Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Torpig report from ISP (computer 4-Gateway laptop Vista)


  • This topic is locked This topic is locked
16 replies to this topic

#1 bcoleinaz

bcoleinaz

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 12 June 2010 - 05:31 PM

My ISP (Qwest) has repeatedly blocked my internet access due to malware/bot detection over the past 3 months.

I have 5 computers on my network, but Qwest is not able to tell me which one it is coming from. I will submit a separate topic for each computer. This one is for a Gateway laptop running windows Vista Home SP1 wireless to the router.

When this started happening, I was using ZoneAlarm Extreme Security only for my computer security.
My ISP (Qwest) has suggested many different software solutions, which I have implemented and scanned with. They include Microsoft Malicious Software Removal Tool, TrendMicro RUBotted, BotHunter, Microsoft Security Essentials. I have also received information from several local computer techs to use MalwareBytes, SuperAntiSpyware, AVG free and Avast Anti-virus. The last one I spoke with said everything Qwest has suggested is useless as is AVG free and ZoneAlarm (except maybe the firewall). He recommends MalwareBytes, SuperAntiSpyware and Avast. I have been unable to install and run Avast on this computer, as the computer will not run, but freezes when I install it. As soon as I uninstall it again, the computer runs.
Quick scans by any of these programs find nothing. Full scans produce adware cookies, but nothing else for the past month+. I pretty much run a full scan by one of them each day and remove anything that they find.

Here is the most recent log Qwest sent me of the detected Bot activity. This is the first time I have heard that it is Torpig, which I guess is an infection of the master boot record, which can cause all the other programs to not be able to detect it.

Date & Time (GMT) Source Port MW Type
Date/Time Seen (GMT) Infection Data (*)
--------------- -------------------- ------------------------------
date: 2010-05-27 list: bots
2010-05-26 18:02:15 srcport 13466 mwtype Torpig destaddr 91.20.208.178
2010-05-26 18:02:49 srcport 13467 mwtype Torpig destaddr 91.20.208.178
2010-05-26 21:03:49 srcport 22708 mwtype Torpig destaddr 91.20.208.178
2010-05-26 21:04:25 srcport 22709 mwtype Torpig destaddr 91.20.208.178

Here is the most recent email Qwest sent me to resolve the problem.

--------------Begin Email-------------
Mebroot is a rootkit, which means that the master boot record itself is infected. Trend Micro suggests performing a system recovery in addition to updating and running the latest antivirus:
http://www.trendmicro.com/vinfo/virusencyc...AD&VSect=Sn
Looks like McAfee suggests similar steps:
http://vil.nai.com/vil/content/v_143908.htm#tab5
It looks like Torpig/Anserin removal isn't complete until registry keys are removed.
Symantec:
http://www.symantec.com/security_response/...-99&tabid=3
Torpig is also on the list of signatures that the Microsoft Malicious Software Removal Tool has:
http://www.microsoft.com/security/malwareremove/default.mspx
--------------End of Email---------------

I first downloaded and scanned with the Microsoft Malicious Software Removal Tool, which found nothing.

When I attempted to use the Windows Recovery Console and use "fixmbr", I got the following message:
** CAUTION **
This computer appears to have a non-standard or invalid master boot record.

FIXMBR could cause all the partitions on the current hard disk to become inaccessible.

If you are not having problems accessing your drive, do not continue.

Are you sure you want to write a new MBR?

----------------------------------------------
Since I am not having problems accessing my drive, it does not seem that I should continue.
Therefore, I answered N and exited the process.

That is when I did more research and found your website.

I have run the steps as specified in the Preparation Guide.

