uvris3

  1. Hello, I was able to solve the problem by running Malwarebytes in safe mode. I thought I saved the log file to my desktop but cannot find it. It detected nine objects, asked me to restart the computer, and it seems to be running better. I appreciate the help you provided. If I find the log file I'll post it.
  2. Hello, is anyone aware of a virus that causes system shutdown while scanning with Malwarebytes?
  3. Hello, if it would help, I can re-do the quick scan, stopping it after the two detections but before I get a bluescreen and then send you the report on the two detected objects.
  4. To clarify my previous post, the computer put itself through a complete system check (disks, etc.) before starting back up after the shut down. I did not mean that I had to re-install the OS.
  5. Hello, I followed your instructions and started a Quick Scan with MBAM. It identified two objects (I think in "Documents and Settings" but am not sure), then my computer shut down due to an unexpected error (blue screen) approximately 30 minutes into the scan. This is the same thing that happened prior to running Rkill, unhide, TDSSKiller, and ESET. The computer required a complete OS restoration this time. Thank you for your continuing help.
  6. Hello. I have pasted the contents of the RKill, unhide, and ESET log files below. When I pasted the TDSSKiller log, I got an error message stating that the post was too long, so I have attached it as a file. Thank you for your continuing help!

     ###########################################################################
     RKill log:

     Rkill 2.6.5 by Lawrence Abrams (Grinler)
     http://www.bleepingcomputer.com/
     Copyright 2008-2014 BleepingComputer.com
     More Information about Rkill can be found at this link:
     http://www.bleepingcomputer.com/forums/topic308364.html

     Program started at: 01/12/2014 01:42:58 PM in x86 mode.
     Windows Version: Microsoft Windows XP Service Pack 3

     Checking for Windows services to stop:

     * No malware services found to stop.

     Checking for processes to terminate:

     * C:\WINDOWS\System32\WLTRYSVC.EXE (PID: 1864) [WD-HEUR]
     * C:\WINDOWS\System32\bcmwltry.exe (PID: 1896) [WD-HEUR]

     2 proccesses terminated!

     Checking Registry for malware related settings:

     * No issues found in the Registry.

     Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

     Performing miscellaneous checks:

     * Windows Defender Disabled

     [HKLM\SOFTWARE\Microsoft\Windows Defender]
     "DisableAntiSpyware" = dword:00000001

     ###########################################################################
     unhide log:

     Unhide by Lawrence Abrams (Grinler)
     http://www.bleepingcomputer.com/
     Copyright 2008-2014 BleepingComputer.com
     More Information about Unhide.exe can be found at this link:
     http://www.bleepingcomputer.com/forums/topic405109.html

     Program started at: 01/12/2014 01:44:36 PM
     Windows Version: Windows XP

     Please be patient while your files are made visible again.

     Processing the C:\ drive
     Finished processing the C:\ drive. 303052 files processed.

     The C:\DOCUME~1\HAL\LOCALS~1\Temp\smtmp\ folder does not exist!!
     Unhide cannot restore your missing shortcuts!!
     Please see this topic in order to learn how to restore default Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

     Searching for Windows Registry changes made by FakeHDD rogues.
     - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
     - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
     - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
     - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
     * HidNoChangingWallPaperden policy was found and deleted!
     - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
     * Start_ShowMyMusic was set to 0! It was set back to 1!
     * Start_ShowMyPics was set to 0! It was set back to 1!
     * Start_ShowPrinters was set to 0! It was set back to 1!
     * Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
     * Start_ShowRecentDocs was set to 0! It was set back to 2!
     * Start_ShowNetConn was set to 0! It was set back to 1!
     * Start_ShowNetPlaces was set to 0! It was set back to 1!

