/report/c86d57411033261f...4f24e8bd77.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.1 20090607195527 2009-06-07 1.90 -
AhnLab V3 2009.06.10.00 2009.06.10 2009-06-10 0.75 -
AntiVir 8.2.0.183 7.1.4.77 2009-06-09 0.12 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.02 -
Arcavir 2009 200906091444 2009-06-09 0.02 -
Authentium 5.1.1 200906091221 2009-06-09 1.12 -
AVAST! 4.7.4 090608-0 2009-06-08 0.00 -
AVG 8.5.286 270.12.59/2165 2009-06-09 3.32 -
BitDefender 7.81008.3347268 7.25893 2009-06-10 3.00 -
CA (VET) 9.0.0.143 31.6.6548 2009-06-09 7.32 -
ClamAV 0.95.1 9442 2009-06-09 0.00 -
Comodo 3.9 1297 2009-06-09 0.77 -
CP Secure 1.1.0.715 2009.06.09 2009-06-09 10.02 -
Dr.Web 4.44.0.9170 2009.06.09 2009-06-09 4.70 -
F-Prot 4.4.4.56 20090608 2009-06-08 1.11 -
F-Secure 5.51.6100 2009.06.09.10 2009-06-09 6.04 -
Fortinet 2.81-3.117 10.481 2009-06-09 0.14 -
GData 19.5726/19.358 20090609 2009-06-09 4.16 -
ViRobot 20090609 2009.06.09 2009-06-09 0.41 -
Ikarus T3.1.01.57 2009.06.03.72814 2009-06-03 3.08 -
JiangMin 11.0.706 2009.06.09 2009-06-09 1.95 -
Kaspersky 5.5.10 2009.06.09 2009-06-09 0.03 -
KingSoft 2009.2.5.15 2009.6.9.21 2009-06-09 0.53 -
McAfee 5.3.00 5641 2009-06-09 3.07 -
Microsoft 1.4701 2009.06.09 2009-06-09 4.23 -
mks_vir 2.01 2009.06.07 2009-06-07 3.11 -
Norman 6.01.09 6.01.00 2009-06-09 4.00 -
Panda 9.05.01 2009.06.09 2009-06-09 1.74 -
Trend Micro 8.700-1004 6.182.06 2009-06-09 0.02 -
Quick Heal 10.00 2009.06.09 2009-06-09 1.15 -
Rising 20.0 21.33.14.00 2009-06-09 0.24 -
Sophos 2.87.1 4.42 2009-06-10 2.37 -
Sunbelt 5176 5176 2009-06-08 0.78 -
Symantec 1.3.0.24 20090608.007 2009-06-08 0.28 -
nProtect 20090609.01 4217261 2009-06-09 5.29 -
The Hacker 6.3.4.3 v00342 2009-06-08 0.58 -
VBA32 3.12.10.6 20090608.1238 2009-06-08 1.94 -
VirusBuster 4.5.11.10 10.107.7/1592556 2009-06-09 1.92 -

I tried searching for the other two files on my computer using the windows search tool and couldn't find them, even though I looked in hidden files and folders (which I guess are no longer hidden).

Let me know what you think. Thanks!

Steve

#12 maybeitssteve

maybeitssteve
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 08 July 2009 - 11:00 AM

Oh no, it looks like the online protection on Avira just deactivated! I don't know how to turn it back on. Hmmm.

#13 maybeitssteve

maybeitssteve
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 08 July 2009 - 11:01 AM

Oh, okay, I turned it back on. But I don't know why it turned off.

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:31 AM

Posted 08 July 2009 - 11:47 AM

Hi Steve,

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :file
    c:\windows\bf23567.dat
    c:\windows\system32\2295168498.dat
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop. Post the content of the log here in your next reply
**************

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.

Edited by SifuMike, 08 July 2009 - 11:53 AM.

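The file check SystemLook performs above (existence, size, MD5, timestamps, attributes), as an added Python example that is not SystemLook's, ComboFix's or the thread's own code: it runs the same check over the three paths from the ComboFix log, adds SHA1 so the hashes can be compared with a VirSCAN or VirusTotal report, and decodes the hidden/system attribute bits on Windows. The sample file content in the demo is constructed for this example.

```python
"""SystemLook-style ':file' check, written in Python.

Added example for this thread; it is not SystemLook's or ComboFix's own code.
For each path it reports whether the file exists, its size, MD5 and SHA1 (so
the hashes can be compared against an online-scanner report such as the
VirSCAN one above), its timestamps and, on Windows, the hidden/system/
read-only attribute bits that ComboFix prints as flags such as '--sh--r-'.
"""
import hashlib
import os
import tempfile
import time
from typing import Dict, List, Optional

# Win32 file attribute bits (same values as stat.FILE_ATTRIBUTE_* in Python
# 3.5+). Defined here so the decoder also works on non-Windows hosts, where
# os.stat() does not expose st_file_attributes at all.
ATTRIBUTE_FLAGS = {"readonly": 0x1, "hidden": 0x2, "system": 0x4, "archive": 0x20}

# The paths SifuMike asked to be checked (taken from the ComboFix log above).
SUSPECT_PATHS = [
    r"c:\windows\bf23567.dat",
    r"c:\windows\system32\2295168498.dat",
    r"c:\windows\system32\$winnt$j.exe",
]


def decode_attributes(attrs: Optional[int]) -> List[str]:
    """Turn a Win32 attribute bitmask into names; [] when attributes are unknown."""
    if attrs is None:
        return []
    return [name for name, bit in ATTRIBUTE_FLAGS.items() if attrs & bit]


def hash_file(path: str) -> Dict[str, str]:
    """Stream the file through MD5 and SHA1 in one pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    # Upper-case like SystemLook; VirSCAN prints lower-case, so compare case-insensitively
    return {"md5": md5.hexdigest().upper(), "sha1": sha1.hexdigest().upper()}


def look_file(path: str) -> Dict[str, object]:
    """Mirror one SystemLook ':file' entry as a dict."""
    try:
        st = os.stat(path)
        hashes = hash_file(path)
    except OSError:
        # SystemLook prints 'Unable to find/read file.' in this case
        return {"path": path, "found": False}
    info: Dict[str, object] = {
        "path": path,
        "found": True,
        "size": st.st_size,
        "created": time.strftime("%H:%M on %d/%m/%Y", time.localtime(st.st_ctime)),
        "modified": time.strftime("%H:%M on %d/%m/%Y", time.localtime(st.st_mtime)),
        # st_file_attributes only exists on Windows; elsewhere we report nothing
        "attributes": decode_attributes(getattr(st, "st_file_attributes", None)),
    }
    info.update(hashes)
    return info


def hash_matches(info: Dict[str, object], reported_md5: str) -> bool:
    """True if the file on disk is the same one an online scanner reported on."""
    return info.get("found") is True and str(info["md5"]).lower() == reported_md5.lower()


def format_entry(info: Dict[str, object]) -> str:
    """Render an entry in the layout SystemLook uses in its log."""
    if not info["found"]:
        return f"{info['path']} - Unable to find/read file."
    attrs = ",".join(info["attributes"]) or "n/a"
    return "\n".join([
        f"{info['path']} - File found and opened.",
        f"MD5: {info['md5']}",
        f"SHA1: {info['sha1']}",
        f"Created at {info['created']}",
        f"Modified at {info['modified']}",
        f"Size: {info['size']} bytes",
        f"Attributes: {attrs}",
    ])


def demo_on_constructed_sample() -> List[Dict[str, object]]:
    """Run the check on a constructed 32-byte marker file plus a missing path.

    The sample stands in for 2295168498.dat (32 bytes of ASCII with no line
    terminator, per the VirSCAN report); its content is made up for this demo.
    """
    with tempfile.TemporaryDirectory() as tmp:
        present = os.path.join(tmp, "2295168498.dat")
        with open(present, "wb") as fh:
            fh.write(b"0123456789abcdef0123456789abcdef")  # constructed, 32 bytes
        missing = os.path.join(tmp, "bf23567.dat")  # never created on purpose
        return [look_file(present), look_file(missing)]


if __name__ == "__main__":
    # On the affected machine, iterate over SUSPECT_PATHS instead of the sample
    for entry in demo_on_constructed_sample():
        print(format_entry(entry), end="\n\n")
```

On a real machine, replace the demo with `for p in SUSPECT_PATHS: print(format_entry(look_file(p)))`; a file that the Explorer search cannot see but `look_file` finds is usually just hidden/system-marked, which the attributes field will show.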

#15 maybeitssteve

maybeitssteve
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 08 July 2009 - 01:13 PM

Hey, I ran the SystemLook scan. Here is what it said.

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 14:01 on 08/07/2009 by Me (Administrator - Elevation successful)

========== file ==========

c:\windows\bf23567.dat - Unable to find/read file.

c:\windows\system32\2295168498.dat - File found and opened.
MD5: 5E7E954D7EB504AF49747A85336DA63A
Created at 02:28 on 03/06/2009
Modified at 02:28 on 03/06/2009
Size: 32 bytes
Attributes: --a-s-
No version information available.

-=End Of File=-


When I tried to run the Kaspersky scan, my computer rebooted partway through the scan downloading files. Windows showed me this error when it rebooted. I'm wondering if it was because Avira was still running when I tried the scan. I disabled the antivirus guard and the online protection, but maybe that wasn't enough?






Blue screen error caused by a device or driver

You received this message because a hardware device, its driver, or related software has caused a blue screen error. This type of error means the computer has shut down abruptly to protect itself from potential data corruption or loss. In this case, we were unable to detect the specific device or driver that caused the problem.

Troubleshooting

--------------------------------------------------------------------------------


The following troubleshooting steps might prevent the blue screen error from recurring. Try them in the order given. If one step does not solve the problem, then move on to the next one.

Step 1: Download and install the latest updates and device drivers for your computer

Use Windows Update to check for and install updates:
Go online to the Windows Update website:


Windows Update


Note
If Microsoft Update is installed, you'll be taken to the Microsoft Update website.

Click Custom to check for available updates.

In the left pane, under Select by Type, click each of the following links to view all available updates:


High Priority

Software, Optional

Hardware, Optional


Select the updates you want, click Review and install updates, and then click Install Updates.

If you recently added a new hardware device to your computer, go online to the manufacturer's website to see if a driver update is available.

If you recently added a new program to your computer, go online to the manufacturer's website to see if an update is available.

Step 2: Remove any new hardware or software to isolate the cause of the blue screen

If you received the blue screen error after adding a new hardware device or program, and downloading updates didn't solve the problem, try removing the device or program and restarting Windows. If removing the new device or program allows Windows to start without the error, contact the device or program's manufacturer to get product updates or to learn about any known issues with the device or program.

Step 3: Scan your computer for viruses

Many blue screen errors can be caused by computer viruses or other types of malicious software.

If you have an antivirus program installed on your computer, make sure it is up to date with the latest antivirus definitions and perform a complete scan of your system. Check your antivirus product's website for information on getting the latest updates.

If you do not have antivirus software installed on your computer, we recommend using a web-based scanner to check your computer for malware. Many of the top antivirus software providers offer this service free of charge on their websites.

To see a list of Microsoft and third-party providers of antispyware, anti-malware, and antivirus software, go online to the following website:

Security software: Downloads and trials

To see a list of antivirus software vendors, go online to the following Knowledge Base article:

List of antivirus software vendors

Tip
Consider scanning your computer using more than one web-based antivirus scanner, even if you have an antivirus program installed on your computer. This will help make sure that you are using the most up-to-date antivirus definitions and allows you to benefit from the different strengths of each antivirus software manufacturer. If you do run multiple antivirus products, make sure you run only one product at a time. Running multiple antivirus products simultaneously can produce incorrect results.

Step 4: Check your hard disk for errors

You can help solve some computer problems and improve the performance of your computer by making sure that your hard disk has no errors.

Click Start, and then click My Computer.

Right-click the hard disk drive that you want to check, and then click Properties.

Click the Tools tab, and then, under Error-checking, click Check Now.

To automatically repair problems with files and folders that the scan detects, select Automatically fix file system errors. Otherwise, the disk check will report problems but not fix them.

To perform a thorough disk check, select Scan for and attempt recovery of bad sectors. This scan attempts to find and repair physical errors on the hard disk itself, and it can take much longer to complete.

To check for both file errors and physical errors, select both Automatically fix file system errors and Scan for and attempt recovery of bad sectors.

Click Start.

Depending upon the size of your hard disk, this might take several minutes or longer. For best results, don't use your computer for any other tasks while it's checking for errors.

Note
If you select Automatically fix file system errors for a disk that is in use (for example, the partition that contains Windows), you'll be prompted to reschedule the disk check for the next time you restart your computer.

For more information, go online to read the following article:

How to perform disk error checking in Windows XP

Step 5: Restore your computer to an earlier state

If the blue screen error occurred after installing a system or program update, consider using the System Restore feature to remove the changes. System Restore uses "restore points" that have been saved on your computer to return your system to a point in time before the problem began. This won't fix the problem, but it can make your computer work again.

Do one of the following:

If Windows doesn't start:

Restart the computer and, when the screen becomes blank during startup, repeatedly press F8 until the Windows Advanced Options Menu displays.

Use your arrow keys to select Safe Mode with Command Prompt, and then press ENTER.

For more information about safe mode start up options, go online to read an article in the Microsoft Knowledge Base:

Click to read KB315222

If you are prompted to select a version of Windows, select the correct version, and then press ENTER.

Log on to the computer using the Administrator account or an account that has administrator credentials.

Type the following command at a command prompt, and then press ENTER:

[systemroot]\system32\restore\rstrui.exe

(Where [systemroot] is the drive and directory where your Windows system files are located -- for example, "C:\Windows")

Follow the instructions that appear on the screen to restore the computer to an earlier state.

Or, if Windows starts:

Log on to Windows using an administrator account.

Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.

On the Welcome to System Restore page, select Restore my computer to an earlier time, and then click Next.

On the Select a Restore Point page, click the most recent system checkpoint in the On this list, click a restore point list, and then click Next. You might receive a message that lists configuration changes that System Restore will make. Review this list, and then click OK.

On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows configuration, and then restarts the computer.

Log on to the computer as an administrator.

When the System Restore Restoration Complete page appears, click OK.



Advanced troubleshooting

The following steps can help determine what is causing a blue screen error and provide additional options for solving the problem. Try the above troubleshooting steps first before trying these advanced troubleshooting steps.

This section is intended for advanced computer users, such as software developers and network administrators. If you are not comfortable with advanced troubleshooting procedures, we recommend that you perform these steps with someone who is.

Step 1: Start Windows in safe mode

Restart the computer and, when the screen becomes blank during startup, repeatedly press F8 until the Windows Advanced Options Menu displays.

Use your arrow keys to select Safe Mode, and then press ENTER.

For more information about safe mode start up options, go online to read an article in the Microsoft Knowledge Base:

Click to read KB315222

If you are prompted to select a version of Windows, select the correct version, and then press ENTER.

Step 2: Collect more information about your computer

To continue troubleshooting this problem, you will need to collect more information about your computer, and then use it to find more information online.

Use Event Viewer to find specific information about this problem

Event Viewer is an advanced tool that displays detailed information about significant events on your computer. It can be helpful when troubleshooting problems and errors with Windows and other programs.
Click Start, click Run, type EVENTVWR, and then click OK.

Click Application.

Click View, and then click Filter.

In the Event Source drop-down menu, click any one of the following: Save Dump, System Error, or Windows Error Reporting.

In the Event ID field, type 1001, and then click OK.

Review each event listed and write down the bugcheck code (for example, 0x000000D1 or 0x0000008E).

Go to the next step to search the Internet for a solution.

Perform an Internet search

Use the information you collected in the previous step to search the Internet for more help. If you find troubleshooting steps, make sure that they apply to your specific computer before you follow them.

Go online to search the Internet for specific bugcheck codes you found using Event Viewer. For example, search for "0x000000D1" or "0x0000008E".
Go online to search the Internet for the driver name. For example, search for "portcls.sys".
Go online to search the Internet using different combinations of text, such as "Blue Screen" or "Stop Error" along with the driver or device name. For example, you could search for "portcls.sys bluescreen".
Step 3: Roll back or disable the problem driver

Start Device Manager. To do this, click Start, click Run, type devmgmt.msc, and then click OK.

Based on the driver and device information you obtained in Step 2 above, double-click the device that you have determined might be causing the problem.

If you think the problem was caused by a recent update of the driver, click the Driver tab, and then click the Roll Back Driver button. If the problem did not coincide with a recent updating of the driver, then click the Disable button instead.

Step 4: Determine whether a third-party program is causing the problem

Click Start, click Run, type msconfig, and then click OK.

Click the General tab, click Selective Startup, clear the Load startup items check box, and then select the Load System Services check box.

Click OK, and then restart the computer.

If Windows starts, go to Step 5. If Windows does not start, go to Step 7.

Step 5: Identify the conflicting program

Because of the number of programs that might be listed, we recommend that you use the following process of elimination:

Click Start, click Run, type msconfig, and then click OK.

Click the Startup tab.

Select approximately half of the listed items, and then click OK.

Restart the computer.

If Windows does not start, restart Windows in safe mode.

Repeat this process until you have identified the program that is causing the problem.

Once you determine that a specific program is causing the problem, we recommend that you remove it if you are not using it.

How do I uninstall a program?

Click Start, click Control Panel, and then click Add or Remove Programs.

Click Change or Remove Programs, click the program you want to remove, and then click Change/Remove or Remove.

Note
If the program that you want to uninstall isn't listed, it might not have been written for this version of Windows. To uninstall the program, check the information that came with the program.

If you do not want to remove the program, contact the software manufacturer for a solution to the problem.

Step 6: Disable all third-party services

Disable all third-party services to find out whether the problem is being caused by one of them.

Warning
The following procedure describes how to turn off third-party services. Be careful not to disable Microsoft services, because doing so will turn off System Restore and cause you to lose all system restore points.

Click Start, click Run, type msconfig, and then click OK.

Click the Services tab, and then click the Hide all Microsoft services check box to filter the list to third-party services only.

Click Disable all to disable the listed third-party services.

Restart the computer and check to see if the problem has gone away. If it has, you know that one of the disabled third-party services is causing the problem. Go to step 7 to identify which service is causing the problem.

Step 7: Locate and disable the third-party service causing the problem

Warning
The following procedure describes how to turn off third-party services. Be careful not to disable Microsoft services, because doing so will turn off System Restore and cause you to lose all system restore points.

Because of the number of services that might be listed, we recommend that you use the following process of elimination:

Click Start, click Run, type msconfig, and then click OK.

Click the Services tab, and then click the Hide all Microsoft services check box to filter the list to third-party services only.

Disable approximately half the services on the list, and then click OK.

Restart the computer in normal mode.

If Windows starts, then the problem service is among those you disabled. Repeat the process of enabling services in msconfig and restarting Windows until you determine which one causes Windows to not start in normal mode (this is the service that is causing the problem).

If Windows does not start, then the problem service is among those you left enabled. Repeat the process of disabling services and restarting Windows until you determine which one causes Windows to start in normal mode (this is the service that is causing the problem).

If you have determined which service is causing the problem, we recommend that you disable it and contact the service's manufacturer for information on how to solve the problem. Also, make sure you re-enable any of the other services you disabled for diagnostic purposes.


--------------------------------------------------------------------------------