Following is DDS.txt


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 6:40:30.37 on Sat 06/12/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.957.111 [GMT -7:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Norton AntiVirus *disabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\tlntsvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\1176845002\ee\aolsoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://air1.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT3707
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT3707
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT3707
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Windows Sidebar] "c:\program files\windows sidebar\Sidebar.exe" /autorun
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [MRC] "c:\program files\pc tune-up\PCTuneUp.exe" /MBRSTART
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AOL Fast Start] "c:\program files\aol 9.0a\AOL.EXE" -b
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [HostManager] "c:\program files\common files\aol\1176845002\ee\AOLSoftware.exe"
mRun: [WordPerfect Office 1215] "c:\program files\wordperfect office 12\programs\Registration.exe" /title="WordPerfect Office 12" /date=092107 serial=wo12wrx-0000002-hbu lang=EN
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag spirit\AGRemind.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Plant%20Tycoon/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://www.playfirst.com/play/game/chocolatier/ChocolatierWeb.1.0.0.13.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://www.playfirst.com/play/game/trijinx/TriJinx.1.0.0.86.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.playfirst.com/play/game/dinerdash2/DinerDash2.1.0.0.67.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://www.playfirst.com/play/game/dreamchronicles/dreamweb.1.0.0.9.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.playfirst.com/play/game/luxor/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.playfirst.com/play/game/dinerdashfloonthego/ddfotg.1.0.0.32.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Plant%20Tycoon/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://www.playfirst.com/play/game/feedingfrenzy/SproutLauncher.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.playfirst.com/play/game/weddingdash/WeddingDash.1.0.0.44.cab
DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} - hxxp://download.playfirst.com/play/game/sweetopia/Sweetopia.1.0.0.22.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: DfLogon - LogonDll.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\wt0sdoxr.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://air1.com/
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaExtensions.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\wt0sdoxr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\ksolo\npAVX.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\wt0sdoxr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\wt0sdoxr.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-6 162768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-6 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-5-6 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-6 40384]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-9-2 78104]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2010-3-12 582992]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-6 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-6 40384]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-10-14 35448]
R3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;c:\windows\system32\drivers\RTL85n86.sys [2006-11-2 311808]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-3-12 206608]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-11-20 21504]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-3-12 206608]

=============== Created Last 30 ================

2010-06-12 13:31:01 0 ----a-w- c:\users\owner\defogger_reenable
2010-06-12 10:42:47 0 d-----w- c:\program files\Windows Portable Devices
2010-06-12 10:42:05 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-06-12 10:23:35 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-06-12 10:23:33 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-06-12 10:23:32 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-06-12 10:21:59 481792 ----a-w- c:\windows\system32\dxgi.dll
2010-06-12 10:21:59 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2010-06-12 10:21:59 1030144 ----a-w- c:\windows\system32\d3d10.dll
2010-06-12 10:16:27 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-06-12 10:16:26 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-06-12 10:16:26 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-06-12 08:49:50 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-06-12 08:49:48 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-12 08:49:47 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-12 03:42:38 0 d-----w- c:\windows\system32\eu-ES
2010-06-12 03:42:38 0 d-----w- c:\windows\system32\ca-ES
2010-06-12 03:42:36 0 d-----w- c:\windows\system32\vi-VN
2010-06-11 22:43:48 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-11 22:43:44 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-11 22:43:13 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-11 22:34:47 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-11 15:51:20 0 d-----w- c:\windows\system32\EventProviders
2010-06-10 22:57:30 0 d-----w- c:\users\owner\appdata\roaming\licenses
2010-06-10 22:57:27 0 d-----w- c:\users\owner\appdata\roaming\PCMM2009
2010-06-10 22:57:16 0 d-----w- c:\users\owner\appdata\roaming\PCMM2010
2010-06-08 20:00:37 0 d-----w- C:\7d7455a7af5ce4dadd748d2ad52e
2010-05-27 22:25:24 0 d-----w- c:\program files\Ask.com
2010-05-27 22:23:30 0 d-----w- c:\program files\Foxit Software
2010-05-26 19:45:06 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 00:50:36 864 ----a-w- c:\users\owner\.recently-used.xbel

==================== Find3M ====================

2010-06-12 10:42:33 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-06-12 10:42:33 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-12 10:42:32 86016 ----a-w- c:\windows\inf\infstor.dat
2010-06-12 10:42:32 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-12 02:58:16 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-05-12 18:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 16:31:23 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-21 00:49:13 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-03-02 03:07:59 32768 --sha-w- c:\windows\temp\cookies\index.dat
2010-03-02 03:07:59 49152 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-03-02 03:07:59 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 6:44:30.65 ===============

I had several problems running GMER. The computer repeatedly completely crashed - black screen. I then began watching it and saved the ark.txt file several times during the process. The one attached is done before the scan finished. It stopped while scanning the following entry.
\Device\HarddiskVolumeShadowCopy1
I then received the following message from Windows:
--------error message follows-----------
Microsoft Windows
gmer.exe has stopped working
A problem caused the program to stop working correctly.
Windows will close the program and notify you if a solution
is available.

-----------end of message--------------
Both attached.txt and ark.txt are zipped.

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:02 AM

Posted 21 June 2010 - 02:20 PM

Greetings

Let me think a little while about the other problem.

Somethings to remember while we are working together.