     Program finished at: 01/12/2014 02:04:57 PM
     Execution time: 0 hours(s), 20 minute(s), and 20 seconds(s)

     ###########################################################################
     ESETScan log:

     C:\Program Files\Avira\AntiVir Desktop\Offercast_AVIRAV7_.exe a variant of Win32/Bundled.Toolbar.Ask.D application cleaned by deleting (after the next restart) - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1131\A0075355.dll a variant of Win32/Toolbar.Conduit.P application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1131\A0075356.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1131\A0075357.exe a variant of Win32/InstallIQ.A application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1131\A0076305.exe a variant of Win32/Bundled.Toolbar.Ask.D application cleaned by deleting - quarantined

     ###########################################################################

     TDSSKiller.3.0.0.19_12.01.2014_15.18.37_log.txt
  7. Hello, I ran ComboFix.exe and have attached the log file. After completing ComboFix, I did a quick scan with Malwarebytes, and it is still detecting two objects. I did not get a bluescreen this time, but Malwarebytes did freeze again, and I had to manually shut down the computer and re-start. I greatly appreciate your continuing help in this matter.

     log.txt
  8. Hello. I include the contents of the ESET scan below. I chose to have ESET remove the quarantined objects after the scan. I know you did not instruct me to do this, but I did a quick scan with Malwarebytes following the ESET scan and had the same problem: Malwarebytes detected two objects, it stopped, and then I got the blue screen. So, I guess something is still on the computer. Thank you in advance for any follow-on help.

     :\RECYCLER\S-1-5-21-3106242995-1852642597-4043359429-1006\Dc46.exe a variant of Win32/InstallCore.D application
     C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\extensions\firefox@jumpflip.net.xpi Win32/BrowseFox.B application deleted - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\+uSWTWrT.exe.part Win32/DownloadAdmin.G application cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\13CLMTLq.exe.part Win32/AdWare.1ClickDownload.AQ application cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\G6boqvUW.exe.part Win32/DownloadAdmin.G application cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\ia7bgByC.exe.part Win32/DownWare.I application cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\P3VwCVM0.exe.part Win32/AdWare.1ClickDownload.AQ application cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\T8qkdHWD.exe.part Win32/Adware.1ClickDownload.AM application cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\tbRad0.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\xz_+frUK.exe.part multiple threats cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\ZHpWgoiy.exe.part Win32/Adware.1ClickDownload.AM application cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\is1590112554\5094600_stp\Mysearchdial.exe a variant of Win32/Toolbar.Funmoods.D application cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\Temporary Internet Files\Content.IE5\78KPN2P6\Setup[1].exe multiple threats cleaned by deleting - quarantined
     C:\Documents and Settings\LocalService\Local Settings\Application Data\Radio_1.1\ldrtbRad2.dll a variant of Win32/Toolbar.Conduit.P application cleaned by deleting - quarantined
     C:\Documents and Settings\LocalService\Local Settings\Application Data\Radio_1.1\tbRad2.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
     C:\Program Files\Avira\AntiVir Desktop\offercast_avirav7_.exe a variant of Win32/Bundled.Toolbar.Ask.D application cleaned by deleting (after the next restart) - quarantined
     C:\RECYCLER\S-1-5-21-3106242995-1852642597-4043359429-1006\Dc47.exe a variant of Win32/InstallIQ.A application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074134.exe multiple threats cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074140.dll a variant of Win32/Toolbar.Conduit.P application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074141.dll a variant of Win32/Toolbar.Conduit.P application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074142.dll a variant of Win32/Toolbar.Conduit.P application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074143.dll a variant of Win32/PriceGong.A application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074144.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074146.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074147.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074153.dll a variant of Win32/Toolbar.Conduit.P application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074154.dll a variant of Win32/Toolbar.Conduit.P application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074155.dll a variant of Win32/Toolbar.Conduit.P application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074158.dll Win32/Toolbar.Conduit.O application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074161.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074162.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074163.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1130\A0074207.rbf a variant of Win32/Bundled.Toolbar.Ask.E application cleaned by deleting - quarantined
     C:\WINDOWS\temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
     C:\WINDOWS\temp\avnwldrtemp\setup\Offercast_AVIRAV7_.exe a variant of Win32/Bundled.Toolbar.Ask.D application cleaned by deleting - quarantined
  9. Hello, I followed the instructions and have pasted the contents of JRT.txt and AdwCleaner.txt below. I encountered my original problem in Step 4: Malwarebytes detected two objects and then froze, and I got a blue screen when I tried to unfreeze or exit Malwarebytes. Previously, the same thing happened, but Malwarebytes had detected eight objects. So, I think the computer is still infected.

