VISTA+FakeAlert ! GRB Virus


This topic is locked
5 replies to this topic

#1 jimmimcsandy

Members, 7 posts

Posted 31 October 2011 - 11:06 AM

Help! Normally I can clean most of my problems, but this one has me stumped.

System started acting funny - slow - redirects.
Ran MBAM - 0 infections.
Ran Spybot Search and Destroy - 4 tracking cookies - deleted.
Ran COMODO Anti-Virus - 0 infections.
Ran HJT - found 2 "(no name) / file missing" entries - removed them. Didn't see anything else suspicious.
Ran Eusing Registry Cleaner - 350 issues - removed/repaired.
Rebooted - still getting redirects from Google results, accompanied by random "Internet Explorer has stopped responding... restarting Internet Explorer" error messages.
Ran MS Security Essentials (after UNINSTALLING Comodo AV, in case of any conflicts, documented or otherwise) - found 4 infections - all TrojanDownLoader-WiMAD.AZ.
REBOOTED - STILL got hijacked/redirected :(

RAN ESET's ONLINE SCANNER - 192,316 files scanned - 0 infections.
Downloaded and ran GMER - no problems / no rootkits found.
DID A LITTLE MORE INTERNET RESEARCH. Found STINGER off a McAfee link/site.
Downloaded and installed it. RAN IT.
:) YAY, it found 3 infections:
C:\programdata\~1KALMIG2KB7FZPR (FakeAlert!GBR Virus)
C:\programdata\1KALMIG2KB7FZPR (FakeAlert!GBR Virus)
C:\programdata\~1KALMIG2KB7FZP (without the "R" - possibly mutating?) (FakeAlert!GBR Trojan)

Reported as deleted (action taken automatically by Stinger).

Rebooted - STILL GOT redirected :(
Went into SAFE MODE WITH NETWORKING.
RAN STINGER AGAIN, this time with VERY HIGH sensitivity on - 341,321 files scanned.
0 infections found.

...and PLEASE don't JUMP ON ME. I know what I did may be RECKLESS.

Downloaded and RAN COMBOFIX (under a different name, in case viruses/trojans are looking for it by name): 123456fx.exe and/or 1234567fx.exe.
COMBOFIX found 9 infections:
c:\programdata\1KALMiG2KB7Fzp.exe
c:\programdata\csy5mkjxqryun.exe
c:\programdata\ntuser.dat
c:\users\scott\applicationdata\Roaming\Microsoft\Windows\startmenu\programs\system Restore
c:\users\scott\applicationdata\Roaming\Microsoft\Windows\startmenu\programs\system Restore\system Restore.LNK
c:\users\scott\applicationdata\Roaming\Microsoft\Windows\startmenu\programs\system Restore\uninstall system Restore.LNK
c:\users\scott\goToAssistDownLoadHelper.exe
c:\Windows\smdata32a.sys
c:\Windows\smdata32m.sys
+ 4 orphans... and in the rootkit section, 0 rootkits, but there was also "detected NTDLL code modification ZwClose".

YET on reboot into NORMAL MODE, redirects are STILL happening :(

I'm FRuStRaTeD, and now gracefully BOW before the GEEK Gods (at BleepingComputer.com) and ask for MERCY,

and provide a peace offering of the current HJT log and the OTL "Extras.txt" and "OTL.txt" files
(SCAN ONLY, with "EVERYTHING" set to ALL, including ALL USERS;
however, I did not set LOP or PURITY CHECK to on).

OTL Extras logfile created on: 31/10/2011 10:42:05 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Scott\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.24 Gb Total Physical Memory | 2.38 Gb Available Physical Memory | 73.36% Memory free
6.67 Gb Paging File | 5.60 Gb Available in Paging File | 83.99% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.71 Gb Total Space | 310.36 Gb Free Space | 68.11% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.77 Gb Free Space | 57.66% Space Free | Partition Type: NTFS

Computer Name: SCOTT-PC | User Name: Scott | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = ComFile] -- "%1" %*
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\Windows\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf [@ = inffile] -- C:\Windows\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\Windows\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\Windows\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\Windows\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SystemRoot%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\Windows\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
InternetShortcut [print] -- rundll32.exe C:\Windows\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\notepad.exe "%1" (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\notepad.exe /p "%1" (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
vbsfile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wsffile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
wsffile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
wsffile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wshfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01E10733-4AC9-40A2-8371-F074EAF97AF1}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{024A7AFA-18D7-4C5C-B516-12728C04F8F0}" = protocol=17 | dir=in | app=c:\windows\system32\dlbxcoms.exe |
"{0D284825-62F6-4555-8E73-5D871C64BF34}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{11DE524A-77CA-4185-9743-9D3F6D7AF4DD}" = protocol=17 | dir=in | app=c:\program files\lexmark 3600-4600 series\lxdxamon.exe |
"{12599FAA-DAAE-4C4B-B496-4C55301B1653}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdxwbgw.exe |
"{20491CE3-C9C3-4E53-8691-3368D473ED48}" = protocol=6 | dir=in | app=c:\program files\lexmark 3600-4600 series\lxdxmon.exe |
"{2B7D6C25-1A1D-4FCA-8F1A-313958D8E55C}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{335C6924-D98F-4240-A3D4-FF28063B6CAB}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdxpswx.exe |
"{373B2026-3724-402F-95EB-5F06436C5E7F}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{393C3398-276F-41EB-910F-23B0E8CBDD7E}" = protocol=6 | dir=in | app=c:\program files\lexmark 3600-4600 series\frun.exe |
"{4CE6C5F3-C050-456D-B452-17778D426D57}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdxwbgw.exe |
"{51E2A61E-4E11-429F-B1AB-3ADAA2631A72}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{5CD4CACE-DE1F-45ED-8053-1E407DA2FD3D}" = protocol=6 | dir=in | app=c:\windows\system32\dlbxcoms.exe |
"{64F94E04-46D7-4CCD-9389-F935BF4795FB}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{66205CD3-622A-417A-ADAD-5471D8528BF9}" = protocol=17 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{6964164B-EEC5-4559-B9CB-B7618C8EDD50}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdxjswx.exe |
"{742B35A2-3772-4184-99DE-45BD2B1B24EF}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdxpswx.exe |
"{77A2F67E-B6F3-49FB-A042-4614799D43C9}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{8359EAEE-CB35-483D-A1A7-3B9D4B81C1B2}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdxtime.exe |
"{8CCBF3DD-A3B6-4CEB-97C9-9CDFF816339D}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdxtime.exe |
"{9291A277-FC2C-43E7-9F43-B984FE407EC6}" = protocol=6 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{958D00A1-A972-4857-B7D6-BCAC214023CA}" = protocol=17 | dir=in | app=c:\windows\system32\lxdxcoms.exe |
"{9A3CC83E-3DF1-4622-A647-C879D1514AB7}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{A4DE552B-E577-4A8A-A534-9AE79B6A9C59}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdxjswx.exe |
"{A6A14AE2-6FC8-4FBB-9972-9E67ABF5FEEF}" = protocol=6 | dir=in | app=c:\windows\system32\lxdxcoms.exe |
"{AA2F6893-9B7C-4B16-8071-E2DBAF622DFF}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{AAFE5367-AD0D-4531-A314-435D3A6ED62A}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{C549497B-C570-45BE-8924-B917A88A0BC8}" = protocol=6 | dir=in | app=c:\program files\lexmark 3600-4600 series\lxdxamon.exe |
"{DC6FB3DA-8072-4020-8B99-9FC4136CE5C1}" = protocol=17 | dir=in | app=c:\program files\lexmark 3600-4600 series\lxdxmon.exe |
"{DEDF9AA5-B38A-47F2-A573-1F886879F840}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{F20506EA-9CCA-4A2B-8230-5E04F92450BB}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{F99BA107-AD57-423E-A938-012F7CE7EE5E}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{FDDB4F11-2530-4664-8FEE-A5773876CEFC}" = protocol=17 | dir=in | app=c:\program files\lexmark 3600-4600 series\frun.exe |
"TCP Query User{A9EDAF33-D9F0-402E-96C5-3F0A4B62D0C9}C:\program files\lexmark 3600-4600 series\lxdxmon.exe" = protocol=6 | dir=in | app=c:\program files\lexmark 3600-4600 series\lxdxmon.exe |
"UDP Query User{4F2B112F-8717-4883-A55E-9563C8A197BB}C:\program files\lexmark 3600-4600 series\lxdxmon.exe" = protocol=17 | dir=in | app=c:\program files\lexmark 3600-4600 series\lxdxmon.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}" = Adobe Flash Player 10 Plugin
"{10812DE7-2E57-4740-B226-6B3BE34AF9D7}" = Lexmark Tools for Office
"{1E5E2F9A-17D3-45CA-8FF0-B0C2927D4B03}" = MobileMe Control Panel
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{2A697B53-0DE3-42DA-B41D-C3F804B1C538}" = iTunes
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2C6C74C2-042F-4D36-B7B0-0C538FCF01AB}" = Dell DataSafe Online
"{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3A2AD071-AABD-4712-A43E-11D06BAA661D}" = ImageMixer 3 SE Ver.6 Transfer Utility
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4EAB2511-0135-48CA-A47B-CE1E6836793A}" = COMODO Internet Security
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{62CA119E-C5A7-42FC-85E8-4B55AA9E4072}" = ImageMixer 3 SE Ver.6 Video Tools
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6B9B0C6F-E5FA-4633-A640-AB98A272ECCA}" = Safari
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.11.0
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{AC76BA86-7AD7-1033-7B44-A83000000003}" = Adobe Reader 8.3.1
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B9512176-39DE-7B41-BC9C-03D6E73F0224}" = Pixtorio Viewer
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile Device Center Driver Update
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 PCI V.92 Modem
"com.inm.fusion.PixtorioViewer.744790F1545733D757EA034B675902690507C2E8.1" = Pixtorio Viewer
"Defraggler" = Defraggler
"ESET Online Scanner" = ESET Online Scanner v3
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"ExamView Player" = ExamView Player
"ExamView Pro" = ExamView Pro
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.6.5 Full
"Lexmark 3600-4600 Series" = Lexmark 3600-4600 Series
"LimeWire" = LimeWire 5.3.6
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Photo Viewer" = Photo Viewer V208G2
"PROSetDX" = Intel® PRO Network Connections 12.1.11.0
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 17/08/2010 8:39:41 PM | Computer Name = Scott-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 17/08/2010 9:41:45 PM | Computer Name = Scott-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 18/08/2010 7:02:41 PM | Computer Name = Scott-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 18/08/2010 9:41:05 PM | Computer Name = Scott-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 24/08/2010 9:30:21 PM | Computer Name = Scott-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 27/08/2010 8:31:39 PM | Computer Name = Scott-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 28/08/2010 8:11:32 PM | Computer Name = Scott-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 28/08/2010 8:32:05 PM | Computer Name = Scott-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 06/09/2010 11:19:20 AM | Computer Name = Scott-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 06/09/2010 11:24:11 AM | Computer Name = Scott-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ Media Center Events ]
Error - 29/03/2009 1:34:10 PM | Computer Name = Scott-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 09/06/2009 7:34:42 AM | Computer Name = Scott-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]
Error - 30/10/2011 1:03:52 PM | Computer Name = Scott-PC | Source = Microsoft Antimalware | ID = 5101
Description = %%860 grace period has expired. Protection against viruses, spyware,
and other potentially unwanted software is disabled. Expiration Reason: %%873 Expiration
Date (UTC): ? Error Code: 0x80092003 Error Description: An error occurred while reading
or writing to a file.

Error - 30/10/2011 1:03:54 PM | Computer Name = Scott-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 30/10/2011 1:40:00 PM | Computer Name = Scott-PC | Source = Microsoft Antimalware | ID = 5101
Description = %%860 grace period has expired. Protection against viruses, spyware,
and other potentially unwanted software is disabled. Expiration Reason: %%873 Expiration
Date (UTC): ? Error Code: 0x80092003 Error Description: An error occurred while reading
or writing to a file.

Error - 30/10/2011 1:40:04 PM | Computer Name = Scott-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 30/10/2011 1:42:01 PM | Computer Name = Scott-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 31/10/2011 3:01:19 AM | Computer Name = Scott-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 31/10/2011 3:16:52 AM | Computer Name = Scott-PC | Source = DCOM | ID = 10010
Description =

Error - 31/10/2011 3:18:46 AM | Computer Name = Scott-PC | Source = Microsoft Antimalware | ID = 5101
Description = %%860 grace period has expired. Protection against viruses, spyware,
and other potentially unwanted software is disabled. Expiration Reason: %%873 Expiration
Date (UTC): ? Error Code: 0x80092003 Error Description: An error occurred while reading
or writing to a file.

Error - 31/10/2011 3:19:04 AM | Computer Name = Scott-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 31/10/2011 8:21:31 AM | Computer Name = Scott-PC | Source = Service Control Manager | ID = 7034
Description =


< End of report >



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:24 AM, on 31/10/2011
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.17037)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\T2G-ProtectionSuite\Comodo\Comodo Internet Security\cfp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PIXELA\ImageMixer 3 SE Ver.6\Transfer Utility\CameraMonitor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Scott\Desktop\OTL.exe
C:\Windows\notepad.exe
C:\Windows\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\T2G-ProtectionSuite\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://express.rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: YSPManager - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [lxdxmon.exe] "C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe"
O4 - HKLM\..\Run: [lxdxamon] "C:\Program Files\Lexmark 3600-4600 Series\lxdxamon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\T2G-ProtectionSuite\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor Ver.6.lnk = C:\Program Files\PIXELA\ImageMixer 3 SE Ver.6\Transfer Utility\CameraMonitor.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O9 - Extra 'Tools' menuitem: Yahoo! Search Protection - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - AppInit_DLLs: C:\Windows\System32\guard32.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\T2G-ProtectionSuite\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: dlbx_device - - C:\Windows\system32\dlbxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
O23 - Service: lxdx_device - - C:\Windows\system32\lxdxcoms.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\T2G-ProtectionSuite\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7337 bytes

HELP... I admit defeat. I know I should upgrade to IE8 as well.. but will WAIT for your advice.. before going any further.. Thank You.. (in Advance) - JimmiMcSandy
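As an added example (not part of the original post or of HijackThis itself), here is a small Python triage script for HijackThis-style log lines like the ones posted above. The review rules are assumptions for illustration and mirror what the poster looked at: "(no name)" or "(file missing)" entries, O4 Run values without a full path, the O20 AppInit_DLLs entry, and O23 services with no vendor field; the sample lines are copied from the log above.

```python
import re
# Sample lines copied from the HijackThis log posted above; this is not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: YSPManager - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O20 - AppInit_DLLs: C:\Windows\System32\guard32.dll
O23 - Service: dlbx_device - - C:\Windows\system32\dlbxcoms.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""
# Every HJT line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] target".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Absolute target: an optionally quoted drive path, or an environment variable such as %windir%.
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%)')

def parse_hjt(text):
    # Return (section, body) pairs, skipping the header/footer lines HJT adds around the entries.
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m["section"], m["body"]))
    return out

def triage(section, body):
    # Review rules assumed for illustration; a flag means "verify this", not "malicious".
    flags = []
    if "(no name)" in body or "(file missing)" in body:
        flags.append("unnamed entry or missing target")
    if section == "O20":
        flags.append("AppInit_DLLs: DLL is loaded into every process that loads user32.dll")
    if section == "O4" and not ABS_PATH_RE.match(body.split("] ", 1)[-1]):  # text after [name]
        flags.append("Run value without an absolute path (resolved via search order)")
    if section == "O23" and re.search(r" -\s*- ", body):  # "name - <empty vendor> - path"
        flags.append("service with no vendor field")
    return flags

def review(text):
    # Keep only entries that picked up at least one flag, in log order.
    flagged = []
    for section, body in parse_hjt(text):
        flags = triage(section, body)
        if flags:
            flagged.append((section, body, flags))
    return flagged

if __name__ == "__main__":
    for section, body, flags in review(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> {'; '.join(flags)}")
```

On the sample above it flags four of the seven lines (the bare RtHDVCpl.exe Run value, the unnamed O9 button, the AppInit_DLLs entry and the vendor-less dlbx_device service); each flag is a prompt to check the file on disk, not a verdict.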


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:59 AM

Posted 04 November 2011 - 09:36 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double-click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both logs & post them in your next reply.

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

Information and logs:

In your next post I need the following:

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:59 AM

Posted 07 November 2011 - 01:59 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread, it will have to be closed!

Gringo

#4 jimmimcsandy

jimmimcsandy
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:59 AM

Posted 07 November 2011 - 10:00 AM

Hey Gringo.. - thank you for getting back to me.. sorry I didn't reply sooner.. - I can tell from reading.. yours and other techs' responses that you are TRULY Passionate about what you do..

AND as much as I kept reading the recurring message .. "please be patient"... - around 6:46pm Friday night.. :( I had discovered 3 things.. - 1) most of my infections were gone.... 2) my IE7 could not be upgraded to IE8 or IE9. .. NOR rolled back to IE6 to allow a fresh install of 7, 8 or 9... ...because... 3) I needed SP1 and SP2 installed :( and neither of them would install.. cause.. upon further investigation.. the ipmon.ini file was corrupted both in the operating system and in the "source store" (ie: similar to the compressed cab files of the i386 folder of XP) ..and that was just ONE of.. who knows.. how many files..

So.. :( I said.. screw it.. After being dead in the water.. for.. 5 days.. my wallet was taking a beating.. (loss of income) ..and I backed up my data.. reformatted.. and re-installed.. :) all working very VERY WELL NOW :)

But I DOOOOO THANK YOU .. (and apologize for not getting back to you sooner)... I didn't get your email.. until about 11:30.. Friday night.. about 4 hours after you sent it.. - but by then your suggestions were too late. I spent all of Saturday re-installing my software... and downloading 167 Microsoft critical updates.. and 6 reboots.. in between..

sincerely.. "jimmi"

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:59 AM

Posted 07 November 2011 - 12:31 PM

Hello


Sorry we could not get to you sooner (as you can see, we get quite busy). Sometimes the easiest, fastest and safest thing to do is to reinstall.

I am happy all is working and very happy you did come by and let us know.



Gringo

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:59 AM

Posted 10 November 2011 - 12:00 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.