  1. Do not run any other tool untill instructed to do so!
  2. Do not Attach logs unless I ask you to.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool untill instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


:run combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log From Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 bcoleinaz

bcoleinaz
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 21 June 2010 - 04:25 PM

ComboFix had completed stage_50.
Then the computer screen went blue - no message - only straight white lines from top to bottom (almost like it was trying to print a message, but that the pixels got stuck and just repeated down the screen.)

#4 bcoleinaz

bcoleinaz
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 21 June 2010 - 05:58 PM

Should I just run ComboFix again?

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:02 AM

Posted 21 June 2010 - 06:10 PM

Yes please do

Did you have to restart or what happened?


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 bcoleinaz

bcoleinaz
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 22 June 2010 - 01:43 AM

Yes, I had to reboot.

Here's the ComboFix log
ComboFix 10-06-21.01 - Owner 06/21/2010 23:03:01.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.957.283 [GMT -7:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Norton AntiVirus *disabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dfinstall.log
c:\programdata\Windows
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-22 06:21 . 2010-06-22 06:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-22 06:21 . 2010-06-22 06:21 -------- d-----w- c:\users\Experience\AppData\Local\temp
2010-06-18 23:47 . 2010-06-18 23:47 -------- d-----w- c:\users\Owner\AppData\Roaming\Facebook
2010-06-12 10:42 . 2010-06-12 10:42 -------- d-----w- c:\program files\Windows Portable Devices
2010-06-12 10:23 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-06-12 10:23 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-06-12 10:23 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-06-12 10:21 . 2009-09-25 01:31 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2010-06-12 10:21 . 2009-09-25 01:31 1030144 ----a-w- c:\windows\system32\d3d10.dll
2010-06-12 10:21 . 2009-09-25 01:30 481792 ----a-w- c:\windows\system32\dxgi.dll
2010-06-12 10:19 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-06-12 10:19 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-06-12 10:19 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-06-12 10:19 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-06-12 10:19 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-06-12 10:19 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-06-12 10:19 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-06-12 10:19 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-06-12 10:19 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-06-12 10:19 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-06-12 10:19 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-06-12 10:19 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-06-12 10:16 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-06-12 10:16 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-06-12 10:16 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-06-12 08:49 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-06-12 08:49 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-12 08:49 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-12 03:42 . 2010-06-12 03:43 -------- d-----w- c:\windows\system32\ca-ES
2010-06-12 03:42 . 2010-06-12 03:43 -------- d-----w- c:\windows\system32\eu-ES
2010-06-12 03:42 . 2010-06-12 03:43 -------- d-----w- c:\windows\system32\vi-VN
2010-06-11 22:43 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-11 22:43 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-11 22:43 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-11 22:34 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-11 15:51 . 2010-06-11 15:51 -------- d-----w- c:\windows\system32\EventProviders
2010-06-10 22:57 . 2010-06-10 23:05 -------- d-----w- c:\users\Owner\AppData\Roaming\licenses
2010-06-10 22:57 . 2010-06-10 23:03 -------- d-----w- c:\users\Owner\AppData\Roaming\PCMM2009
2010-06-10 22:57 . 2010-06-10 22:57 -------- d-----w- c:\users\Owner\AppData\Roaming\PCMM2010
2010-06-08 20:00 . 2010-06-08 20:00 -------- d-----w- C:\7d7455a7af5ce4dadd748d2ad52e
2010-05-27 22:25 . 2010-05-27 22:25 -------- d-----w- c:\program files\Ask.com
2010-05-27 22:23 . 2010-06-10 23:07 -------- d-----w- c:\program files\Foxit Software
2010-05-27 21:42 . 2010-05-27 21:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-26 19:45 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 21:26 . 2009-11-21 02:09 144 ----a-w- c:\windows\system32\pdfl.dat
2010-06-21 06:36 . 2010-01-08 20:38 -------- d-----w- c:\users\Owner\AppData\Roaming\Skype
2010-06-20 23:04 . 2010-01-08 20:42 -------- d-----w- c:\users\Owner\AppData\Roaming\skypePM
2010-06-16 23:49 . 2010-04-15 02:13 -------- d-----w- c:\users\Owner\AppData\Roaming\PrimoPDF
2010-06-12 10:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-12 10:42 . 2010-06-12 10:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-06-12 10:16 . 2007-02-28 04:57 -------- d-----w- c:\programdata\Microsoft Help
2010-06-12 03:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-06-12 03:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-06-12 03:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-06-12 03:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-06-12 03:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-06-12 03:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-06-11 15:40 . 2010-05-06 17:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-27 21:25 . 2010-04-14 03:02 -------- d-----w- c:\programdata\NOS
2010-05-25 00:50 . 2008-11-30 22:40 -------- d-----w- c:\users\Owner\AppData\Roaming\gtk-2.0
2010-05-21 21:14 . 2009-11-19 05:55 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-10 07:09 . 2010-05-10 07:09 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-05-06 21:59 . 2010-05-06 21:59 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2010-05-06 21:59 . 2010-05-06 21:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 16:47 . 2010-05-06 18:08 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-05-06 18:08 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:35 . 2010-05-06 18:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-05-06 18:12 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-05-06 18:12 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-05-06 18:12 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-14 16:31 . 2010-05-06 18:12 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 23:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Windows Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26100520]
"MRC"="c:\program files\PC Tune-Up\PCTuneUp.exe" [2009-10-06 2960704]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-11 2403568]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"AOL Fast Start"="c:\program files\AOL 9.0a\AOL.EXE" [2006-11-10 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-12 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"HostManager"="c:\program files\Common Files\AOL\1176845002\ee\AOLSoftware.exe" [2006-09-26 50736]
"WordPerfect Office 1215"="c:\program files\WordPerfect Office 12\Programs\Registration.exe" [2004-03-08 733184]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Forget Me Not.lnk - c:\program files\Broderbund\AG Spirit\AGRemind.exe [2009-5-13 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:b7,46,86,fe,e2,09,cb,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3175163142-518575465-1637216730-1000]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3175163142-518575465-1637216730-1001]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3175163142-518575465-1637216730-500]
"EnableNotificationsRef"=dword:00000002