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Junkware Removal Tool (JRT) by Thisisu
     Version: 6.1.0 (01.07.2014:1)
     OS: Microsoft Windows XP x86
     Ran by HAL on Thu 01/09/2014 at 13:37:45.14
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     ~~~ Services

     ~~~ Registry Values

     Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{3004627E-F8E9-4E8B-909D-316753CBA923}
     Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-3106242995-1852642597-4043359429-1006\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs\\Tabs

     ~~~ Registry Keys

     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escort.dll
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escortapp.dll
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escorteng.dll
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escortlbr.dll
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\esrv.exe
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
     Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\dsiteproducts
     Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\installcore
     Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\mysearchdial
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\installcore
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\esrv.mysearchdialesrvc
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\esrv.mysearchdialesrvc.1
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialappcore
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialappcore.1
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialdskbnd
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialdskbnd.1
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialhlpr
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialhlpr.1
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6db9fdfe-b718-4962-be0c-0a5fce7f7f7b}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{6db9fdfe-b718-4962-be0c-0a5fce7f7f7b}

     ~~~ Files

     ~~~ Folders

     Successfully deleted: [Folder] "C:\Documents and Settings\HAL\Application Data\mysearchdial"
     Successfully deleted: [Folder] "C:\Program Files\jump flip"
     Successfully deleted: [Folder] "C:\Program Files\mysearchdial"
     Successfully deleted: [Folder] "C:\Program Files\openit"
     Successfully deleted: [Folder] "C:\Documents and Settings\All Users\start menu\programs\open it!"

     ~~~ FireFox

     Successfully deleted: [File] C:\Documents and Settings\HAL\Application Data\mozilla\firefox\profiles\6m7ci4cn.default\user.js
     Successfully deleted: [File] C:\Documents and Settings\HAL\Application Data\mozilla\firefox\profiles\6m7ci4cn.default\searchplugins\mysearchdial.xml
     Successfully deleted: [Folder] C:\Documents and Settings\HAL\Application Data\mozilla\firefox\profiles\6m7ci4cn.default\extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}
     Successfully deleted the following from C:\Documents and Settings\HAL\Application Data\mozilla\firefox\profiles\6m7ci4cn.default\prefs.js

     user_pref("browser.search.defaultenginename", "Mysearchdial");
     user_pref("browser.search.selectedEngine", "Mysearchdial");
     user_pref("extensions.mysearchdial.aflt", "dsites0101");
     user_pref("extensions.mysearchdial.appId", "{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}");
     user_pref("extensions.mysearchdial.cd", "2XzuyEtN2Y1L1QzutDtDtC0EyE0CyByCtC0A0BzytC0DyBtDtN0D0Tzu0SyByEtDtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutDzytDtC0B");
     user_pref("extensions.mysearchdial.cr", "1877023167");
     user_pref("extensions.mysearchdial.dfltLng", "");
     user_pref("extensions.mysearchdial.dfltSrch", true);
     user_pref("extensions.mysearchdial.dnsErr", true);
     user_pref("extensions.mysearchdial.excTlbr", false);
     user_pref("extensions.mysearchdial.hmpg", true);
     user_pref("extensions.mysearchdial.id", "001E4C761AB91D70");
     user_pref("extensions.mysearchdial.instlDay", "16079");
     user_pref("extensions.mysearchdial.instlRef", "");
     user_pref("extensions.mysearchdial.prdct", "mysearchdial");
     user_pref("extensions.mysearchdial.prtnrId", "mysearchdial");
     user_pref("extensions.mysearchdial.srchPrvdr", "Mysearchdial");
     user_pref("extensions.mysearchdial.tlbrId", "base");
     user_pref("extensions.mysearchdial.vrsn", "1.8.21.0");
     user_pref("extensions.mysearchdial.vrsni", "1.8.21.0");
     user_pref("extensions.mysearchdial_i.hmpg", true);
     user_pref("extensions.mysearchdial_i.newTab", false);
     user_pref("extensions.mysearchdial_i.smplGrp", "none");
     user_pref("extensions.mysearchdial_i.vrsnTs", "1.8.21.013:31:50");

     ~~~ Chrome

     Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Scan was completed on Thu 01/09/2014 at 13:44:42.82
     End of JRT log
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     # AdwCleaner v3.016 - Report created 09/01/2014 at 13:55:44
     # Updated 23/12/2013 by Xplode
     # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
     # Username : HAL - LAPTOP2007
     # Running from : C:\Documents and Settings\HAL\My Documents\Downloads\AdwCleaner.exe
     # Option : Clean

