Unable to remove Windows Police Patrol

  • This topic is locked
6 replies to this topic

#1 cdrhra


  • Members
  • 5 posts
  • Local time:04:06 AM

Posted 07 September 2009 - 10:24 AM

Have Windows Police Patrol infection. Recently had Windows Antivirus Pro infection and was able to remove it with that guide. For Windows Police Patrol, I do not find items in Process Tab of Task Manager as described. Also, concerned that I may have other malware issues. Firefox, IE and Opera all shut down immediately or shortly after starting. Google chrome does run. Previous Rootkit.TDSS.AC infection. Bitdefender would block but would keep generating thousands of copies and wasn't ever removed with scanning. Switched to VIPRE antivirus and today getting repeated messages blocking "bad file" UACsobptbqywr.dll. Multiple Quarantined items today: Packed.Win32.TDSS.Y and FraudTool.Win32.Antivirus2010(v). Have Malwarebytes on computer from previous Windows Antivirus Pro removal, but doesn't run if I use the two download tools on the removal instructions (tried because Task Manager not showing processes to kill). Know this post may contain several problems. Will post individually with the log files, if advised.

Pop ups I currently get are "Security Center Alert" for suspicious software "Virus.Win32.Hala.a" followed by the ad pop up to buy the fix. Have also had a pop up saying Google Installer has quit working, identifying a malware problem: "UACD.sys"

Thanks in advance for any help. Here's my DDS.txt log. Other files attached.

DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
Run by Drew at 9:59:46.95 on Mon 09/07/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1643 [GMT -4:00]

AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Sunbelt VIPRE *enabled* (Updated) {9817B764-AE4E-4B29-AEE7-725B7A50BD48}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Bitdefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\smss.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Aim6]
uRun: [Google Update] "c:\users\drew\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [SBAMTray] c:\program files\sunbelt software\vipre\SBAMTray.exe
mRun: [SBRegRebootCleaner] c:\program files\sunbelt software\vipre\SBRC.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
dRun: [AntiSpyware Service] c:\windows\temp\echerc.exe
dRun: [Windows System Recover!] c:\windows\temp\login.exe
dRun: [risky] c:windowssystem32configsystemprofileappdataroaming84372872az.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1.lnk - c:\program files\panasonic\videocamsuite\VideoCamSuiteAutoStart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\drew\appdata\roaming\mozilla\firefox\profiles\mzjf8e3v.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/|http://online.wsj.com/home-page?refresh=on|http://www.weather.com/outlook/health/fitness/weather/hrbyhr/?parkId=2291|http://radar.weather.gov/radar.php?rid=ffc&product=N0R&overlay=11101111&loop=no|http://www.georgia-navigator.com/maps/atlanta|http://www.cbssports.com/|http://www2.kusports.com/news/mens_basketball/|http://www.facebook.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\drew\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-4-30 93360]
S1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-8-29 202928]
S2 0131511237341040mcinstcleanup;McAfee Application Installer Cleanup (0131511237341040);c:\windows\temp\013151~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\013151~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-3 210216]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2009-6-10 980264]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-5-13 69936]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-20 24652]
S3 CamdAudio;CamdAudio;c:\windows\system32\drivers\CamdAudio.sys [2008-11-25 23096]
S3 CamdVideo;CamdVideo;c:\windows\system32\drivers\CamdVideo.sys [2008-11-25 3768]
S3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2007-8-23 206336]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-11-25 200704]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-4-16 11520]
S3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-9-7 156928]

=============== Created Last 30 ================

2009-09-07 09:26 <DIR> --d----- c:\windows\system32\Events
2009-09-07 08:39 104 a------- c:\windows\system32\SBRC.dat
2009-09-07 08:33 <DIR> --d----- c:\program files\Windows Police Pro
2009-09-07 08:28 1,010,176 a------- c:\windows\system32\wscsvc32.exe
2009-09-03 07:15 43,520 a------- c:\windows\system32\drivers\smss.exe
2009-09-02 18:46 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-02 18:46 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-29 15:46 <DIR> --d----- c:\users\drew\appdata\roaming\Sunbelt
2009-08-29 15:46 <DIR> --d----- c:\programdata\Sunbelt
2009-08-29 15:46 <DIR> --d----- c:\progra~2\Sunbelt
2009-08-29 15:43 202,928 a------- c:\windows\system32\drivers\sbtis.sys
2009-08-29 15:42 <DIR> --d----- c:\program files\Sunbelt Software
2009-08-27 03:01 2,048 a------- c:\windows\system32\tzres.dll
2009-08-27 00:23 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-27 00:23 213,504 a------- c:\windows\system32\msv1_0.dll
2009-08-27 00:23 1,256,448 a------- c:\windows\system32\lsasrv.dll
2009-08-27 00:23 270,848 a------- c:\windows\system32\schannel.dll
2009-08-27 00:23 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-27 00:23 439,896 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-27 00:23 72,704 a------- c:\windows\system32\secur32.dll
2009-08-27 00:23 9,728 -------- c:\windows\system32\lsass.exe
2009-08-26 19:09 <DIR> --d----- c:\program files\MSECache
2009-08-24 19:11 <DIR> --d----- c:\program files\ASIO4ALL v2
2009-08-24 19:10 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-08-24 19:10 <DIR> --d----- c:\program files\Outsim
2009-08-24 19:08 <DIR> --d----- c:\program files\Image-Line
2009-08-18 19:26 <DIR> --d----- c:\windows\system32\Adobe
2009-08-15 14:09 345 a------- c:\windows\wininit.ini
2009-08-15 13:34 <DIR> --d----- c:\users\drew\appdata\roaming\Malwarebytes
2009-08-15 13:33 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-15 13:33 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-15 13:33 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-15 13:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-15 13:33 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-15 13:15 <DIR> --d----- C:\_OTM
2009-08-13 14:56 150,631,707 a------- c:\windows\MEMORY.DMP
2009-08-13 05:30 71,680 a------- c:\windows\system32\atl.dll
2009-08-13 05:30 160,256 -------- c:\windows\system32\wkssvc.dll
2009-08-13 05:30 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-13 05:30 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-13 05:30 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-13 05:30 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-13 05:30 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-13 05:30 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-13 05:30 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-13 05:30 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-13 05:30 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-08 14:06 <DIR> --d----- c:\program files\Coupons

==================== Find3M ====================

2009-08-29 15:59 81,984 a------- c:\windows\system32\bdod.bin
2009-08-28 08:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 08:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 08:38 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 08:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-22 16:50 20 ----h--- c:\programdata\PKP_DLbz.DAT
2009-08-22 16:50 20 ----h--- c:\programdata\PKP_DLbx.DAT
2009-08-22 16:50 20 ----h--- c:\programdata\PKP_DLbw.DAT
2009-08-22 16:50 20 ----h--- c:\progra~2\PKP_DLbz.DAT
2009-08-22 16:50 20 ----h--- c:\progra~2\PKP_DLbx.DAT
2009-08-22 16:50 20 ----h--- c:\progra~2\PKP_DLbw.DAT
2009-08-22 16:48 20 ----h--- c:\programdata\PKP_DLdw.DAT
2009-08-22 16:48 20 ----h--- c:\progra~2\PKP_DLdw.DAT
2009-07-26 17:59 20 ----h--- c:\programdata\PKP_DLdu.DAT
2009-07-26 17:59 20 ----h--- c:\progra~2\PKP_DLdu.DAT
2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-10 02:23 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-10 02:23 86,016 a------- c:\windows\inf\infstor.dat
2009-07-10 02:23 51,200 a------- c:\windows\inf\infpub.dat
2009-06-15 11:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 11:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 11:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:52 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-10 06:00 68,392 a------- c:\windows\system32\sbbd.exe
2008-08-01 19:57 56 a---h--- c:\programdata\ezsidmv.dat
2008-08-01 19:57 56 a---h--- c:\progra~2\ezsidmv.dat
2008-07-28 10:08 174 a--sh--- c:\program files\desktop.ini
2008-07-28 09:58 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-03-29 19:19 22 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 10:01:02.28 ===============

Sorry. I misnamed the Malware. It is Windows Police Pro. Have reposted with that name in the post title, in case it matters.

Edited by The weatherman, 07 September 2009 - 06:35 PM.
Merged posts and I've removed your repost, cdrhra; there was no need to do so. (:~Tw


#2 DocSatan


    Bleepin' Wanna-Be

  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:04:06 AM

Posted 22 September 2009 - 05:03 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 cdrhra

  • Topic Starter

  • Members
  • 5 posts
  • Local time:04:06 AM

Posted 26 September 2009 - 11:32 AM

Thanks for getting back to me. Sorry I missed the post for a few days, but it had been awhile since I posted and I stopped checking as often. Appreciate all the help and it looks like you guys are swamped. Here is my updated DDS log and am attaching the attach.txt file.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Drew at 12:16:56.11 on Sat 09/26/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1246 [GMT -4:00]

AV: Sunbelt VIPRE *On-access scanning disabled* (Outdated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Sunbelt VIPRE *disabled* (Outdated) {9817B764-AE4E-4B29-AEE7-725B7A50BD48}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Bitdefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\smss.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Aim6]
uRun: [Google Update] "c:\users\drew\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [SBAMTray] c:\program files\sunbelt software\vipre\SBAMTray.exe
mRun: [SBRegRebootCleaner] c:\program files\sunbelt software\vipre\SBRC.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
dRun: [AntiSpyware Service] c:\windows\temp\echerc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1.lnk - c:\program files\panasonic\videocamsuite\VideoCamSuiteAutoStart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\drew\appdata\roaming\mozilla\firefox\profiles\mzjf8e3v.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/|http://online.wsj.com/home-page?refresh=on|http://www.weather.com/outlook/health/fitness/weather/hrbyhr/?parkId=2291|http://radar.weather.gov/radar.php?rid=ffc&product=N0R&overlay=11101111&loop=no|http://www.georgia-navigator.com/maps/atlanta|http://www.cbssports.com/|http://www2.kusports.com/news/mens_basketball/|http://www.facebook.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\drew\appdata\local\google\update\\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-4-30 93360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-8-29 202928]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-3 92296]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-5-13 69936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-20 24652]
R3 CamdAudio;CamdAudio;c:\windows\system32\drivers\CamdAudio.sys [2008-11-25 23096]
R3 CamdVideo;CamdVideo;c:\windows\system32\drivers\CamdVideo.sys [2008-11-25 3768]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2007-8-23 206336]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-9-7 156928]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2009-6-10 980264]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-11-25 200704]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-4-16 11520]

=============== Created Last 30 ================

2009-09-11 17:10 276 a------- c:\windows\system32\MRT.INI
2009-09-10 18:54 2,868,224 a------- c:\windows\system32\mf.dll
2009-09-07 09:26 <DIR> --d----- c:\windows\system32\Events
2009-09-07 08:39 104 a------- c:\windows\system32\SBRC.dat
2009-09-07 08:27 217 a------- c:\windows\system32\UACbnyqwveist.dat
2009-09-07 08:27 6,567 a------- c:\windows\system32\uacinit.dll
2009-09-07 08:27 50,176 -------- c:\windows\system32\drivers\UACsbnjtpxkut.sys
2009-09-03 07:15 43,520 a------- c:\windows\system32\drivers\smss.exe
2009-09-02 18:46 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-02 18:46 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-29 15:46 <DIR> --d----- c:\users\drew\appdata\roaming\Sunbelt
2009-08-29 15:46 <DIR> --d----- c:\programdata\Sunbelt
2009-08-29 15:46 <DIR> --d----- c:\progra~2\Sunbelt
2009-08-29 15:43 202,928 a------- c:\windows\system32\drivers\sbtis.sys
2009-08-29 15:42 <DIR> --d----- c:\program files\Sunbelt Software

==================== Find3M ====================

2009-08-29 15:59 81,984 a------- c:\windows\system32\bdod.bin
2009-08-28 08:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 08:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 08:38 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 08:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-22 16:50 20 ----h--- c:\programdata\PKP_DLbz.DAT
2009-08-22 16:50 20 ----h--- c:\programdata\PKP_DLbx.DAT
2009-08-22 16:50 20 ----h--- c:\programdata\PKP_DLbw.DAT
2009-08-22 16:50 20 ----h--- c:\progra~2\PKP_DLbz.DAT
2009-08-22 16:50 20 ----h--- c:\progra~2\PKP_DLbx.DAT
2009-08-22 16:50 20 ----h--- c:\progra~2\PKP_DLbw.DAT
2009-08-22 16:48 20 ----h--- c:\programdata\PKP_DLdw.DAT
2009-08-22 16:48 20 ----h--- c:\progra~2\PKP_DLdw.DAT
2009-08-14 13:07 897,608 a------- c:\windows\system32\drivers\tcpip.sys
2009-08-14 12:29 104,960 a------- c:\windows\system32\netiohlp.dll
2009-08-14 12:29 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 10:16 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 10:16 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 10:16 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 10:16 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 10:16 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 10:16 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 10:16 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-26 17:59 20 ----h--- c:\programdata\PKP_DLdu.DAT
2009-07-26 17:59 20 ----h--- c:\progra~2\PKP_DLdu.DAT
2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 10:35 71,680 a------- c:\windows\system32\atl.dll
2009-07-14 09:00 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-14 08:59 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-14 08:58 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-14 06:59 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-11 15:32 513,024 a------- c:\windows\system32\wlansvc.dll
2009-07-11 15:32 302,592 a------- c:\windows\system32\wlansec.dll
2009-07-11 15:32 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-07-11 15:29 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-07-10 02:23 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-10 02:23 86,016 a------- c:\windows\inf\infstor.dat
2009-07-10 02:23 51,200 a------- c:\windows\inf\infpub.dat
2008-08-01 19:57 56 a---h--- c:\programdata\ezsidmv.dat
2008-08-01 19:57 56 a---h--- c:\progra~2\ezsidmv.dat
2008-07-28 10:08 174 a--sh--- c:\program files\desktop.ini
2008-07-28 09:58 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-06-22 15:29 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-06-22 15:29 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-06-22 15:29 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-06-22 15:29 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-03-29 19:19 22 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 12:17:47.45 ===============


#4 Farbar


    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:06 AM

Posted 02 October 2009 - 11:24 AM

Hi cdrhra,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Note 1: Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow files to be shared between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

Note 2: One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the infection please go on with the following steps.

Removal Instructions
  • I see on the log the Coupon Printer for Windows is installed on your computer:
    This program is known to be bundled with adware/spyware.

    For more information please see this:
    A Closer Look at Coupons.com

    To uninstall Coupon Printer for Windows:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please double-click the "Add or Remove Programs" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Coupon Printer for Windows

    Also delete the folders in bold (if present):

    C:\Program Files\Coupon
    C:\Program Files\Coupons

  • Optional: Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we know in 2006; read this article:


    I suggest you uninstall the following program via Add or Remove Programs if you are using it:

    Viewpoint Media Player.

    If you uninstalled it also remove the folder in bold: C:\Program Files\Viewpoint

  • We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Go to Start > Control Panel > Windows Defender.
    • Open Windows Defender.
    • Click on Tools, Options.
    • At the bottom of the Windows Defender page, under Administrator Options, uncheck "use Windows Defender" and then Save.
    • Click Close.
    Note: When everything is done and your log is clean again, you can enable it again.

  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop.
      • Double-click ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.

  • Download ComboFix from one of these locations and save it to your desktop, but rename it to far.exe before saving it:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • If needed, let it reboot and post the log it creates (c:\combofix.log).

#5 cdrhra


Posted 03 October 2009 - 01:52 PM

Farbar, thanks for your advice. The computer has been disconnected from the internet from shortly after I posted, but it was still connected for a while after we started to have the programs. Looks like I need to do a reformat and reinstall. I have files backed up to an external hard drive using Windows Vista back-up. My automatic back-ups periodically failed because of some problem with the system being unable to find the FireWire external drive. I think I have one within a month of problems starting. I can set it up to run an on-demand back-up now.

I had been told that my son was no longer using peer-peer, but what about media files that had been downloaded using that? They will have been backed-up. Is there concern about the back-up drive being infected? If so, is it sufficient to scan the back-up drive with antivirus program and Malwarebytes?

The computer seems to do better in safe mode. If I do a current back-up, should I do it in safe mode?

Thanks again

#6 Farbar



Posted 03 October 2009 - 06:33 PM

The type of infection on your computer doesn't tend to infect files, especially media files. Those files should normally be safe. Running antivirus and anti-spyware on the hard drive should do the job. But if there are archived/compressed password-protected files (especially those with a crack or key generator), the security programs can't open them to scan their content.

The computer seems to do better in safe mode. If I do a current back-up, should I do it in safe mode?

Yes, you might be able to back up in Safe Mode with less interference.
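The point in the reply above, that security programs cannot open password-protected archives, can be checked on a backup drive before anything is restored. The following Python sketch is an added example, not part of the thread or of any tool it names; it covers ZIP archives only, and its function names and sample files are assumptions constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flags: entry is encrypted

def encrypted_members(zip_path):
    """Names of entries a scanner cannot read; None if not a readable ZIP."""
    try:
        with zipfile.ZipFile(zip_path) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]
    except (zipfile.BadZipFile, OSError):
        return None

def audit_backup(root):
    """Walk root and map each ZIP that needs manual review to the reason."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".zip"):
                continue
            path = os.path.join(folder, name)
            locked = encrypted_members(path)
            if locked is None:
                findings[path] = "unreadable archive"
            elif locked:
                findings[path] = "encrypted: " + ", ".join(locked)
    return findings

def write_sample_zip(path, encrypted):
    """Constructed test input: one stored entry, flag bit optionally set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"constructed sample bytes")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit 8 bytes into the central directory header (PK\x01\x02).
        data[data.find(b"PK\x01\x02") + 8] |= ENCRYPTED
    with open(path, "wb") as fh:
        fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        write_sample_zip(os.path.join(root, "photos.zip"), encrypted=False)
        write_sample_zip(os.path.join(root, "keygen.zip"), encrypted=True)
        for path, reason in audit_backup(root).items():
            print(path, "->", reason)
```

Archives reported here are the ones an antivirus scan of the backup drive will have skipped, so they should stay unopened until they can be inspected separately.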

#7 Farbar



Posted 11 October 2009 - 07:45 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