R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2008-11-06 582992]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
R3 vsdatant7;vsdatant7;c:\windows\system32\drivers\vsdatant.win7.sys [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-31 67656]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-04-14 51792]
S2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2009-10-14 25208]
S2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2009-10-14 476528]
S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2009-09-02 78104]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2009-10-14 35448]
S3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;c:\windows\system32\DRIVERS\RTL85n86.sys [2006-11-02 311808]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://air1.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT3707
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://www.playfirst.com/play/game/chocolatier/ChocolatierWeb.1.0.0.13.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://www.playfirst.com/play/game/trijinx/TriJinx.1.0.0.86.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://www.playfirst.com/play/game/dreamchronicles/dreamweb.1.0.0.9.cab
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\wt0sdoxr.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://air1.com/
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaExtensions.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\wt0sdoxr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Owner\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\wt0sdoxr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\wt0sdoxr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-DfLogon - LogonDll.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-21 23:26
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(664)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'csrss.exe'(540)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll

- - - - - - - > 'csrss.exe'(604)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
Completion time: 2010-06-21 23:38:39
ComboFix-quarantined-files.txt 2010-06-22 06:38

Pre-Run: 53,716,905,984 bytes free
Post-Run: 53,771,247,616 bytes free

- - End Of File - - 9C30B16DDBADB2CC660F127BD7946E77


#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:02 AM

Posted 22 June 2010 - 02:09 AM

Hello

this computer looks pretty good but I see alot of left overs from avast and zonealarm I think you just removed zonealarm right?

if you did then I found this tool to remove all of zonealarm
http://download.zonealarm.com/bin/free/sup.../cpes_clean.exe

If you run the tool then do it first so I can see how it did in the log

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
Driver::
vsdatant7
aswSP
aswFsBlk


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 bcoleinaz

bcoleinaz
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 22 June 2010 - 08:33 AM

I actually plan to keep avast.
As for zonealarm, I am getting rid of everything except the firewall.

#9 bcoleinaz

bcoleinaz
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 22 June 2010 - 11:13 AM

I'm not sure what happened.
I uninstalled zonealarm. (I will install the firewall when we are done.)
Then I started ComboFix with the script.
There was an update to a newer version, which I did, and then the scan started.
The last thing I know was that it had completed several phases & I had to leave to run an errand.
When I returned, the computer was off.
Should I just re-run ComboFix? With or without the script?

Edited by bcoleinaz, 22 June 2010 - 11:16 AM.


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:02 AM

Posted 22 June 2010 - 01:49 PM

run it without I will see what I need to see


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 bcoleinaz

bcoleinaz
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 22 June 2010 - 03:43 PM

Ok. When the scan finished & I tried to run Firefox, I received the following message:
C:\Program Files\Mozilla Firefox\firefox.exe
Illegal operation on a registry key that has been marked for deletion.
[OK]

So firefox wouldn't start. Also internet explorer wouldn't start either.
So I rebooted. They start ok now.