     ***** [ Services ] *****

     ***** [ Files / Folders ] *****

     Folder Deleted : C:\Documents and Settings\LocalService\Local Settings\Application Data\Conduit
     Folder Deleted : C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
     Folder Deleted : C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\Extensions\ffxtlbr@mysearchdial.com
     File Deleted : C:\Documents and Settings\HAL\Local Settings\Application Data\mysearchdial-speeddial.crx
     File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v41ure3k.default\searchplugins\Mysearchdial.xml
     File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v41ure3k.default\user.js
     File Deleted : C:\Documents and Settings\HAL\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pflphaooapbgpeakohlggbpidpppgdff_0.localstorage

     ***** [ Shortcuts ] *****

     ***** [ Registry ] *****

     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\conduit.com
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3004627E-F8E9-4E8B-909D-316753CBA923}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4ED063C9-4A0B-4B44-A9DC-23AFF424A0D3}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C358B3D0-B911-41E3-A276-E7D43A6BA56D}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D40753C7-8A59-4C1F-BE88-C300F4624D5B}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF5625A3-37AB-4BDB-9875-2A3D91CD0DFD}
     Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF5625A3-37AB-4BDB-9875-2A3D91CD0DFD}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{219046AE-358F-4CF1-B1FD-2B4DE83642A8}
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
     Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
     Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
     Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

     ***** [ Browsers ] *****

     -\\ Internet Explorer v8.0.6001.18702

     -\\ Mozilla Firefox v26.0 (en-US)

     [ File : C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\prefs.js ]

     [ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v41ure3k.default\prefs.js ]

     Line Deleted : user_pref("browser.search.selectedEngine", "Mysearchdial");
     Line Deleted : user_pref("browser.search.defaultenginename", "Mysearchdial");

     -\\ Google Chrome v32.0.1700.72

     [ File : C:\Documents and Settings\HAL\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

     Deleted : homepage
     Deleted : urls_to_restore_on_startup

     *************************

     AdwCleaner[R0].txt - [4487 octets] - [09/01/2014 13:52:02]
     AdwCleaner[s0].txt - [4474 octets] - [09/01/2014 13:55:44]

     ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [4534 octets] ##########
  10. Hello, my original problem was that Malwarebytes detected eight infected objects and then froze, followed by bluescreen. I have followed the instructions, run dds.scr, and attached attach.txt and dds.txt. Thank you.

      attach.txt
      dds.txt
  11. Hello, I suspected infection of my computer (OS: WinXP) and so updated Malwarebytes and performed a quick scan. It finds 8 infected objects quickly, but then freezes. The first time it happened, I got a blue screen and had to remove the battery to reboot. The second time, it just froze, and I had to depress the power button to force a shutdown. Any help would be greatly appreciated. Thanks, HC.
  12. Hello, I received an email from a family member with an attachment that I opened (shouldn't have, I know). The family member's email account was obviously infected and was mailing the malware. A short time later, a pop-up appeared on my computer announcing that my computer was infected. I ran Malwarebytes, but it didn't find anything, so I performed your recommended procedure. Below are the contents of DDS.txt, and I have attached a zip file containing Attach.txt and ark.txt. Thank you very much for your help!

