Malwarebytes Hijackthis Spybot and even Rootrepeal won't run


19 replies to this topic

#1 maryy
New Member, 10 posts

Posted 06 September 2009 - 12:27 PM

Wow! Whatever I got is a piece of work this malware must be! The following either won't load or get interrupted and disappear midscan:

Malwarebytes
Spybot
Hijackthis and even
Rootrepeal
Combofix as combo-fix.exe on the desktop also will not run

hey, "who are those guys?"

The system has Avira Premium Security Suite and it blocks outgoing packets and attempts by msa.exe and b.exe to access the internet. However a full scan including rootkits done by the Avira program reveals no problem. Avira seems to scan fine, it just doesn't find anything to remove.

I do have an uninfected computer on which I am running now and writing from. I can transfer programs via USB flashdrive-- and my infected computer can boot from one. I have a 2GB flashdrive and can borrow a 16GB one if that helps. The system has a CD/DVD drive. My uninfected system burns CD's but not DVD's.

Thanks to your forum, I did install the console prior to this infestation and can access it at startup. However even though I downloaded combofix to the desktop as "combo-fix" it also will not run past the first display or so.

The system is a Core 2 Duo running WinXP SP/3 with most of the updates done but maybe not the last week's or so.

I tried updating Spybot which worked and now it shows up in the task bar again however it won't come up. It did detect msa.exe on one startup (a few restarts ago) and offered to delete it which I accepted. Now, msa.exe no longer shows up in the running processes list on Task Manager. However b.exe is still present. Teatimer is in the list of running processes.

I'd appreciate (you have no idea how much) any help you can provide in removing this persistent pest. And I will be delighted to contribute (again) to your excellent efforts. I'd also appreciate it if you know whether this could be a password stealer or other identity theft risk, in which case I will use the other computer to change banking passwords.

Again thanks for all the good you guys do! I'll watch here for replies.

#2 Maurice Naggar
Staff, Moderators, 14,550 posts
Location: USA
Interests: Security, Windows, Windows Update, malware prevention

Posted 06 September 2009 - 12:49 PM

Hello,

Excellent notes on your part. Let's start with some things.
#1 Disable and keep disabled Tea Timer, otherwise it will revert any fixes we make during cleanups.
Right click the Spybot Icon (blue icon with lock) in the system tray (notification area).
  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.


Next, Start with this and on the next round, we'll begin actual cleanups:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=
Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
=

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=
3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe and really try to Rename it ALPHA.exe

IF unable to download it, use another pc to download and then transfer it to the DESKTOP

  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here


  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):
  • the contents of OTL.txt;
  • the contents of Extras.txt ; and
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.
Maurice Naggar
Product Support


I close my threads if there are 5 days without a response.

#3 maryy

Posted 06 September 2009 - 01:18 PM

Hi and thank you for the prompt reply.

I have a question about Avira Premium Security Suite. I can uncheck the various scan options but I can not shut it off completely and it still asks for various permissions. I don't mind uninstalling it if that would be better-- please advise.

Prior to your reply, I ran Combofix again as Combo-fix.exe and it ran and updated itself. It then provided the following log which I am adding here in case it changes your instructions. I apologize for jumping the gun but I thought Combofix wasn't running because the blue screen was on for quite a while -- or maybe it started running at some point. In any case, I thought it better to hold off following the previous instructions and let you know about this log. I regret the inconvenience and incompleteness of the first post!



*-------

ComboFix 09-09-06.02 - user1 09/06/2009 10:44.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1603 [GMT -7:00]
Running from: c:\documents and settings\user1\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\HOLUX
c:\documents and settings\All Users\Start Menu\Programs\HOLUX \GpsViewer.lnk
c:\documents and settings\user1\Application Data\inst.exe
C:\install.exe
c:\windows\Installer\4e340b3.msi
c:\windows\Installer\50887c3.msp
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\UA000019.DLL
c:\windows\UA000079.DLL
c:\windows\UA000106.DLL

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-06 15:52 . 2009-09-06 15:52 -------- d-----w- c:\program files\GiPo@Utilities
2009-09-06 15:52 . 2009-09-06 15:52 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2009-09-06 07:08 . 2009-09-06 07:08 -------- d-----w- c:\documents and settings\user1\Application Data\Avira
2009-09-06 06:59 . 2009-05-08 21:13 97608 ----a-w- c:\windows\system32\drivers\avfwot.sys
2009-09-06 06:59 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-06 06:59 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-06 06:59 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-06 06:59 . 2009-02-24 20:06 69632 ----a-w- c:\windows\system32\drivers\avfwim.sys
2009-09-06 06:59 . 2009-09-06 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-06 06:59 . 2009-09-06 06:59 -------- d-----w- c:\program files\Avira
2009-09-06 06:40 . 2009-09-06 06:40 -------- d-----w- c:\program files\ESET
2009-09-05 22:28 . 2009-09-05 22:28 -------- d-----w- c:\program files\CMS Products
2009-09-05 22:28 . 2007-08-31 19:39 10240 ----a-w- c:\windows\system32\drivers\portd64.sys
2009-09-05 22:21 . 2008-01-02 16:35 35520 ----a-w- c:\windows\system32\BBUninstall.exe
2009-09-05 22:21 . 2009-09-05 22:21 -------- d-----w- c:\documents and settings\user1\Application Data\InstallShield Installation Information
2009-08-27 06:28 . 2009-08-27 06:29 -------- d-----w- c:\program files\MapExplorer
2009-08-27 06:20 . 2009-08-27 06:20 -------- d-----w- c:\documents and settings\user1\Application Data\GARMIN
2009-08-26 00:22 . 2003-09-22 23:01 11520 ------w- c:\windows\system32\drivers\WDMSTUB.sys
2009-08-25 23:43 . 2007-03-08 22:18 8320 ----a-w- c:\windows\system32\drivers\grmnusb.sys
2009-08-25 23:43 . 2007-03-08 22:18 18432 ----a-w- c:\windows\system32\drivers\grmngen.sys
2009-08-25 23:41 . 2009-08-27 06:17 -------- d-----w- C:\Garmin
2009-08-15 20:36 . 2009-08-15 20:36 -------- d-----w- c:\program files\Seagate
2009-08-15 20:36 . 2009-08-15 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-08-15 20:34 . 2009-08-15 20:34 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\Downloaded Installations
2009-08-15 20:33 . 2009-08-15 20:33 -------- d-----w- c:\documents and settings\user1\Application Data\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 16:42 . 2008-12-18 17:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 16:22 . 2006-12-31 21:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-06 06:53 . 2007-01-03 16:22 -------- d-----w- c:\program files\Powermarks 3.5
2009-09-04 21:54 . 2007-01-03 08:24 -------- d-----w- c:\program files\Google
2009-09-04 20:18 . 2007-10-08 20:38 -------- d-----w- c:\program files\Olympus
2009-09-04 20:18 . 2006-12-13 02:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 23:38 . 2007-02-19 14:19 -------- d-----w- c:\program files\MpcStar
2009-08-27 05:46 . 2007-02-11 01:29 -------- d-----w- c:\program files\BitComet
2009-08-22 13:14 . 2008-08-30 18:47 -------- d-----w- c:\program files\MediaCoder
2009-08-17 22:50 . 2007-08-09 01:10 -------- d-----w- c:\documents and settings\user1\Application Data\Canon
2009-08-17 07:18 . 2007-03-15 03:13 -------- d-----w- c:\program files\Zoom Player
2009-08-03 20:36 . 2008-12-18 17:34 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2008-12-18 17:34 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 23:33 . 2009-05-03 20:37 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-21 05:26 . 2007-06-14 06:17 -------- d-----w- c:\program files\URLToysPerlSA
2005-05-14 00:12 . 2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 18:13 . 2005-10-24 18:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 04:27 . 2005-10-14 04:27 422400 --sha-r- c:\windows\x2.64.exe
2005-10-08 02:14 . 2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 19:31 . 2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 . 2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 17:24 . 2006-04-27 17:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 868352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-03-27 181544]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HDAShCut.exe [2004-10-27 61952]

c:\documents and settings\user1\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Server\BBStartup.exe [2009-9-5 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 19:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup=c:\windows\pss\Device Detector 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMART-ER.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART-ER.lnk
backup=c:\windows\pss\SMART-ER.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user1^Start Menu^Programs^Startup^Secunia PSI (RC1).lnk]
path=c:\documents and settings\user1\Start Menu\Programs\Startup\Secunia PSI (RC1).lnk
backup=c:\windows\pss\Secunia PSI (RC1).lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\GigaByte\\VGA Utility Manager\\gvupdate.exe"=
"c:\\Program Files\\GigaByte\\VGA Utility Manager\\gvflashw.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EtiVoServer\\EtiVoSrv.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\GigaByte\\VGA Utility Manager\\G-VGA.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVHarmony\\AutoPilot.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Media Player Classic\\mplayerc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26233:TCP"= 26233:TCP:*:Disabled:BitComet 26233 TCP
"26233:UDP"= 26233:UDP:*:Disabled:BitComet 26233 UDP
"7329:TCP"= 7329:TCP:BitComet 7329 TCP
"7329:UDP"= 7329:UDP:BitComet 7329 UDP
"2190:UDP"= 2190:UDP:*:Disabled:HMO
"2190:TCP"= 2190:TCP:*:Disabled:HMO
"8081:TCP"= 8081:TCP:*:Disabled:HMO

R0 ezgmntr;EZ GIG II Backup Archive Explorer;c:\windows\system32\drivers\ezgmntr.sys [12/20/2006 8:38 PM 213760]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [9/5/2009 11:59 PM 97608]
R2 AntiVirFirewallService;Avira Firewall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [9/5/2009 11:59 PM 388865]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [9/5/2009 11:59 PM 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/5/2009 11:59 PM 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [9/5/2009 11:59 PM 434945]
R2 BBWatcherService;BBWatcherService;c:\program files\CMS Products\BounceBack Server\BBWatcherService.exe [9/5/2009 3:28 PM 36864]
R2 ezgfsfilt;EZ GIG II FS Filter;c:\windows\system32\drivers\ezgfsfilt.sys [12/20/2006 8:38 PM 28800]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [3/27/2009 3:54 PM 165160]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [9/5/2009 11:59 PM 69632]
S2 gupdate1c9bd2f6accc6cc;Google Update Service (gupdate1c9bd2f6accc6cc);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2009 11:32 AM 133104]
S3 EtiVoServer;EtiVoServer;c:\program files\EtiVoServer\EtiVoSrv.exe [9/8/2005 11:09 PM 24576]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 1:13 PM 34064]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2/19/2008 1:24 AM 7808]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/15/2008 8:25 AM 747912]
S4 GPCIDrv;GPCIDrv;c:\windows\GPCIDrv.sys [11/8/2008 1:49 PM 5112]
S4 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [12/30/2006 9:17 AM 17962]
S4 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\user1\LOCALS~1\Temp\TCCpuInfo.sys --> c:\docume~1\user1\LOCALS~1\Temp\TCCpuInfo.sys [?]
S4 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [7/9/2008 4:13 PM 868864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 18:32]

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download All by FlashGet
IE: Download using FlashGet
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://204.13.252.204:90/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\z4f3xe0j.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 10:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32*]
"oadnadkhjbgegodlmcjnolaelolijn"=hex:6a,61,63,61,68,6b,6e,63,6c,6a,6c,6a,6d,65,
68,68,6e,63,70,70,00,f9
"nadnkcabafnddlccliceghmkmodh"=hex:6a,61,63,61,68,6b,6e,63,6c,6a,6c,6a,6d,65,
68,68,6e,63,70,70,00,f9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'lsass.exe'(1084)
c:\program files\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(3052)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Olympus\DeviceDetector\DM1Service.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\windows\system32\wscntfy.exe
c:\program files\CMS Products\BounceBack Server\BBLauncher.exe
c:\program files\Avira\AntiVir Desktop\usrreq.exe
.
**************************************************************************
.
Completion time: 2009-09-06 11:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 18:07
ComboFix2.txt 2009-01-03 21:06

Pre-Run: 21,244,571,648 bytes free
Post-Run: 21,270,700,032 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
255 --- E O F --- 2008-09-18 18:22
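
As an added example that is not part of this thread or of ComboFix itself: a short Python triage helper for the kind of log posted above. It pulls the file entries out of ComboFix-style lines and lists executables in the Windows tree that carry hidden+system attributes (the `--sha-r-` entries in the Find3M report), and it decodes the comma-separated hex registry values under LOCKED REGISTRY KEYS, joining the wrapped continuation line. The sample lines are constructed from the format above, and the reading of the attribute letters (d, s, h, a, r) is my assumption about ComboFix's column layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the layout ComboFix uses for its "Files Created" /
# "Find3M Report" entries and for hex registry values under "LOCKED REGISTRY KEYS".
# They are assembled here for the parser, not copied in from a fresh scan.
SAMPLE_LOG = r"""
2009-09-06 06:59 . 2009-05-08 21:13 97608 ----a-w- c:\windows\system32\drivers\avfwot.sys
2009-08-15 20:36 . 2009-08-15 20:36 -------- d-----w- c:\program files\Seagate
2005-05-14 00:12 . 2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-14 04:27 . 2005-10-14 04:27 422400 --sha-r- c:\windows\x2.64.exe
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
"oadnadkhjbgegodlmcjnolaelolijn"=hex:6a,61,63,61,68,6b,6e,63,6c,6a,6c,6a,6d,65,
68,68,6e,63,70,70,00,f9
"""

# created . modified  size  attribute-flags  path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>[A-Za-z-]{8}) (?P<path>.+)$"
)
HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<data>.*)$')

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
WINDOWS_ROOT = "c:\\windows\\"


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (ComboFix prints "--------")
    attrs: str            # assumed layout, e.g. "--sha-r-": s=system, h=hidden, a=archive, r=read-only
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_file_entries(text: str) -> List[Entry]:
    """Pick out the file/directory entry lines and ignore everything else."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def hidden_system_executables(entries: List[Entry]) -> List[str]:
    """Executables, DLLs and drivers inside the Windows tree carrying hidden+system attributes.

    Legitimate components can be marked this way too (several in the thread's log are
    well-known codec and runtime libraries), so this is a hand-review list, not a verdict.
    """
    hits = []
    for e in entries:
        p = e.path.lower()
        if e.is_dir or not p.endswith(EXEC_EXT):
            continue
        if e.hidden_system and p.startswith(WINDOWS_ROOT):
            hits.append(e.path)
    return hits


def parse_hex_values(text: str) -> Dict[str, bytes]:
    """Collect "name"=hex:aa,bb,... values; a trailing comma means the bytes continue on the next line."""
    values: Dict[str, bytes] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEX_RE.match(lines[i].strip())
        if m:
            data = m["data"].strip()
            while data.endswith(",") and i + 1 < len(lines):   # wrapped line: more bytes follow
                i += 1
                data += lines[i].strip()
            parts = [b for b in data.split(",") if b]
            values[m["name"]] = bytes(int(b, 16) for b in parts)
        i += 1
    return values


def printable_prefix(data: bytes) -> str:
    """The ASCII text up to the first NUL; bytes after it (0x00 0xf9 in the sample) are dropped."""
    return data.split(b"\x00", 1)[0].decode("ascii", errors="replace")


if __name__ == "__main__":
    entries = parse_file_entries(SAMPLE_LOG)
    for path in hidden_system_executables(entries):
        print("review by hand:", path)
    for name, data in parse_hex_values(SAMPLE_LOG).items():
        print(f"{name} -> {printable_prefix(data)!r} ({len(data)} bytes)")
```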

#4 Maurice Naggar (Staff)

Posted 06 September 2009 - 01:46 PM

I only have the Avira free edition (on 1 system) and not the Premium version..... but I think you should be able to right-click the Avira icon on system notification area and de-select Avira guard IF it is checked. That ought to de-activate the real time monitor.

Have infinite patience with the Sysclean and Kaspersky scans (below).

You should be able to update MBAM and run it (if not, go on with the next steps).
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.
At this time of posting, the current definitions are # 2748 or later. The latest program version is 1.40

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.


=

Go >> here <<
and download RootRepeal and SAVE to your Desktop.

Doubleclick RootRepeal.exe icon on your Desktop.
Click on the Report tab at bottom of window and then click on Scan button.

A window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers
Files
Processes
SSDT
Hidden Services
Stealth Objects


You will then be asked which drive to scan.
Check C: (or the drive your operating system is installed on if not C) and click Ok again.
The scan will start.
It will take a little while so please be patient. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should default there).
When you have done this, please copy and paste it in this thread.
=

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

=

Scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kaspersky Online Scanner button. You'll see a popup window.
2) Accept the agreement
3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )
4) For XP SP2-SP3, click the Install button when prompted
5) The necessary files will be downloaded and installed. Please have plenty of patience.
6) After Kaspersky AntiVirus Database is updated, look at the Scan box.
7) Click the My Computer line
8) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.
Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.
Kaspersky is a report only and does not remove files.

Post back with copies of the latest MBAM scan log
the Rootrepeal.txt
the Sysclean.log
Kaspersky.txt report
.
How is your system now ?

P.S. If possible, copy and paste a copy of Combofix2.txt
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.
Maurice Naggar
Product Support

staff.png

Follow us: Twitter, Become a fan: Facebook

I close my threads if there is 5 days without a response.

#5 maryy

Posted 07 September 2009 - 12:51 PM

Hi again,

Well... Malwarebytes now runs. I'll post the log below -- I did an uneventful update of it yesterday. Just FYI, I am still unable to delete some of the original malwarebyte files so I reinstalled the program into a folder called malwarebytes2 (under Program Files) and I renamed the exe file to winlogon.exe just in case.

Rootrepeal.exe stops running rapidly with a "blue screen of death". I tried it with all my usual startup items active and also with Spybot, Avira, Gotomypc, and Bounceback (a backup system) deactivated from the task bar at the bottom right of the screen. I did not try deactivating individual processes so presumably Teatimer or other things may have been running. I ran it three times. On one run with the startup programs deactivated as above, Rootrepeal gave an error message in a box before the screen went blue. I could probably capture that with a camera and type it in if it would help. It stayed up too short a time to read. Two of the runs with the programs inactivated didn't get very far. The third (with the above programs active) ran for a short time and scanned a few dozen files before it went "bloooey!" It may help to know I use an Asus PN5SLI motherboard which is quite fussy. I am not overclocking it. It complained after the third blue screen event during the cold restart, went to its own "safe mode" but restarted OK without problems or other error messages when I pressed F1 to continue.

I'm happy to uninstall ALL the antiviral stuff-- Avira and Spybot and anything else you'd like removed and I can make an image backup of the hard drive and work on that so my data will be preserved. Just let me know if that's the best way to go. If so, it may be a day or two before I can continue with your instructions.

Here's the Malwarebytes log from yesterday. Did you want another Combofix log? I did not attempt the additional steps you specified after Rootrepeal would not run.

*-------

Malwarebytes' Anti-Malware 1.40
Database version: 2750
Windows 5.1.2600 Service Pack 3

9/7/2009 12:58:50 AM
mbam-log-2009-09-07 (00-58-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 516240
Time elapsed: 4 hour(s), 18 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user1\Desktop\Temporary Programs\System utilities\benchmarks\super_pi\super_pi_mod-1.5\super_pi_mod.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.

*-------

Superpi is infected? I've had that download for a long time-- way before the current problem started! Anyway, I allowed Malwarebytes to remove it.


I'm sure you know how much all this assistance is appreciated!

M.Y.

#6 Maurice Naggar

Posted 07 September 2009 - 01:56 PM

Hello M.Y.

2 issues I want to address: #1 Do not run Combofix on your own. Don't run anything else on your own, unless I ask you to.
This is a must so we can rule out confusion & conflicts & a possible non-working Windows install.

#2. You stated

so I reinstalled the program into a folder called malwarebytes2 (under Program Files) and I renamed the exe file to winlogon.exe just in case.

Do you & me a favor. Go back and un-name back to normal the MBAM exe.
I am not a fan of renaming anything as winlogon.
And as to a second setup of MBAM, it is not desired.

Let me review your recent logs and get back with you for further steps. As I say, don't make changes or additions to the system, nor do anything on your own without consulting here, please. I like to avoid complications.

#7 Maurice Naggar

Posted 07 September 2009 - 02:09 PM

Since RootRepeal is giving fits, let's set that aside. I need for you to proceed (as per my earlier reply) to get and run
SYSCLEAN & do
Kaspersky scan

After those 2 are done, then let's get & run GMER
Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================


Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt"
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt"
  • Save it where you can easily find it, such as your desktop.
=

When done, reply with copy of
Sysclean.log
Kaspersky scan log
the GMER.txt

#8 maryy

Posted 08 September 2009 - 05:38 PM

Hi.

Sorry about the apparently independent actions -- they took place between the time I first posted and your first reply and the renaming idea came from a sticky set of instructions elsewhere in the forum. I ran Combofix at the same time to see if it would run instead of being terminated by whatever malware I had. I did not mean to increase your workload! Won't happen again.

Trend Micro ran fine until the end at which time, I am guessing it did a reboot which probably re-activates Avira Premium Security Suite whose scanners had been turned off-- anyway the Trend Micro program stopped with a message from Avira: "SSAPI command line scanner. This application is trying to execute code in another process (explorer.exe)-- Allow/Deny." I allowed and Trend Micro continued and terminated, apparently normally. The log display from inside the Trend Micro scanner isn't copyable as text. Transcribing it manually from a screen image, the next to last entry is "Scanner C:\DEC\TSC.bin has finished running." Next line says "TSC Log:" and the last line consists of what looks like 3 characters. The first is a "y" with two dots over it, the second looks like a p overwritten with an L and the last is a D.

The files report.log and sysclean.log exist and can be loaded into Notepad and read as text. Would you like me to post either or both? sysclean.log is fairly brief but report.log is quite lengthy, a 135KB file.

I then tried to run Kaspersky's web scan as directed. First I updated Java as requested. I made sure Avira was as much OFF as I can make it (all scanners unchecked) and I disabled Spybot. Kaspersky started to load but terminated with the error: "Launch of the JACA application is interrupted. Please establish an interrupted Internet connection for work with this program." The only other thing I can think of to tell you is that no programs are running that I was able to disable from taskbars and the only other thing is that some Windows updates are pending and the Windows shield icon is on the task bar. My browser seems to run fine and the internet connection is from Time Warner cable via a cable modem and a Linksys wifi router however this computer is hard wired to the router via a CAT5 cable. I've had no problems with the internet connection recently.

I did not run the last program you requested nor post the Trend Micro logs pending your further directions. If you'd like me to uninstall Avira, I'll be happy to. Shall I allow Windows update to run at this time?



Thanks and again, sorry for the previous inconvenience.

M. Y.

#9 Maurice Naggar

Posted 08 September 2009 - 09:28 PM

Yes, accept the Windows Updates and apply them. If prompted to reboot, do it at that time.

At your next chance, Copy and Paste here in reply the contents of Sysclean.log

#10 maryy

Posted 09 September 2009 - 01:51 AM

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2009-2010, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2009-09-08, 00:03:20, Auto-clean mode specified.
2009-09-08, 00:03:20, Initialized Rootkit Driver version 1.6.0.1059.
2009-09-08, 00:03:20, Running scanner "C:\dce\TSC.BIN"...
2009-09-08, 00:03:24, Scanner "C:\dce\TSC.BIN" has finished running.
2009-09-08, 00:03:24, TSC Log:

Damage Cleanup Engine (DCE) 6.1 (Build 1027) (RCM: Version is too old, 1.6.0-1059)

Windows XP (Build 2600: Service Pack 3)

Start time: Tue Sep 08 2009 00:03:20

Load Damage Cleanup Template (DCT) "C:\dce\TMRDCT.ptn" (version) [fail]

Load Damage Cleanup Template (DCT) "C:\dce\tsc.ptn" (version 1058) [success]

Complete time: Tue Sep 08 2009 00:03:24

Execute pattern count (3060), Virus found count (0), Virus clean count (0), Clean failed count (0)





2009-09-08, 00:03:24, Running scanner "C:\dce\VSCANTM.BIN"...
2009-09-08, 05:45:34, Scanner "C:\dce\VSCANTM.BIN" has finished running.
2009-09-08, 05:45:34, VSCANTM Log:

2009-09-08, 05:45:34, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/8/2009 00:03:25
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 425 (466438/466438 Patterns) (2009/09/07) (642500)

Command Line: C:\dce\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\dce\lpt$vpn.425

C:\Documents and Settings\user1\Desktop\temporary data\test zzz web oages\AVS Video Tools 5.6.1.715.rar (2/6 Viruses Found)
C:\Documents and Settings\user1\Desktop\temporary data\test zzz web oages\programs\AVS Video Converter v6.2.4.330 + Crack [RH]\AVS.VC.6.2.4.330_[RH]\AVS Video Converter v6.2.4.330\Crack\AVSVideoConverter.exe [TSPY_STEAM.BN]
C:\Program Files\AVS4YOU\AVSVideoConverter6\AVSVideoConverter.exe [TSPY_STEAM.BN]
630234 files have been read.
630234 files have been checked.
630188 files have been scanned.
971792 files have been scanned. (including files in archived)
3 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/8/2009 05:45:34 5 hours 42 minutes 8 seconds (20528.11 seconds) has elapsed.(32.572 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-09-08, 05:45:34, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/8/2009 00:03:25
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 425 (466438/466438 Patterns) (2009/09/07) (642500)

Command Line: C:\dce\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\dce\lpt$vpn.425

630234 files have been read.
630234 files have been checked.
630188 files have been scanned.
971792 files have been scanned. (including files in archived)
3 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/8/2009 05:45:34 5 hours 42 minutes 8 seconds (20528.11 seconds) has elapsed.(32.572 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-09-08, 05:45:34, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/8/2009 00:03:25
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 425 (466438/466438 Patterns) (2009/09/07) (642500)

Command Line: C:\dce\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\dce\lpt$vpn.425

630234 files have been read.
630234 files have been checked.
630188 files have been scanned.
971792 files have been scanned. (including files in archived)
3 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/8/2009 05:45:34 5 hours 42 minutes 8 seconds (20528.11 seconds) has elapsed.(32.572 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-09-08, 05:45:34, Running SSAPI scanner ""...
2009-09-08, 09:11:56, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 8.19
SSAPI Anti-Rootkit Version: 1.6.0.1059

Spyware Scan Started: 09/08/2009 05:45:36


SSAPI requires the system to reboot.
Detected Items:
[CLEAN SUCCESS][Adware_MemWatcher] C:\Documents and Settings\user1\Desktop\temporary data\old Desktop\Programs\antipest\uninst.exe,C:\DOCUME~1\user1\Desktop\TEMPOR~2\OLDDES~1\Programs\antipest\uninst.exe,2324
[CLEAN SUCCESS][ADW_MGSHAREWARE] C:\Documents and Settings\user1\Desktop\Temporary Programs\freeripmp3.exe,C:\DOCUME~1\user1\Desktop\TEMPOR~1\FREERI~1.EXE,10986
Detected: 113 items.
Cleaned Success: 113 items.
Clean Failed: 0 items.

Spyware Scan Ended: 09/08/2009 09:11:56
Scan Complete. Time=12380.680664.

#11 Maurice Naggar (Staff, Moderators, 14,550 posts)

Posted 10 September 2009 - 12:34 PM

Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.
At this time of posting, the current definitions are # 2773.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================


Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.
=

Reply with copy of the latest MBAM scan log
and the Gmer.txt
and tell me, how is your system now?
Maurice Naggar
Product Support


I close my threads if there are 5 days without a response.

#12 maryy (New Member, 10 posts)

Posted 11 September 2009 - 12:07 PM

MBAM SCAN LOG:

Malwarebytes' Anti-Malware 1.40
Database version: 2774
Windows 5.1.2600 Service Pack 3

9/10/2009 7:02:15 PM
mbam-log-2009-09-10 (19-02-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 520788
Time elapsed: 4 hour(s), 26 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.


GMER.TXT:

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-11 08:49:12
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT BAF60BAE ZwCreateKey
SSDT BAF60BA4 ZwCreateThread
SSDT BAF60BB3 ZwDeleteKey
SSDT BAF60BBD ZwDeleteValueKey
SSDT BAF60BC2 ZwLoadKey
SSDT BAF60B90 ZwOpenProcess
SSDT BAF60B95 ZwOpenThread
SSDT BAF60BCC ZwReplaceKey
SSDT BAF60BC7 ZwRestoreKey
SSDT BAF60BB8 ZwSetValueKey
SSDT BAF60B9F ZwTerminateProcess
SSDT BAF60B9A ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \Driver\Tcpip \Device\Tcp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \Driver\Tcpip \Device\RawIp avfwot.sys (TDI filtering kernel driver/Avira GmbH)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32@oadnadkhjbgegodlmcjnolaelolijn 0x6A 0x61 0x63 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32@nadnkcabafnddlccliceghmkmodh 0x6A 0x61 0x63 0x61 ...

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000041.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000046.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000065.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000072.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000056.sys:1 8704 bytes executable
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031178.JPG 1127258 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031161.JPG 1312961 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031162.JPG 1916617 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031163.JPG 1929773 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031164.JPG 1864782 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031165.JPG 2025580 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031166.JPG 1751723 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031167.JPG 1437183 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031168.JPG 2320084 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031169.JPG 2369072 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031170.JPG 1966530 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031171.JPG 1943830 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031172.JPG 1866613 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031173.JPG 1884373 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031174.JPG 1998313 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031175.JPG 2100706 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031176.JPG 1795936 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031177.JPG 1410303 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031179.JPG 286404 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031180.JPG 1781610 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031181.JPG 1021017 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041182.JPG 378687 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041183.JPG 403750 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041184.JPG 1164497 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041185.JPG 2314880 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041186.JPG 2435349 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041187.JPG 2534233 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041188.JPG 2576637 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041189.JPG 2490951 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041190.JPG 2596927 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041191.JPG 2175079 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041192.JPG 2349697 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041193.JPG 2448487 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041194.JPG 2387656 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041195.JPG 2481140 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041196.JPG 2541145 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041197.JPG 2458840 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041198.JPG 2595027 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041199.JPG 2755933 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041200.JPG 2696896 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041201.JPG 2550105 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041202.JPG 1920479 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041203.JPG 1680012 bytes
File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041204.JPG 1612098 bytes

---- EOF - GMER 1.0.15 ----

FYI: The files with the long path name at the end of the log are JPGs I made myself with a Sony camera. No idea why the program would notice those.

The computer runs fine. The browsers, both IE8 and FF, seem slow. This may be because prior to consulting you, I tightened up Avira's security setting. If everything seems clean now, I can experiment with that or maybe there is a better, less speed-reducing antivirus I can use (it doesn't need to be free)? Please let me know if any other tests seem indicated. Again, many thanks for the very valuable and patient help. If you have an extra moment, I'd be interested if you know what malware I had and typically where it might have come from.
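The GMER log in the post above mixes SSDT hooks, attached devices, registry entries and alternate data streams in one flat listing. The Python below is an added triage helper, not part of this thread or of GMER itself: it parses that log format into its sections and summarises what an analyst would look at first, in the spirit of the caution that GMER entries are leads to explain rather than verdicts. The sample log is a constructed excerpt modelled on the entries posted above (with a shortened JPG path), and the "handlers in one 4 KiB page" heuristic for SSDT hooks is an assumption of this example.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's own code)."""
import re
from collections import defaultdict

# Constructed sample modelled on the GMER 1.0.15 log format posted in the thread.
SAMPLE_LOG = r"""GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-11 08:49:12
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT BAF60BAE ZwCreateKey
SSDT BAF60B90 ZwOpenProcess
SSDT BAF60B9F ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \Driver\Tcpip \Device\Udp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32@oadnadkhjbgegodlmcjnolaelolijn 0x6A 0x61 0x63 0x61 ...

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000041.sys:1 8704 bytes executable
File C:\Documents and Settings\user1\Desktop\holiday\P5031178.JPG 1127258 bytes

---- EOF - GMER 1.0.15 ----
"""

# One pattern per line type GMER emits in the sections shown above.
SECTION_RE = re.compile(r"^---- (\w+) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT ([0-9A-Fa-f]{8}) (\w+)$")
DEVICE_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+) \((.+)/([^/]+)\)$")
REG_RE = re.compile(r"^Reg ([^\s@]+)(?:@(\S+) (.*))?$")
ADS_RE = re.compile(r"^ADS (.+):(\S+) (\d+) bytes( executable)?$")
FILE_RE = re.compile(r"^File (.+) (\d+) bytes$")


def parse_gmer_log(text):
    """Split a GMER log into typed findings, keyed by the log's own section headers."""
    findings = {"ssdt": [], "devices": [], "registry": [], "ads": [], "files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        if section == "System" and (m := SSDT_RE.match(line)):
            findings["ssdt"].append({"handler": int(m.group(1), 16), "func": m.group(2)})
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            findings["devices"].append({"driver_obj": m.group(1), "device": m.group(2),
                                        "file": m.group(3), "vendor": m.group(5)})
        elif section == "Registry" and (m := REG_RE.match(line)):
            findings["registry"].append({"key": m.group(1), "value": m.group(2),
                                         "data": m.group(3)})
        elif section == "Files" and (m := ADS_RE.match(line)):
            findings["ads"].append({"path": m.group(1), "stream": m.group(2),
                                    "size": int(m.group(3)), "executable": bool(m.group(4))})
        elif section == "Files" and (m := FILE_RE.match(line)):
            findings["files"].append({"path": m.group(1), "size": int(m.group(2))})
    return findings


def triage(findings):
    """Summarise findings the way an analyst reads them: items to explain, not verdicts."""
    report = {}
    handlers = [h["handler"] for h in findings["ssdt"]]
    report["ssdt_hooks"] = sorted(h["func"] for h in findings["ssdt"])
    # Heuristic (assumption of this example): hook handlers that all fall inside one
    # 4 KiB page usually belong to a single driver, so identify that driver (often a
    # security product) before reading the hooks as malicious.
    report["ssdt_handlers_same_page"] = bool(handlers) and len({h >> 12 for h in handlers}) == 1
    # Attached filter drivers grouped by the vendor string GMER printed for them.
    by_vendor = defaultdict(set)
    for d in findings["devices"]:
        by_vendor[d["vendor"]].add(d["file"])
    report["device_filters_by_vendor"] = {v: sorted(f) for v, f in by_vendor.items()}
    # Executable alternate data streams are the first items to account for.
    report["executable_ads"] = [a["path"] for a in findings["ads"] if a["executable"]]
    # Registry values GMER listed: keep key and value name together for review.
    report["registry_values"] = [(r["key"], r["value"]) for r in findings["registry"] if r["value"]]
    # Plain File entries carry no verdict by themselves; keep a count only.
    report["plain_file_entries"] = len(findings["files"])
    return report


if __name__ == "__main__":
    for k, v in triage(parse_gmer_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```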

#13 maryy (New Member, 10 posts)

Posted 12 September 2009 - 02:43 AM

Well, all may not yet be copacetic.

I just clicked on a link from a political discussion forum and the link is supposed to go here: http://www.nytimes.c...;pagewanted=all . The first time I tried that link, I received a popup or popunder from: http://www.toptvbyte...=10088&SID=1796 and the tab I opened with the link in Firefox went to here: (CAUTION--DO NOT CLICK THIS LINK UNLESS PROTECTED! I changed it so it won't work unless a dot is substituted for my text between the asterisks. ) http://malwareinternetscanner03 **dot**com/1/?sess=%3D2259jDwMi02MyZpcD02Ni43NS4yNDkuNyZ0aW1lPTEyNTY3MMkMNQkN -- Avira caught it and stopped the browser from accessing it with a warning "The requested URL has been identified as a potentially dangerous website. In order not to compromise your security, the access to this page has been blocked. Category/categories:Malware. Generated by AntiVir WebGuard 9.0.5.0 " I closed the involved tab and tried the same link again and it connected to the correct URL-- the NYT article. The prior page I accessed before the discussion forum was snopes.com. That gave me a Netflix popup (as usual).

Firefox is fully updated, version 3.5.3 . I did quite a bit of browsing today and this has been the only anomaly I noticed. Any idea what caused this or what to do about it or how serious it may be? This computer is used for some banking though I switched that function to a well running and well protected laptop while this trouble shooting is going on. The computer runs fine today other than the above and maybe FF is a bit slow. I suspect I can run any scanner program that you'd like.

Thanks!

M. Y.

#14 Maurice Naggar (Staff, Moderators, 14,550 posts)

Posted 12 September 2009 - 12:51 PM

Please download GooredFix and save it to your Desktop.
Now double-click Goored.exe on your Desktop to run it.
Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
=

Then, next, get and run FixIEDef:

Use this URL to Download the latest version, and SAVE it to your Desktop!
http://downloads.mal...om/FixIEDef.exe

Double click FixIEdef.exe on your Desktop to start it.
Click OK when you get the 1st FixIEDef window.

Next, at 2nd message-window, press SCAN button.

Click OK when you see a FixIEDef alert window.
Let it scan the file system and the registry. Do not touch keyboard or mouse while utility is running.

Click Exit once FixIEDef displays the !!! All Finished message !!! window.

WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

Click Exit once FixIEDef displays the All Finished message.

Reply with copy of Goored.txt and the FixIEDef log file, located on the Desktop.
Maurice Naggar
Product Support


I close my threads if there are 5 days without a response.

#15 maryy (New Member, 10 posts)

Posted 12 September 2009 - 01:21 PM

GooredFix by jpshortstuff (12.07.09)
Log created at 11:16 on 12/09/2009 (user1)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
powermarks@kaylon.com [16:23 03/01/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [16:21 03/01/2007]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [16:39 01/05/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [19:13 26/07/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [17:25 28/10/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [18:38 27/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [16:00 06/07/2008]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [18:01 02/11/2008]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [18:09 04/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [06:23 11/04/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [21:43 08/09/2009]
{FE76A1D3-DF55-4527-8BB7-07A3C6ABE9D6} [16:48 20/07/2007]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [21:19 10/02/2009]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\" [21:54 04/09/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:01 02/11/2008]

-=E.O.F=-


--------------------------------------------------------


********************************************************************************
* *
* FixIEDef Log *
* Version 1.7.22.7514 *
* *
********************************************************************************

Created at 11:18:15 on Saturday, September 12, 2009

Time Zone : (GMT-08:00) Pacific Time (US & Canada)

Logged On User : user1

Operating System : Microsoft Windows XP Home Edition Service Pack 3
OS Architecture : X86
System Langauge : English (United States)
Keyboard Layout : English (United States)
Processor : X64 Intel® Core™2 CPU 6600 @ 2.40GHz

System Drive : C:\
Windows Directory : C:\WINDOWS
System Directory : C:\WINDOWS\system32

System Drive Type : Fixed
System Drive Status : READY
System Drive Label :
System Drive Size : 305.23 GB
System Drive Free : 16.32 GB

Total Physical Memory: 2046 MB
Free Physical Memory : 1362 MB
Total Page File : 2046 MB
Free Page File : 2100 MB
Total Virtual Memory : 2048 MB
Free Virtual Memory : 1961 MB

Boot State : Normal boot

--------------------------------------------------------------------------------

!!! userinit.exe is Clean !!!

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\system32\tmp.txt

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :unsure:

ShadowPuterDude

Safe Surfing!!!


-----------------------------------
Thanks! M. Y. (I'll be away for a few hours and then back for the day)

#16 Maurice Naggar (Staff, Moderators, 14,550 posts)

Posted 12 September 2009 - 02:29 PM

Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.
At this time of posting, the current definitions are # 2785 or later. The latest program version is 1.41

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.


=
next, Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Using Internet Explorer browser only, go to ESET Online Scanner website:
Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Look at contents of this file using Notepad or Wordpad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here
http://www.eset.com/...c4.php?page=faq

  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
=
RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the MBAM scan log
and the Eset scan log
Maurice Naggar
Product Support


I close my threads if there are 5 days without a response.

#17 maryy (New Member, 10 posts)

Posted 13 September 2009 - 09:25 PM

Woops ... ran the full scan by mistake-- the quick scan had reported clean. Here's the log:

Malwarebytes' Anti-Malware 1.41
Database version: 2786
Windows 5.1.2600 Service Pack 3

9/12/2009 10:38:13 PM
mbam-log-2009-09-12 (22-38-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 523462
Time elapsed: 4 hour(s), 45 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here's Eset's log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=d2dd2de2a98f6947b98f1fe668ecf5f0
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-09-06 06:51:25
# local_time=2009-09-05 11:51:25 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 21 100 100 1156968593750
# compatibility_mode=2817 63 100 100 316444658281250
# scanned=16092
# found=0
# cleaned=0
# scan_time=434
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=d2dd2de2a98f6947b98f1fe668ecf5f0
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-13 11:36:44
# local_time=2009-09-13 04:36:44 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1798 37 100 100 565640468750
# compatibility_mode=2817 63 100 100 323095846718750
# scanned=635544
# found=2
# cleaned=0
# scan_time=20865
C:\Documents and Settings\user1\Local Settings\Application Data\Identities\{FC7AC938-F43A-4C42-968E-F18737F16BD8}\Microsoft\Outlook Express\old_sent (last 5_2003).dbx VBS/LoveLetter.Colombia worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\user1\Local Settings\Application Data\Identities\{FC7AC938-F43A-4C42-968E-F18737F16BD8}\Microsoft\Outlook Express\old_sent_to6_2002.dbx Win32/Adware.Webhancer.A application (unable to clean) 00000000000000000000000000000000 I



If I am not mistaken, the two files listed above are folders from Outlook Express email. They are also very old -- one from 2002 and the other from 2003! I don't need them and, if it helps, I can delete them by hand. But it's hard to imagine how these could be significant after all this time.

Regards and thanks.

M. Y.

#18 Maurice Naggar

Posted 14 September 2009 - 02:59 PM

You'll need to delete the 2 items out of Outlook Express on your own. The last 2 scans are very good.
Your system is good to go after the following:

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it.
Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
De-install ESET Online scan
De-install Kaspersky Online scan
OK & Exit out of Control Panel

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (it's on your desktop as combo-fix.exe), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space after exe and before the slash mark.
The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run.

    In the command box that opens, type or copy/paste
    combo-fix.exe /u
    and then click OK.

  • Please double-click OTL.exe to run it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

Delete SYSCLEAN downloads and the C:\DCE folder (if still there)
Delete GMER if still there
Delete RootRepeal if still there

We are finished here. Best regards.
Maurice Naggar
Product Support

I close my threads if there are 5 days without a response.

#19 maryy

Posted 14 September 2009 - 07:56 PM

That's great. You're very patient. Thank you very much.

M. Y.

#20 Maurice Naggar

Posted 14 September 2009 - 08:35 PM

You're very welcome. Stay safe.

This thread is closed. The procedures used here are only for this system. Using them on another system may very well cause harm.
If you are a viewer and having issues, create your own New topic.
Maurice Naggar
Product Support

I close my threads if there are 5 days without a response.