Here's the ComboFix log:
ComboFix 10-06-22.02 - Owner 06/22/2010 13:07:39.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.957.420 [GMT -7:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Norton AntiVirus *disabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-22 20:21 . 2010-06-22 20:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-22 20:21 . 2010-06-22 20:21 -------- d-----w- c:\users\Experience\AppData\Local\temp
2010-06-22 20:21 . 2010-06-22 20:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-22 14:03 . 2010-06-22 14:03 -------- d-----w- c:\program files\Conduit
2010-06-22 13:35 . 2010-06-22 13:35 -------- d-----w- c:\programdata\ZA_PreservedFiles
2010-06-18 23:47 . 2010-06-18 23:47 -------- d-----w- c:\users\Owner\AppData\Roaming\Facebook
2010-06-12 10:42 . 2010-06-12 10:42 -------- d-----w- c:\program files\Windows Portable Devices
2010-06-12 10:23 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-06-12 10:23 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-06-12 10:23 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-06-12 10:21 . 2009-09-25 01:31 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2010-06-12 10:21 . 2009-09-25 01:31 1030144 ----a-w- c:\windows\system32\d3d10.dll
2010-06-12 10:21 . 2009-09-25 01:30 481792 ----a-w- c:\windows\system32\dxgi.dll
2010-06-12 10:19 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-06-12 10:19 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-06-12 10:19 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-06-12 10:19 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-06-12 10:19 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-06-12 10:19 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-06-12 10:19 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-06-12 10:19 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-06-12 10:19 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-06-12 10:19 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-06-12 10:19 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-06-12 10:19 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-06-12 10:16 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-06-12 10:16 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-06-12 10:16 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-06-12 08:49 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-06-12 08:49 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-12 08:49 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-12 03:42 . 2010-06-12 03:43 -------- d-----w- c:\windows\system32\ca-ES
2010-06-12 03:42 . 2010-06-12 03:43 -------- d-----w- c:\windows\system32\eu-ES
2010-06-12 03:42 . 2010-06-12 03:43 -------- d-----w- c:\windows\system32\vi-VN
2010-06-11 22:43 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-11 22:43 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-11 22:43 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-11 22:34 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-11 15:51 . 2010-06-11 15:51 -------- d-----w- c:\windows\system32\EventProviders
2010-06-10 22:57 . 2010-06-10 23:05 -------- d-----w- c:\users\Owner\AppData\Roaming\licenses
2010-06-10 22:57 . 2010-06-10 23:03 -------- d-----w- c:\users\Owner\AppData\Roaming\PCMM2009
2010-06-10 22:57 . 2010-06-10 22:57 -------- d-----w- c:\users\Owner\AppData\Roaming\PCMM2010
2010-06-08 20:00 . 2010-06-08 20:00 -------- d-----w- C:\7d7455a7af5ce4dadd748d2ad52e
2010-05-27 22:25 . 2010-05-27 22:25 -------- d-----w- c:\program files\Ask.com
2010-05-27 22:23 . 2010-06-10 23:07 -------- d-----w- c:\program files\Foxit Software
2010-05-27 21:42 . 2010-05-27 21:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-26 19:45 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-22 14:03 . 2009-11-21 02:32 -------- d-----w- c:\users\Owner\AppData\Roaming\CheckPoint
2010-06-22 14:02 . 2009-11-21 02:09 -------- d-----w- c:\program files\CheckPoint
2010-06-21 06:36 . 2010-01-08 20:38 -------- d-----w- c:\users\Owner\AppData\Roaming\Skype
2010-06-20 23:04 . 2010-01-08 20:42 -------- d-----w- c:\users\Owner\AppData\Roaming\skypePM
2010-06-18 23:47 . 2010-06-18 23:47 50354 ----a-w- c:\users\Owner\AppData\Roaming\Facebook\uninstall.exe
2010-06-16 23:49 . 2010-04-15 02:13 -------- d-----w- c:\users\Owner\AppData\Roaming\PrimoPDF
2010-06-12 10:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-12 10:42 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-06-12 10:42 . 2010-06-12 10:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-06-12 10:16 . 2007-02-28 04:57 -------- d-----w- c:\programdata\Microsoft Help
2010-06-12 03:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-06-12 03:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-06-12 03:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-06-12 03:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-06-12 03:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-06-12 03:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-06-11 15:44 . 2010-05-18 22:02 63488 ----a-w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-11 15:44 . 2010-05-06 17:57 117760 ----a-w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-11 15:40 . 2010-05-06 17:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\users\Owner\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-05-31 23:34 . 2010-06-12 04:29 702120 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\wt0sdoxr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-05-31 23:34 . 2010-06-12 04:29 868456 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\wt0sdoxr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-05-27 21:25 . 2010-04-14 03:02 -------- d-----w- c:\programdata\NOS
2010-05-25 00:50 . 2008-11-30 22:40 -------- d-----w- c:\users\Owner\AppData\Roaming\gtk-2.0
2010-05-21 21:14 . 2009-11-19 05:55 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-10 07:09 . 2010-05-10 07:09 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-05-06 21:59 . 2010-05-06 21:59 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2010-05-06 21:59 . 2010-05-06 21:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-26 18:22 . 2010-04-26 18:22 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-14 16:47 . 2010-05-06 18:08 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-05-06 18:08 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:35 . 2010-05-06 18:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-05-06 18:12 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-05-06 18:12 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-05-06 18:12 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-14 16:31 . 2010-05-06 18:12 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-29 15:53 . 2010-04-14 03:01 32576 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\wt0sdoxr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-29 15:53 . 2010-04-14 03:01 29984 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\wt0sdoxr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 23:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Windows Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26100520]
"MRC"="c:\program files\PC Tune-Up\PCTuneUp.exe" [2009-10-06 2960704]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-11 2403568]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-12 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"HostManager"="c:\program files\Common Files\AOL\1176845002\ee\AOLSoftware.exe" [2006-09-26 50736]
"WordPerfect Office 1215"="c:\program files\WordPerfect Office 12\Programs\Registration.exe" [2004-03-08 733184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Forget Me Not.lnk - c:\program files\Broderbund\AG Spirit\AGRemind.exe [2009-5-13 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:b7,46,86,fe,e2,09,cb,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3175163142-518575465-1637216730-1000]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3175163142-518575465-1637216730-1001]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3175163142-518575465-1637216730-500]
"EnableNotificationsRef"=dword:00000002

