Trojan Horse Generic 17.AYMR & others in vault


16 replies to this topic

#1 grg.clny

Posted 17 April 2010 - 03:26 PM

I have Windows XP Service Pack 3. I already have AVG 8.5, Dr. Web Cure it, Spybot SD, Malwarebytes, SuperAntiSpyware, SpywareBlaster, and ATF Cleaner. They were already installed and working before any of this happened.

In the AVG vault I have the virus name: Trojan Horse Generic 17.AYMR and five others named Trojan Horse Generic 17.AYEN
They all have a different Path to File description. The last threat to pop up was:

File name: listprofitcoach.com/news/march.html
Threat name: Exploit Neosploit Toolkit(type 779)

It was detected by AVG but I did not have the option to move it to the vault.
During the trojan horse threats I did have the "XP Smart Firewall Alert" which looked like the fake threat screen shots I have seen on bleeping computer. I was careful not to click on it. I moved the Trojan horse threats to vault and this problem has not come back. My searches with google and yahoo are still being redirected. I am looking for instructions on what I should do next. I am being careful not to make things worse. I hope the description of my problem has been made clear. I would be grateful for some help. I have some technical ability but fixing computer viruses is out of my league. I thank you for your time and patience.

#2 boopme

Posted 17 April 2010 - 10:30 PM

Please do this first.

Run RKill....

Please download Rkill by Grinler and save it to your desktop (Link 2, Link 3, Link 4).
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot your computer after running rkill as the malware programs will start again.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 grg.clny


Posted 18 April 2010 - 01:08 PM

I downloaded rkill to my desktop. I ran the program and saw the DOS box for a few seconds and then it disappeared. I tried to open Malwarebytes and I got this message:

"This file does not have a file associated with it for performing this action. Create an association in the Folder Options control panel."

The desktop icon for Malwarebytes has not changed but I have noticed the icons for ATF cleaner and Dr Web Cure it have changed.
What should I do next? Thank you.

#4 boopme


Posted 18 April 2010 - 02:02 PM

Go here to Doug Knox's Windows® XP File Association Fixes.
Run the 9th one down on the left... EXE File Association Fix... the EXE one, not the EML one.
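
As an added illustration, not part of the thread or of Doug Knox's fix, this read-only PowerShell check shows what the EXE File Association Fix restores: the registry values that decide what runs when an .exe is opened. The expected values are the Windows XP defaults; a per-user key under HKCU\Software\Classes is reported as suspect because it silently overrides the machine-wide value.

```powershell
# Added example, not from the thread: read-only check of the registry
# values behind the .exe file association, which is what the EXE File
# Association Fix repairs. Expected values are the Windows XP defaults.

function Get-DefaultValue {
    param([string]$Path)
    # Returns the key's "(default)" value, or $null if key or value is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

# Machine-wide values: .exe must map to the exefile ProgID, and exefile's
# open command must launch the program itself with its arguments.
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

$problems = 0
foreach ($path in $expected.Keys) {
    $actual = Get-DefaultValue $path
    if ($actual -eq $expected[$path]) {
        Write-Host ("OK       {0}" -f $path)
    } else {
        $problems++
        Write-Host ("MISMATCH {0} = '{1}' (expected '{2}')" -f $path, $actual, $expected[$path])
    }
}

# HKEY_CLASSES_ROOT is a merged view, and a per-user key under
# HKCU\Software\Classes wins over the machine-wide one. These two keys are
# normally absent on XP, so their presence is a common sign of a hijack
# that a look at HKLM alone would miss.
foreach ($key in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
    if (Test-Path $key) {
        $problems++
        Write-Host ("SUSPECT  per-user override {0} = '{1}'" -f $key, (Get-DefaultValue $key))
    }
}

if ($problems -eq 0) {
    Write-Host 'EXE association is intact.'
} else {
    Write-Host ("{0} problem(s); apply the EXE File Association Fix and re-run this check." -f $problems)
}
```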

#5 grg.clny

  • Local time:09:57 AM

Posted 18 April 2010 - 02:31 PM

I downloaded the EXE File Association Fix zip file. Opened file and was able to open, update, and run Malwarebytes.
MBAM found two threats and I clicked Remove Selected. My scan log is as follows:


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4005

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/18/2010 2:25:28 PM
mbam-log-2010-04-18 (14-25-28).txt

Scan type: Quick scan
Objects scanned: 114567
Time elapsed: 10 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iaanotif (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.


I am rebooting now.

Edited by grg.clny, 18 April 2010 - 03:06 PM.


#6 boopme


Posted 18 April 2010 - 03:13 PM

Now run TFC by OT
Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Reboot again into Safe mode and scan with SUPER
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#7 grg.clny

  • Local time:09:57 AM

Posted 18 April 2010 - 05:36 PM

I ran TFC and rebooted. I then rebooted again in safe mode. I ran a complete scan with SUPERAntiSpyware and removed threats. Rebooted again to complete removal of threats. Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/18/2010 at 05:14 PM

Application Version : 4.35.1002

Core Rules Database Version : 4820
Trace Rules Database Version: 2632

Scan type : Complete Scan
Total Scan Time : 01:33:49

Memory items scanned : 239
Memory threats detected : 0
Registry items scanned : 6397
Registry threats detected : 17
File items scanned : 87338
File threats detected : 27

Trojan.Agent/Gen-Virut
[ehTray] C:\WINDOWS\EHOME\EHTRAY.EXE
C:\WINDOWS\EHOME\EHTRAY.EXE
[ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
[CTDVDDET] C:\PROGRAM FILES\CREATIVE\SBAUDIGY2ZS\DVDAUDIO\CTDVDDET.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY2ZS\DVDAUDIO\CTDVDDET.EXE
[DVDLauncher] C:\PROGRAM FILES\CYBERLINK\POWERDVD\DVDLAUNCHER.EXE
C:\PROGRAM FILES\CYBERLINK\POWERDVD\DVDLAUNCHER.EXE
[ISUSPM Startup] C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISUSPM .EXE
C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISUSPM .EXE
[HP Software Update] C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
[Adobe Reader Speed Launcher] C:\PROGRAM FILES\ADOBE\READER 8.0\READER\READER_SL.EXE
C:\PROGRAM FILES\ADOBE\READER 8.0\READER\READER_SL.EXE
[AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\AVGTRAY.EXE
C:\PROGRA~1\AVG\AVG8\AVGTRAY.EXE
[iTunesHelper] C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
[WMPNSCFG] C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPNSCFG.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPNSCFG.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\CTDVDDET.EXE
C:\PROGRAM FILES\AVG\AVG8\AVGTRAY.EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE
C:\WINDOWS\FONTS\GR14CVF2B.COM_

Trojan.RootKit/Gen
HKLM\System\ControlSet001\Services\k
C:\WINDOWS\SYSTEM32\O.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_k
HKLM\System\ControlSet002\Services\k
HKLM\System\ControlSet002\Enum\Root\LEGACY_k
HKLM\System\CurrentControlSet\Services\k
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_k

Adware.Tracking Cookie
C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@atlas.entrepreneur[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@entrepreneur.122.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@entrepreneur[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@network.realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.googleadservices[1].txt

I checked google and yahoo and my search results are still being redirected? Thank you.

#8 boopme


Posted 18 April 2010 - 07:30 PM

We need to double-check the Virut finding; this is serious malware.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

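
An added, defender-side check that is not from the thread: the MBAM log above removed a Trojan.FakeAlert entry sitting in the Run key under the name of Intel's iaanotif, and the SUPERAntiSpyware log tagged a dozen ordinary startup programs as Virut. This PowerShell script walks the Run and RunOnce keys and, for each target, reports whether the file still exists and what its Authenticode status is, the same unsigned/verified split the BitDefender scan requested here draws. The key paths are the standard ones; a bare file name in a Run value is resolved through PATH.

```powershell
# Added example, not from the thread. Read-only audit of the autorun
# entries under the Run/RunOnce keys: where does each entry point, does
# the file still exist, and is it Authenticode-signed?

function Resolve-RunTarget {
    param([string]$CommandLine)
    # Extract the executable from a Run value such as
    #   "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" /s
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: the program ends at the first ".exe"; the rest is arguments.
    $m = [regex]::Match($cmd, '(?i)^(.*?\.exe)(\s|$)')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-RunEntryReport {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    # Properties Get-ItemProperty adds about the key itself, not Run values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $target = Resolve-RunTarget ([string]$p.Value)
            if ([string]::IsNullOrEmpty($target)) { continue }
            if (-not (Test-Path -LiteralPath $target)) {
                # A bare name such as CTHELPER.EXE is resolved through PATH.
                $app = Get-Command -Name $target -CommandType Application -ErrorAction SilentlyContinue
                if ($app) { $target = @($app)[0].Definition }
            }
            if (-not (Test-Path -LiteralPath $target)) {
                # Orphaned entry: the file the key points to is gone.
                $status = 'MISSING FILE'
            } else {
                # Valid / NotSigned / HashMismatch / NotTrusted / UnknownError.
                # A signed file whose bytes were patched (what a file infector
                # such as Virut does) comes back as HashMismatch. Files signed
                # only through a catalog can show NotSigned on old PowerShell
                # builds, so NotSigned means "look closer", not "infected".
                $status = (Get-AuthenticodeSignature -FilePath $target).Status.ToString()
            }
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Target = $target; Status = $status
            }
        }
    }
}

Get-RunEntryReport | Sort-Object Status, Name | Format-Table Name, Status, Target -AutoSize
```

Entries reported as MISSING FILE or HashMismatch are the ones worth comparing against the scan logs; a NotSigned vendor tool cannot be cleared by this check alone, which is why a second engine is asked for.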

#9 grg.clny

  • Local time:09:57 AM

Posted 18 April 2010 - 07:56 PM

BitDefender stated No Infections Found?
Here is the report. Very Long:


QuickScan Beta 32-bit v0.9.9.18
-------------------------------

Scan date: Sun Apr 18 19:47:28 2010
Machine ID: 5C2B0FB7



No infection found.
-------------------



<unsigned> MD5: d8ddb3f2b1bef15cff6728d89c042c61 C:\WINDOWS\system32\dla\tfsndres.sys
<unsigned> MD5: c4f2dea75300971cdaee311007de138d C:\WINDOWS\system32\dla\tfsnifs.sys
<unsigned> MD5: 272925be0ea919f08286d2ee6f102b0f C:\WINDOWS\system32\dla\tfsnopio.sys
<unsigned> MD5: 7b7d955e5cebc2fb88b03ef875d52a2f C:\WINDOWS\system32\dla\tfsnpool.sys
<unsigned> MD5: e3d01263109d800c1967c12c10a0b018 C:\WINDOWS\system32\dla\tfsnudf.sys
<unsigned> MD5: b9e9c377906e3a65bc74598fff7f7458 C:\WINDOWS\system32\dla\tfsnudfa.sys
<unsigned> MD5: 996e0f51ac076b2e0d851af333ad17b9 C:\WINDOWS\system32\dla\tfswcres.dll
<unsigned> MD5: 352fbf618066d0ceb7dc8ecabeb1a8d7 C:\WINDOWS\system32\dla\tfswctrl.exe
<unsigned> MD5: ecbb15757c8dfcb1d23685fc2b96b898 c:\windows\system32\dla\tfswshx.dll
<unsigned> MD5: 96bc8f872f0270c10edc3931f1c03776

C:\WINDOWS\system32\drivers\drvmcdb.sys
<unsigned> MD5: 5afbec7a6ac61b211633dfdb1d9e0c89

C:\WINDOWS\system32\drivers\DRVNDDM.sys
<unsigned> MD5: f7bb4e7a7c02ab4a2672937e124e306e

C:\WINDOWS\System32\Drivers\PxHelp20.sys
<unsigned> MD5: 98625722ad52b40305e74aaa83c93086

C:\WINDOWS\system32\drivers\sscdbhk5.sys
<unsigned> MD5: d79412e3942c8a257253487536d5a994 C:\WINDOWS\system32\drivers\SSRTLN.sys
<unsigned> MD5: e5a93f799298147e169d689969d5c73f C:\WINDOWS\system32\HPTcpMib.dll
<unsigned> MD5: e965160b09675e027ef8235ef90eb405 C:\WINDOWS\system32\HPTcpMon.dll
<unsigned> MD5: 219541b30b162b7bd1202a252c56f941 C:\WINDOWS\system32\HPTcpMUI.dll
<unsigned> MD5: 2d091a99624fb9e7eef0a86d872ec0c3 C:\WINDOWS\system32\HPZipm12.exe
<unsigned> MD5: b85ec14c7a5f7b2c8d70d4443486dd77 C:\WINDOWS\system32\hpzjrd01.dll
<unsigned> MD5: 945dd2b6ef30ef4da0e32a0b7159cbba C:\WINDOWS\system32\tfswapi.dll
<unsigned> MD5: 1b7524806d0270b81360c63a2fa047cb

C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc

80.dll
<unsigned> MD5: 9090454e6772f7cfbce240bf4dc5f7e8

C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\

mfc80ENU.dll

The following file(s) must be uploaded for server-side scanning:
C:\Program Files\Mozilla Firefox\plugins\wmdbexport.exe

Upload started - 1 file(s)
wmdbexport.exe (466944)
Upload speed - 25 KB/s
Upload finished - 1 uploaded, 0 failed

The uploaded file(s) were found clean.

Scan finished - communication took 21 sec
Total traffic - 0.51 MB sent, 3.24 KB recvd
Scanned 1193 files and modules - 194 seconds

#10 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 April 2010 - 09:20 PM

Ok that was refreshing. I suspect you may have an exploitable area in Java and/or Adobe.

Please check JAVA
Go into Control Panel>Add Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this).

Update Adobe reader
http://get.adobe.com/reader/
UNCHECK this box: Free Google Toolbar (optional)
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
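The Java inventory asked for above can also be taken from the same registry entries that Add/Remove Programs displays. This is an added example, not code from the thread or from BleepingComputer; it assumes PowerShell 2.0 or later is available (it was not shipped with XP SP3, which is why the post uses the Control Panel) and uses only the standard Uninstall and JavaSoft registry keys.

```powershell
# Added example (not from the thread): list Java entries the way Add/Remove
# Programs would, straight from the Uninstall registry keys, and flag when
# more than one JRE is installed side by side, since an older release left
# behind by an update is still loadable by the browser plugin.
# Assumes PowerShell 2.0+; the paths below are the standard Uninstall hives.
$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    $found = @()
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        Get-ChildItem $hive | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Match the display names Sun/Oracle installers use,
            # e.g. "Java(TM) 6 Update 19", "J2SE Runtime Environment 5.0".
            if ($p.DisplayName -match '^(Java|J2SE|JDK|JRE)') {
                $found += New-Object PSObject -Property @{
                    Name    = $p.DisplayName
                    Version = $p.DisplayVersion
                    Key     = $_.PSChildName
                }
            }
        }
    }
    return $found
}

# Wrap in @() so .Count is defined even when a single entry is returned.
$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    Write-Host 'No Java entries in Add/Remove Programs: nothing for a Java exploit to target.'
} else {
    $java | Sort-Object Version | Format-Table Name, Version, Key -AutoSize
    if ($java.Count -gt 1) {
        Write-Host 'More than one Java entry: remove the older releases, they stay exploitable.'
    }
}

# The JRE the browser plugin actually loads is recorded separately by the installer.
$jre = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path $jre) {
    Write-Host ('Active JRE per registry: ' + (Get-ItemProperty $jre).CurrentVersion)
}
```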

#11 grg.clny
  • Topic Starter
  • Members
  • 90 posts

Posted 18 April 2010 - 10:05 PM

I updated Adobe reader. I went to control panel >Add or Remove Programs. I do not have any Java programs listed.
Within the last week or two I downloaded the latest Java update and then went to remove the old versions. I must have removed/uninstalled all of them? I double checked and do not see any Java.

#12 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 April 2010 - 10:17 PM

Well, that means it cannot be exploited. If you find the need for it later you can install from these instructions.
You have to check on Adobe and Java for updates. They are exploited by malware and that's why they update it.


Looks clean, if all else is OK then... Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

#13 grg.clny
  • Topic Starter
  • Members
  • 90 posts

Posted 19 April 2010 - 12:43 PM

I checked Firefox and IE and I am still getting redirected with my yahoo and google searches. It does not happen with every search result but I still get a few. Is there anything else I can do? I really appreciate the help. If there is any other information I can provide to help with this let me know.

I also had a "HPProduct Assistant" window pop up when the computer was rebooted. I stopped it with the Windows Task Manager. I have an HP printer but this does not look like the HP update window I normally get. I do not know if this is fake or is helpful to you. I do not know how to save a screen shot. Thanks

Edited by grg.clny, 19 April 2010 - 12:48 PM.


#14 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 April 2010 - 12:54 PM

Hi, it seems lingering malware is being protected by a driver or a service.
We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.

Let me know if that went well.

#15 grg.clny
  • Topic Starter
  • Members
  • 90 posts

Posted 19 April 2010 - 02:04 PM

I was in the middle of my Gmer scan and I got this pop up window: gmer.exe had encountered a problem and needs to close. We are sorry for the inconvenience.

I can "click here" for more information or click "Close"?

Update: My computer completely locked up after this. The only thing I could do was pull the plug on the power. Not sure where I need to start. Go back to step 6 or just rerun the GMER scan?

Edited by grg.clny, 19 April 2010 - 03:06 PM.