      .
      DDS (Ver_11-03-05.01) - NTFSx86
      Run by HAL at 20:24:52.03 on Wed 05/18/2011
      Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_24
      Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1243 [GMT -4:00]
      .
      AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
      .
      ============== Running Processes ===============
      .
      C:\WINDOWS\system32\svchost -k DcomLaunch
      svchost.exe
      C:\Program Files\Windows Defender\MsMpEng.exe
      C:\WINDOWS\System32\svchost.exe -k netsvcs
      svchost.exe
      svchost.exe
      C:\WINDOWS\System32\WLTRYSVC.EXE
      C:\WINDOWS\System32\bcmwltry.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Avira\AntiVir Desktop\sched.exe
      svchost.exe
      C:\Program Files\Avira\AntiVir Desktop\avguard.exe
      C:\Program Files\Dell Network Assistant\hnm_svc.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
      C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\Dell Support Center\bin\sprtsvc.exe
      C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\STacSV.exe
      C:\WINDOWS\system32\svchost.exe -k imgsvc
      C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
      C:\WINDOWS\vVX6000.exe
      C:\Program Files\Logitech\QuickCam\Quickcam.exe
      C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
      C:\program files\real\realplayer\update\realsched.exe
      C:\Program Files\Common Files\Java\Java Update\jusched.exe
      C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\TouchFreeze\TouchFreeze.exe
      C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
      C:\Program Files\BELKIN\Video Dock Power Applet\PowerApp.exe
      C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Mozilla Thunderbird\thunderbird.exe
      C:\WINDOWS\system32\WISPTIS.EXE
      C:\Documents and Settings\HAL\Desktop\dds.scr
      .
      ============== Pseudo HJT Report ===============
      .
      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
      uInternet Settings,ProxyOverride = <local>
      uSearchAssistant = hxxp://www.google.com/ie
      uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
      BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
      BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
      BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
      BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
      BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
      BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
      BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
      BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
      BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
      BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
      TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
      TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
      TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
      uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
      uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
      uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
      uRun: [TouchFreeze] c:\program files\touchfreeze\TouchFreeze.exe
      mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
      mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
      mRun: [VX6000] c:\windows\vVX6000.exe
      mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
      mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
      mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
      mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
      mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
      mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
      dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
      StartupFolder: c:\docume~1\hal\startm~1\programs\startup\videod~1.lnk - c:\program files\belkin\video dock power applet\PowerApp.exe
      StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
      IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
      IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
      IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
      IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
      DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
      DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
      DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
      DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
      Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
      Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
      SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
      SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
      .
      ================= FIREFOX ===================
      .
      FF - ProfilePath - c:\docume~1\hal\applic~1\mozilla\firefox\profiles\6m7ci4cn.default\
      FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
      FF - prefs.js: network.proxy.http - 127.0.0.1
      FF - prefs.js: network.proxy.http_port - 51939
      FF - prefs.js: network.proxy.type - 0
      FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
      FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
      FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
      FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
      FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
      FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
      FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
      FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
      FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
      FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
      FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
      FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
      .
      ---- FIREFOX POLICIES ----
      FF - user.js: yahoo.homepage.dontask - true
      .
      ============= SERVICES / DRIVERS ===============
      .
      R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-17 11608]
      R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-17 136360]
      R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-17 269480]
      R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-17 61960]
      R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
      S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-23 135664]
      S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\adm851x.sys --> c:\windows\system32\drivers\ADM851X.SYS [?]
      S3 cmudau32;C-Media USB UDA Sound Interface;c:\windows\system32\drivers\cmudaxu.sys --> c:\windows\system32\drivers\cmudaxu.sys [?]
      S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-23 135664]
      S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2010-8-5 29952]
      S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2010-8-5 41856]
      S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2010-8-5 39936]
      S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2010-8-5 59520]
      S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2006-6-29 2383152]
      .
      =============== Created Last 30 ================
      .
      2011-05-17 13:53:43  7071056  ----a-w-  c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{0794b6aa-a5f6-42b6-82ae-17426b7522eb}\mpengine.dll
      2011-05-02 00:40:05  49904    ----a-r-  c:\windows\system32\drivers\BVRPMPR5.SYS
      2011-05-02 00:32:17  -------- d-----w-  C:\Netgear
      2011-05-01 16:44:46  -------- d-----w-  c:\docume~1\alluse~1\applic~1\Skype Extras
      .
      ==================== Find3M ====================
      .
      2011-03-07 05:33:50  692736   ----a-w-  c:\windows\system32\inetcomm.dll
      2011-03-04 06:37:06  420864   ----a-w-  c:\windows\system32\vbscript.dll
      2011-03-03 13:21:11  1857920  ----a-w-  c:\windows\system32\win32k.sys
      2011-02-22 23:06:29  916480   ----a-w-  c:\windows\system32\wininet.dll
      2011-02-22 23:06:29  43520    ----a-w-  c:\windows\system32\licmgr10.dll
      2011-02-22 23:06:29  1469440  ----a-w-  c:\windows\system32\inetcpl.cpl
      2011-02-22 11:41:59  385024   ----a-w-  c:\windows\system32\html.iec
      .
      ============= FINISH: 20:25:15.12 ===============

      Attach.zip
  13. OK, understood. I guess that's it. Thanks again for all your help!
  14. I followed the last steps. Your recommendations advise using a third-party firewall rather than Windows'. I've been using Windows'. I downloaded Outpost but haven't yet installed it. If I do, do you know whether I should then disable the Windows firewall? Thank you very much for your help in all of this!