R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2008-11-06 582992]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-31 67656]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-04-14 51792]
S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2009-09-02 78104]
S3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;c:\windows\system32\DRIVERS\RTL85n86.sys [2006-11-02 311808]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://air1.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT3707
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://www.playfirst.com/play/game/chocolatier/ChocolatierWeb.1.0.0.13.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://www.playfirst.com/play/game/trijinx/TriJinx.1.0.0.86.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://www.playfirst.com/play/game/dreamchronicles/dreamweb.1.0.0.9.cab
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\wt0sdoxr.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://air1.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\wt0sdoxr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Owner\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\wt0sdoxr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\wt0sdoxr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ZoneAlarm Extreme Security - c:\program files\Zone Labs\ZoneAlarm\zauninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-22 13:21
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-06-22 13:29:17
ComboFix-quarantined-files.txt 2010-06-22 20:29
ComboFix2.txt 2010-06-22 15:14
ComboFix3.txt 2010-06-22 06:38

Pre-Run: 57,068,515,328 bytes free
Post-Run: 57,050,206,208 bytes free

- - End Of File - - 8FF6C40D025AB4D981DBC2B107AFD283

By the way, I uninstalled Zonealarm. Why is this saying the Zonealarm anti-virus is there but disabled?

Edited by bcoleinaz, 22 June 2010 - 03:54 PM.


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:02 AM

Posted 22 June 2010 - 04:05 PM

Hello

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Ask Toolbar <-- not dangerous but unwanted
    iWin Games (remove only) <-- not dangerous but unwanted
    Viewpoint Media Player <-- not dangerous but unwanted
    Java™ SE Runtime Environment 6


    and click on remove

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan

Go Eset web page to run an online scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. Log From ESET Online Scanner
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 bcoleinaz

bcoleinaz
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 22 June 2010 - 04:10 PM

Viewpoint seems to be part of AOL.
The other computer that I removed it from reinstalled it the first time she ran AOL.

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:02 AM

Posted 22 June 2010 - 04:29 PM

yes viewpoint will get reinstalled if you use AOL

it is not dangerous so leave alone

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 bcoleinaz

bcoleinaz
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 22 June 2010 - 08:28 PM

MBAM.txt
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4226

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

6/22/2010 3:22:15 PM
mbam-log-2010-06-22 (15-22-15).txt

Scan type: Quick scan
Objects scanned: 134378
Time elapsed: 10 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------------------------
ESET log (ESET found nothing)

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users