Whome Posted January 10, 2009 ID:46398

Computer won't allow programs to be installed unless in safe mode - can't install Avira due to no network in safe mode. Installed Malwarebytes, but it will not load. Installed Spybot-S&D but it only partly loads. Can run HijackThis and here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 11:57:15 PM, on 09/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Killer Stuff\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.mdg.ca
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [380a59d7] rundll32.exe "C:\WINDOWS\system32\joterqaj.dll",b
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http:\\www.mdg.ca
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.1.99.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://www.cogeco.ca/en/OLS3.3/fscax.cab
O20 - AppInit_DLLs: yvmlrx.dll frjicl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - Unknown owner - C:\Program Files\COGECO Security Services\FSAUA\program\fsaua.exe (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\COGECO Security Services\Common\FSMA32.EXE (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
kahdah Posted January 10, 2009 ID:46548

Hello Whome
Welcome to Malwarebytes
==================
Please download DDS and save it to your desktop.
Disable any script blocking protection.
Double click dds.scr to run the tool. When done, DDS.txt will open. Click Yes at the next prompt for Optional Scan. Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:
DDS.txt
Attach.txt
============
Download GMER from Here:
Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for
Whome Posted January 11, 2009 Author ID:46637

Hello Kahdah
I've done as you have instructed. DDS worked and the logs are below. However, GMER would not run.

DDS (Ver_09-01-07.01) - NTFSx86
Run by Laycocks at 23:34:33.93 on 10/01/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1503.1051 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\Laycocks\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mDefault_Page_URL = hxxp:\\www.mdg.ca
uInternet Connection Wizard,ShellNext = iexplore
BHO: {42a409b5-57bb-49cf-a348-b32a2162f834} - c:\windows\system32\jkkJCsrR.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jKaYsPgG.dll
BHO: c:\windows\system32\tyshb36rfjdf.dll: {d5bf49a2-94f1-42bd-f434-3604812c807d} - c:\windows\system32\tyshb36rfjdf.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
uRun: [ATI Scheduler] c:\program files\ati multimedia\main\ATISched.EXE
uRun: [ATI Launchpad]
uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [<NO NAME>]
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [uSRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [soundMan] SOUNDMAN.EXE
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [F-Secure Manager] "c:\program files\cogeco security services\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\cogeco security services\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [380a59d7] rundll32.exe "c:\windows\system32\joterqaj.dll",b
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: jKaYsPgG - jKaYsPgG.dll
AppInit_DLLs: yvmlrx.dll frjicl.dll
STS: c:\windows\system32\tyshb36rfjdf.dll: {d5bf49a2-94f1-42bd-f434-3604812c807d} - c:\windows\system32\tyshb36rfjdf.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jKaYsPgG.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkJCsrR
LSA: Notification Packages = :\WINDOW

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\laycocks\applic~1\mozilla\firefox\profiles\igth902o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\laycocks\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-3-30 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-3-30 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-3-30 9088]
R4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\cogeco security services\anti-virus\minifilter\fsgk.sys --> c:\program files\cogeco security services\anti-virus\minifilter\fsgk.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-1-12 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-1-12 85696]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\cogeco security services\anti-virus\win2k\fsfilter.sys --> c:\program files\cogeco security services\anti-virus\win2k\FSfilter.sys [?]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\cogeco security services\anti-virus\win2k\fsrec.sys --> c:\program files\cogeco security services\anti-virus\win2k\FSrec.sys [?]

=============== Created Last 30 ================

2009-01-09 22:55 133,120 a------- c:\windows\system32\frjicl.dll
2009-01-09 22:55 133,120 a------- c:\windows\system32\hyiyuqar.dll
2009-01-09 22:52 1,367,332 ---sh--- c:\windows\system32\eqobtoeb.ini
2009-01-09 22:52 90,624 a------- c:\windows\system32\beotboqe.dll
2009-01-09 21:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-09 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-09 21:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-09 21:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 21:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 21:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 18:55 129,536 a------- c:\windows\system32\yvmlrx.dll
2009-01-07 18:55 129,536 a------- c:\windows\system32\anwlpynk.dll
2009-01-07 18:52 1,353,973 ---sh--- c:\windows\system32\jaqretoj.ini
2009-01-07 17:19 <DIR> --d----- C:\Killer Stuff
2009-01-07 17:18 <DIR> --d----- C:\!KillBox
2009-01-06 22:41 <DIR> --d----- c:\docume~1\laycocks\applic~1\F-Secure
2009-01-06 22:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\F-Secure
2009-01-06 19:46 1,353,973 ---sh--- c:\windows\system32\slngntlt.ini
2009-01-06 19:46 86,528 a------- c:\windows\system32\tltngnls.dll
2009-01-06 18:53 137,728 a------- c:\windows\system32\ritjkftq.dll
2009-01-06 18:53 137,728 a------- c:\windows\system32\dwwjai.dll
2009-01-06 18:50 1,353,973 ---sh--- c:\windows\system32\oxhunnse.ini
2008-12-29 02:31 45,056 a------- c:\windows\system32\mlJAsQih.dll
2008-12-29 00:39 139,264 a------- c:\windows\system32\uownem.dll
2008-12-29 00:39 139,264 a------- c:\windows\system32\jdiowumj.dll
2008-12-29 00:39 1,762,028 ---sh--- c:\windows\system32\lfnooslc.ini
2008-12-26 02:49 135,680 a------- c:\windows\system32\ahvoih.dll
2008-12-26 02:49 135,680 a------- c:\windows\system32\xlqbbiid.dll
2008-12-26 02:49 1,762,028 ---sh--- c:\windows\system32\jqhqfuok.ini
2008-12-21 10:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fssg
2008-12-20 19:46 <DIR> --d----- C:\fsaua.data
2008-12-20 16:50 <DIR> --d----- c:\temp\REX81
2008-12-20 16:50 <DIR> --d----- c:\windows\system32\foi
2008-12-20 16:50 <DIR> --d----- c:\temp\1cb
2008-12-20 16:49 15,000 a------- c:\windows\system32\tyshb36rfjdf.dll
2008-12-20 16:49 57,856 a------- c:\windows\system32\bYOgHWNd.dll
2008-12-20 16:43 57,856 a------- c:\windows\system32\aWOHwVOe.dll
2008-12-20 16:43 135,168 a------- c:\windows\system32\crkiaq.dll
2008-12-20 16:42 135,168 a------- c:\windows\system32\nmjgydwi.dll
2008-12-20 16:41 1,668,120 ---sh--- c:\windows\system32\fyecmtfi.ini
2008-12-20 16:39 423,304 a--sh--- c:\windows\system32\RrsCJkkj.ini
2008-12-20 16:39 423,197 a--sh--- c:\windows\system32\RrsCJkkj.ini2
2008-12-20 16:39 286,208 a------- c:\windows\system32\jkkJCsrR.dll
2008-12-20 16:34 57,856 a------- c:\windows\system32\jKaYsPgG.dll
2008-12-20 16:34 70,656 a------- c:\windows\system32\prunnet.exe

==================== Find3M ====================

2008-12-29 01:08 10,740 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-29 01:08 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-11-26 04:04 14,154 a------- c:\docume~1\laycocks\applic~1\wklnhst.dat
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 05:20 667,648 a------- c:\windows\system32\wininet.dll
2008-05-21 17:31 133,160 ac------ c:\docume~1\laycocks\applic~1\GDIPFONTCACHEV1.DAT
2006-09-19 00:24 81,920 ac------ c:\docume~1\laycocks\applic~1\ezpinst.exe
2006-09-19 00:24 47,360 ac------ c:\docume~1\laycocks\applic~1\pcouffin.sys
2006-09-13 00:18 774,144 ac------ c:\program files\RngInterstitial.dll

============= FINISH: 23:37:37.67 ===============

Attach.txt
kahdah Posted January 11, 2009 ID:46641

Please download OTMoveIt3 by OldTimer. Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:processes
explorer.exe

:files
c:\windows\system32\frjicl.dll
c:\windows\system32\hyiyuqar.dll
c:\windows\system32\eqobtoeb.ini
c:\windows\system32\beotboqe.dll
c:\windows\system32\yvmlrx.dll
c:\windows\system32\anwlpynk.dll
c:\windows\system32\jaqretoj.ini
c:\windows\system32\slngntlt.ini
c:\windows\system32\tltngnls.dll
c:\windows\system32\ritjkftq.dll
c:\windows\system32\dwwjai.dll
c:\windows\system32\oxhunnse.ini
c:\windows\system32\mlJAsQih.dll
c:\windows\system32\uownem.dll
c:\windows\system32\jdiowumj.dll
c:\windows\system32\lfnooslc.ini
c:\windows\system32\ahvoih.dll
c:\windows\system32\xlqbbiid.dll
c:\windows\system32\jqhqfuok.ini
c:\temp\REX81
c:\windows\system32\foi
c:\temp\1cb
c:\windows\system32\tyshb36rfjdf.dll
c:\windows\system32\bYOgHWNd.dll
c:\windows\system32\aWOHwVOe.dll
c:\windows\system32\crkiaq.dll
c:\windows\system32\nmjgydwi.dll
c:\windows\system32\fyecmtfi.ini
c:\windows\system32\RrsCJkkj.ini
c:\windows\system32\RrsCJkkj.ini2
c:\windows\system32\jkkJCsrR.dll
c:\windows\system32\jKaYsPgG.dll
c:\windows\system32\prunnet.exe

:commands
[emptytemp]
[start explorer]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3
--------------------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt along with a DDS log so we can continue cleaning the system.
========================
Please post these logs in your next reply:
OTMoveIt log
Combofix log
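The file list in the OTMoveIt script above was built by reading the load points in the DDS and HijackThis logs Whome posted: the AppInit_DLLs value, the extra LSA Authentication Package, the Run entry with a hex-looking name that launches rundll32 on a DLL in system32, and the BHOs living in system32. As an added example (editor's code, not code from this thread or from HijackThis, DDS, OTMoveIt or ComboFix), here is a small Python triage script that applies those same heuristics to HijackThis/DDS-style lines, so the reasoning behind the list can be reproduced on another log. The sample lines are constructed for the example: several are copied from the logs above, while the "Example Helper" BHO, its CLSID and its path are invented as a benign control. The rules are indicators for a person to review, not a verdict.

```python
"""Triage of HijackThis/DDS-style log lines (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str    # load point category: run-key, bho, appinit, lsa
    detail: str  # why the line was flagged
    line: str    # the log line that produced it


# "O4 - ", "O20 - " ... : HijackThis section prefix (DDS lines carry none)
HJT_PREFIX = re.compile(r"^[ORFN]\d+\s+-\s+")
# HijackThis "HKLM\..\Run: [name] command" and DDS "mRun:/uRun: [name] command"
RUN_RE = re.compile(r"^(?:HK(?:LM|CU)\\\.\.\\Run|[mu]Run):\s*\[([^\]]*)\]\s*(.*)$")
# "BHO: name - {CLSID} - path" (HijackThis) or "BHO: {CLSID} - path" (DDS)
BHO_RE = re.compile(r"^BHO:\s*(.*?)(\{[0-9A-Fa-f-]{36}\})\s*-\s*(.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.*)$")
LSA_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(.*)$")
RUNDLL32_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def triage_line(raw: str) -> list:
    """Return the findings for one log line (empty list if nothing stands out)."""
    line = raw.strip()
    body = HJT_PREFIX.sub("", line)
    findings = []

    m = RUN_RE.match(body)
    if m:
        name, cmd = m.group(1), m.group(2)
        # A Run value that asks rundll32 to load a DLL out of system32 is how
        # the joterqaj.dll entry in this thread was started at logon.
        if RUNDLL32_RE.match(cmd) and SYSTEM32_RE.search(cmd):
            findings.append(Finding("run-key", f"rundll32 loads a DLL from system32 ({name})", line))
        # Value names that are just eight hex digits (380a59d7 above) are not
        # how vendors name their autostarts.
        if HEX_NAME_RE.match(name):
            findings.append(Finding("run-key", f"hex-looking value name {name}", line))
        return findings

    m = BHO_RE.match(body)
    if m:
        # Vendor BHOs install under Program Files; a BHO living in system32
        # deserves a look (jkkJCsrR.dll above).
        if SYSTEM32_RE.search(m.group(3)):
            findings.append(Finding("bho", f"BHO {m.group(2)} loads from system32", line))
        return findings

    m = APPINIT_RE.match(body)
    if m:
        # AppInit_DLLs is empty on a clean machine; anything listed is loaded
        # into every process that links user32.dll.
        if m.group(1).strip():
            findings.append(Finding("appinit", f"AppInit_DLLs set: {m.group(1).strip()}", line))
        return findings

    m = LSA_RE.match(body)
    if m:
        # msv1_0 is the stock package; any other entry is loaded by lsass.exe.
        extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
        if extra:
            findings.append(Finding("lsa", "extra authentication package(s): " + " ".join(extra), line))
    return findings


def triage(log_text: str) -> list:
    """Run triage_line over a whole log and collect the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        findings.extend(triage_line(raw))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per load-point category."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample: lines copied from the logs in this thread plus benign
# controls (the "Example Helper" BHO, its CLSID and its path are invented).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [380a59d7] rundll32.exe "C:\WINDOWS\system32\joterqaj.dll",b
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O2 - BHO: (no name) - {42A409B5-57BB-49CF-A348-B32A2162F834} - C:\WINDOWS\system32\jkkJCsrR.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O20 - AppInit_DLLs: yvmlrx.dll frjicl.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkJCsrR
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
    print(summarize(results))
```

Run it as a script to see the five flagged lines; note that a plain system32 path alone (igfxtray.exe) is not flagged, since the point of the rules is the combination of load point and location, not the directory by itself.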
Whome Posted January 11, 2009 Author ID:46653

OK, I ran OTMoveIt and it came up with an "Access violation at address 77124BA7. Read of address 77124BA7." I copied the log it did create to the clipboard but when I closed the program it crashed my computer. I tried to find a log in the folder specified but there were none. What I did find were 2 .dll files: frjicl and hyiyuqar. I tried running it a second time but again it came up with the same error. The log it did create was all "did not find" type errors and only had about 6 or so. If needed I can run it again to get the exact log. I will save the log before closing the app.
Here is the log from Combo-fix. There was no DDS log that I could find.

ComboFix 09-01-10.02 - Laycocks 2009-01-11 0:46:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1503.1126 [GMT -5:00]
Running from: c:\documents and settings\Laycocks\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Laycocks\Local Settings\Temporary Internet Files\fbk.sts
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\system32\ahvoih.dll
c:\windows\system32\anwlpynk.dll
c:\windows\system32\aWOHwVOe.dll
c:\windows\system32\beotboqe.dll
c:\windows\system32\bYOgHWNd.dll
c:\windows\system32\crkiaq.dll
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\dwwjai.dll
c:\windows\system32\jdiowumj.dll
c:\windows\system32\jKaYsPgG.dll
c:\windows\system32\jkkJCsrR.dll
c:\windows\system32\mfcans32.DLL
c:\windows\system32\msexcl35.dll
c:\windows\system32\msltus35.dll
c:\windows\system32\mspdox35.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\mstext35.dll
c:\windows\system32\msxbse35.dll
c:\windows\system32\nmjgydwi.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\rdocurs.dll
c:\windows\system32\ritjkftq.dll
c:\windows\system32\RrsCJkkj.ini
c:\windows\system32\RrsCJkkj.ini2
c:\windows\system32\TDSShrxm.dll
c:\windows\system32\TDSSkhyp.log
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvkql.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\TDSSxmxh.log
c:\windows\system32\tltngnls.dll
c:\windows\system32\tyshb36rfjdf.dll
c:\windows\system32\uownem.dll
c:\windows\system32\xlqbbiid.dll
c:\windows\system32\yvmlrx.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-11 00:18 . 2009-01-11 00:18 <DIR> d-------- C:\_OTMoveIt
2009-01-09 21:57 . 2009-01-09 21:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-09 21:57 . 2009-01-09 22:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-09 21:34 . 2009-01-09 21:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 21:34 . 2009-01-09 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 21:34 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 21:34 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 18:52 . 2009-01-07 18:53 1,353,973 --ahs---- c:\windows\system32\jaqretoj.ini
2009-01-07 17:19 . 2009-01-09 23:57 <DIR> d-------- C:\Killer Stuff
2009-01-07 17:18 . 2009-01-07 17:18 <DIR> d-------- C:\!KillBox
2009-01-06 22:41 . 2009-01-06 22:41 <DIR> d-------- c:\documents and settings\Laycocks\Application Data\F-Secure
2009-01-06 22:30 . 2009-01-06 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\F-Secure
2009-01-06 19:46 . 2009-01-06 19:47 1,353,973 --ahs---- c:\windows\system32\slngntlt.ini
2009-01-06 18:50 . 2009-01-06 18:50 1,353,973 --ahs---- c:\windows\system32\oxhunnse.ini
2008-12-29 02:31 . 2008-12-29 02:31 45,056 --a------ c:\windows\system32\mlJAsQih.dll
2008-12-29 00:39 . 2008-12-29 00:39 1,762,028 --ahs---- c:\windows\system32\lfnooslc.ini
2008-12-26 02:49 . 2008-12-29 00:38 1,762,028 --ahs---- c:\windows\system32\jqhqfuok.ini
2008-12-21 10:46 . 2008-12-26 02:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\fssg
2008-12-20 19:46 . 2008-12-20 19:46 <DIR> d-------- C:\fsaua.data
2008-12-20 16:50 . 2008-12-20 16:50 <DIR> d-------- c:\windows\system32\foi
2008-12-20 16:50 . 2008-12-20 16:50 <DIR> d-------- c:\temp\REX81
2008-12-20 16:41 . 2008-12-20 16:41 1,668,120 --ahs---- c:\windows\system32\fyecmtfi.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 04:41 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-07 01:48 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-07 01:48 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-29 06:08 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-29 06:08 10,740 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-21 00:42 --------- d-----w c:\program files\SopCast
2008-11-28 05:16 --------- d-----w c:\program files\QuickTime
2008-11-27 17:39 --------- d-----w c:\program files\iTunes
2008-11-27 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-27 17:35 --------- d-----w c:\program files\iPod
2008-11-27 17:35 --------- d-----w c:\program files\Common Files\Apple
2008-11-27 17:21 --------- d-----w c:\program files\Safari
2008-11-26 09:04 14,154 ----a-w c:\documents and settings\Laycocks\Application Data\wklnhst.dat
2008-11-24 03:09 --------- d-----w c:\documents and settings\All Users\Application Data\ATI MMC
2008-11-15 03:00 --------- d-----w c:\program files\Morpheus
2008-05-21 22:31 133,160 -c--a-w c:\documents and settings\Laycocks\Application Data\GDIPFONTCACHEV1.DAT
2006-09-19 05:24 81,920 -c--a-w c:\documents and settings\Laycocks\Application Data\ezpinst.exe
2006-09-19 05:24 47,360 -c--a-w c:\documents and settings\Laycocks\Application Data\pcouffin.sys
2006-09-13 05:18 774,144 -c--a-w c:\program files\RngInterstitial.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [2005-05-04 36864]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-05-04 53248]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-09-26 3660848]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2004-08-10 77891]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 c:\windows\SOUNDMAN.EXE]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 c:\windows\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [2004-07-02 c:\windows\ALCMTR.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=yvmlrx.dll frjicl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.UYVY"= c:\windows\system32\msyuv.dll
"VIDC.YUY2"= ATIVYUY.DLL
"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\jkkJCsrR

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Morpheus\\Morpheus.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Microsoft Games\\MechWarrior Vengeance Trial\\MW4.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-03-30 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-03-30 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-03-30 9088]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys --> c:\program files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-01-12 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-01-12 85696]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSfilter.sys --> c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSfilter.sys [?]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSrec.sys --> c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSrec.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{019f7bfa-dd09-11dd-a766-00132057a270}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2acb4399-dc4c-11dd-a75e-00132057a270}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mgae.com/keylauncher/?code=3654267062666774
.
Contents of the 'Scheduled Tasks' folder

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-10 c:\windows\Tasks\uhbjlxmv.job
- c:\windows\system32\rundll32.exe [2004-08-10 07:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{51368521-EAF6-421F-8BAB-88CC588D02DB} - (no file)
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\jKaYsPgG.dll
BHO-{D23C72B9-0F38-4762-85D5-D38A413A399D} - c:\windows\system32\jkkJCsrR.dll
BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll
WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
HKCU-Run-ATI Launchpad - (no file)
HKLM-Run-F-Secure Manager - c:\program files\COGECO Security Services\Common\FSM32.EXE
HKLM-Run-F-Secure TNB - c:\program files\COGECO Security Services\FSGUI\TNBUtil.exe
HKLM-Run-380a59d7 - c:\windows\system32\joterqaj.dll
SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\jKaYsPgG.dll
Notify-dimsntfy - (no file)

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Laycocks\Application Data\Mozilla\Firefox\Profiles\igth902o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\Laycocks\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 00:53:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...
scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-262542382-820493166-2832226997-1004\Software\Microsoft\SystemCertificates\AddressBook*]@Allowed: (Read) (RestrictedCode)@Allowed: (Read) (RestrictedCode).------------------------ Other Running Processes ------------------------.c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\windows\ehome\ehrecvr.exec:\windows\ehome\ehSched.exec:\program files\Google\Common\Google Updater\GoogleUpdaterService.exec:\windows\system32\HPZipm12.exec:\windows\ehome\RMSvc.exec:\windows\system32\wdfmgr.exec:\windows\ehome\McrdSvc.exec:\windows\system32\dllhost.exec:\windows\ehome\ehmsas.exec:\program files\iPod\bin\iPodService.exe.**************************************************************************.Completion time: 2009-01-11 0:59:07 - machine was rebootedComboFix-quarantined-files.txt 2009-01-11 05:58:04Pre-Run: 47,490,891,776 bytes freePost-Run: 48,073,273,344 bytes free256 --- E O F --- 2008-12-19 00:22:05 Link to post Share on other sites More sharing options...
Whome (Author) Posted January 11, 2009 ID:46655

As an update. I can now run Spybot S&D and Malwarebytes. I did not do any scans with them yet and at the first opportunity closed them. Reading your post again, you want me to run dds.scr again... here is its log.

DDS (Ver_09-01-07.01) - NTFSx86
Run by Laycocks at 1:07:54.56 on 11/01/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1503.1045 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Laycocks\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
uRun: [ATI Scheduler] c:\program files\ati multimedia\main\ATISched.EXE
uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ATI Launchpad]
mRun: [uSRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [soundMan] SOUNDMAN.EXE
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Alcmtr] ALCMTR.EXE
mRun: [F-Secure Manager] "c:\program files\cogeco security services\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\cogeco security services\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [380a59d7] rundll32.exe "c:\windows\system32\joterqaj.dll",b
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: yvmlrx.dll frjicl.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkJCsrR

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\laycocks\applic~1\mozilla\firefox\profiles\igth902o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\laycocks\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-3-30 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-3-30 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-3-30 9088]
R4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\cogeco security services\anti-virus\minifilter\fsgk.sys --> c:\program files\cogeco security services\anti-virus\minifilter\fsgk.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-1-12 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-1-12 85696]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\cogeco security services\anti-virus\win2k\fsfilter.sys --> c:\program files\cogeco security services\anti-virus\win2k\FSfilter.sys [?]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\cogeco security services\anti-virus\win2k\fsrec.sys --> c:\program files\cogeco security services\anti-virus\win2k\FSrec.sys [?]

=============== Created Last 30 ================

2009-01-11 01:05 <DIR> --d----- c:\docume~1\laycocks\applic~1\Malwarebytes
2009-01-11 00:36 161,792 a------- c:\windows\SWREG.exe
2009-01-11 00:36 98,816 a------- c:\windows\sed.exe
2009-01-11 00:18 <DIR> --d----- C:\_OTMoveIt
2009-01-09 21:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-09 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-09 21:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-09 21:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 21:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 21:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 18:52 1,353,973 a--sh--- c:\windows\system32\jaqretoj.ini
2009-01-07 17:19 <DIR> --d----- C:\Killer Stuff
2009-01-07 17:18 <DIR> --d----- C:\!KillBox
2009-01-06 22:41 <DIR> --d----- c:\docume~1\laycocks\applic~1\F-Secure
2009-01-06 22:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\F-Secure
2009-01-06 19:46 1,353,973 a--sh--- c:\windows\system32\slngntlt.ini
2009-01-06 18:50 1,353,973 a--sh--- c:\windows\system32\oxhunnse.ini
2008-12-29 02:31 45,056 a------- c:\windows\system32\mlJAsQih.dll
2008-12-29 00:39 1,762,028 a--sh--- c:\windows\system32\lfnooslc.ini
2008-12-26 02:49 1,762,028 a--sh--- c:\windows\system32\jqhqfuok.ini
2008-12-21 10:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fssg
2008-12-20 19:46 <DIR> --d----- C:\fsaua.data
2008-12-20 16:50 <DIR> --d----- c:\temp\REX81
2008-12-20 16:50 <DIR> --d----- c:\windows\system32\foi
2008-12-20 16:41 1,668,120 a--sh--- c:\windows\system32\fyecmtfi.ini

==================== Find3M ====================

2008-12-29 01:08 10,740 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-29 01:08 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-11-26 04:04 14,154 a------- c:\docume~1\laycocks\applic~1\wklnhst.dat
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 05:20 667,648 a------- c:\windows\system32\wininet.dll
2008-05-21 17:31 133,160 ac------ c:\docume~1\laycocks\applic~1\GDIPFONTCACHEV1.DAT
2006-09-19 00:24 81,920 ac------ c:\docume~1\laycocks\applic~1\ezpinst.exe
2006-09-19 00:24 47,360 ac------ c:\docume~1\laycocks\applic~1\pcouffin.sys
2006-09-13 00:18 774,144 ac------ c:\program files\RngInterstitial.dll

============= FINISH: 1:08:20.50 ===============

(Attachment: Attach.txt)
kahdah Posted January 11, 2009 ID:46657

1. Please open Notepad: click Start, then Run, type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\jaqretoj.ini
c:\windows\system32\slngntlt.ini
c:\windows\system32\oxhunnse.ini
c:\windows\system32\mlJAsQih.dll
c:\windows\system32\lfnooslc.ini
c:\windows\system32\jqhqfuok.ini
c:\windows\system32\fyecmtfi.ini

Folder::
c:\windows\system32\foi
c:\temp\REX81

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt

=========

Then update Malwarebytes and run a quick scan on the system, quarantine what it finds, and post the resulting log here please.
Whome (Author) Posted January 11, 2009 ID:46744

Here is the log.

ComboFix 09-01-10.02 - Laycocks 2009-01-11 10:23:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1503.1071 [GMT -5:00]
Running from: c:\documents and settings\Laycocks\Desktop\Combo-Fix.exe
Command switches used :: E:\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\fyecmtfi.ini
c:\windows\system32\jaqretoj.ini
c:\windows\system32\jqhqfuok.ini
c:\windows\system32\lfnooslc.ini
c:\windows\system32\mlJAsQih.dll
c:\windows\system32\oxhunnse.ini
c:\windows\system32\slngntlt.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\temp\REX81
c:\temp\REX81\BDF.log
c:\windows\system32\foi
c:\windows\system32\fyecmtfi.ini
c:\windows\system32\jaqretoj.ini
c:\windows\system32\jqhqfuok.ini
c:\windows\system32\lfnooslc.ini
c:\windows\system32\mlJAsQih.dll
c:\windows\system32\oxhunnse.ini
c:\windows\system32\slngntlt.ini

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-11 01:05 . 2009-01-11 01:05 <DIR> d-------- c:\documents and settings\Laycocks\Application Data\Malwarebytes
2009-01-11 00:18 . 2009-01-11 00:18 <DIR> d-------- C:\_OTMoveIt
2009-01-09 21:57 . 2009-01-09 21:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-09 21:57 . 2009-01-11 01:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-09 21:34 . 2009-01-09 21:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 21:34 . 2009-01-09 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 21:34 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 21:34 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 17:19 . 2009-01-09 23:57 <DIR> d-------- C:\Killer Stuff
2009-01-07 17:18 . 2009-01-07 17:18 <DIR> d-------- C:\!KillBox
2009-01-06 22:41 . 2009-01-06 22:41 <DIR> d-------- c:\documents and settings\Laycocks\Application Data\F-Secure
2009-01-06 22:30 . 2009-01-06 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\F-Secure
2008-12-21 10:46 . 2008-12-26 02:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\fssg
2008-12-20 19:46 . 2008-12-20 19:46 <DIR> d-------- C:\fsaua.data
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 04:41 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-07 01:48 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-07 01:48 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-29 06:08 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-29 06:08 10,740 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-21 00:42 --------- d-----w c:\program files\SopCast
2008-11-28 05:16 --------- d-----w c:\program files\QuickTime
2008-11-27 17:39 --------- d-----w c:\program files\iTunes
2008-11-27 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-27 17:35 --------- d-----w c:\program files\iPod
2008-11-27 17:35 --------- d-----w c:\program files\Common Files\Apple
2008-11-27 17:21 --------- d-----w c:\program files\Safari
2008-11-26 09:04 14,154 ----a-w c:\documents and settings\Laycocks\Application Data\wklnhst.dat
2008-11-24 03:09 --------- d-----w c:\documents and settings\All Users\Application Data\ATI MMC
2008-11-15 03:00 --------- d-----w c:\program files\Morpheus
2008-05-21 22:31 133,160 -c--a-w c:\documents and settings\Laycocks\Application Data\GDIPFONTCACHEV1.DAT
2006-09-19 05:24 81,920 -c--a-w c:\documents and settings\Laycocks\Application Data\ezpinst.exe
2006-09-19 05:24 47,360 -c--a-w c:\documents and settings\Laycocks\Application Data\pcouffin.sys
2006-09-13 05:18 774,144 -c--a-w c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((( snapshot@2009-01-11_ 0.57.10.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-11 05:28:49 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-11 06:00:00 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-11 05:28:49 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-11 06:00:00 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-11 05:28:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-11 06:00:00 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-11 15:27:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [2005-05-04 36864]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-05-04 53248]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-09-26 3660848]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"ATI Launchpad"="" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2004-08-10 77891]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"F-Secure Manager"="c:\program files\COGECO Security Services\Common\FSM32.EXE" [bU]
"F-Secure TNB"="c:\program files\COGECO Security Services\FSGUI\TNBUtil.exe" [bU]
"380a59d7"="c:\windows\system32\joterqaj.dll" [bU]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 c:\windows\SOUNDMAN.EXE]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 c:\windows\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [2004-07-02 c:\windows\ALCMTR.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.UYVY"= c:\windows\system32\msyuv.dll
"VIDC.YUY2"= ATIVYUY.DLL
"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Morpheus\\Morpheus.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Microsoft Games\\MechWarrior Vengeance Trial\\MW4.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-03-30 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-03-30 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-03-30 9088]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys --> c:\program files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-01-12 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-01-12 85696]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSfilter.sys --> c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSfilter.sys [?]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSrec.sys --> c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSrec.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{019f7bfa-dd09-11dd-a766-00132057a270}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2acb4399-dc4c-11dd-a75e-00132057a270}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mgae.com/keylauncher/?code=3654267062666774
.
Contents of the 'Scheduled Tasks' folder

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-11 c:\windows\Tasks\uhbjlxmv.job
- c:\windows\system32\rundll32.exe [2004-08-10 07:00]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Laycocks\Application Data\Mozilla\Firefox\Profiles\igth902o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\Laycocks\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 10:27:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-262542382-820493166-2832226997-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\RMSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-11 10:32:41 - machine was rebooted [Laycocks]
ComboFix-quarantined-files.txt 2009-01-11 15:31:43
ComboFix2.txt 2009-01-11 05:59:08

Pre-Run: 48,051,662,848 bytes free
Post-Run: 48,030,658,560 bytes free

222 --- E O F --- 2008-12-19 00:22:05
kahdah Posted January 12, 2009 ID:46970

Please download Malwarebytes' Anti-Malware from Here or Here.

1. Double click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan.
5. The scan may take some time to finish, so please be patient.
6. When the scan is complete, click OK, then Show Results to view the results.
7. Make sure that everything is checked, and click Remove Selected.
8. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
9. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
10. Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Whome (Author) Posted January 12, 2009 ID:47001

Kahdah, I currently do not have an anti-virus program installed (uninstalled after infection). The machine has not been hooked up to the net and I have been working with a different comp. for downloads and just transferring files. Would it be OK to load an anti-virus software before proceeding to the next step and allowing Malwarebytes to search for an upgrade?
kahdah Posted January 13, 2009 ID:47274

For now let's finish the cleaning, then we will get you an antivirus.
Whome (Author) Posted January 13, 2009 ID:47350

Ran Malwarebytes but was unable to update; the computer did not want to acquire an IP address (I will work on this). Ran it anyway (v1.32) and here is the log.

Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 2

13/01/2009 4:08:38 PM
mbam-log-2009-01-13 (16-08-38).txt

Scan type: Quick Scan
Objects scanned: 63923
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\380a59d7 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\reset.cmd (Trojan.Agent) -> Quarantined and deleted successfully.

When I finished running the scan, Spy-Bot came up with a choice to allow or deny a change of a System Startup global entry. The change was: Value deleted, Entry: 380a59d7, old data: rundll32.exe "c:\windows\system32\joterqaj.dll",b

I ran Malwarebytes again; it found one infected object and here is the log:

Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 2

13/01/2009 4:20:56 PM
mbam-log-2009-01-13 (16-20-56).txt

Scan type: Quick Scan
Objects scanned: 63967
Time elapsed: 1 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\380a59d7 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Whome Posted January 13, 2009 (Author) ID:47352

As an add-on, when I start up my computer it says:

Error Loading c:\windows\system32\joterqaj.dll
The specified module could not be found.
kahdah Posted January 14, 2009 ID:47603

Please uninstall Spybot for now; it interferes with the removal. It blocked a registry deletion from happening. That is why that error was present on startup, and that is why MalwareBytes found the same item twice.

Click here to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Double-click on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Whome Posted January 14, 2009 (Author) ID:47725

Here is the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 4:53:05 PM, on 14/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Killer Stuff\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [380a59d7] rundll32.exe "C:\WINDOWS\system32\joterqaj.dll",b
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http:\\www.mdg.ca
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.1.99.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://www.cogeco.ca/en/OLS3.3/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - Unknown owner - C:\Program Files\COGECO Security Services\FSAUA\program\fsaua.exe (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\COGECO Security Services\Common\FSMA32.EXE (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
kahdah Posted January 14, 2009 ID:47753

Please re-open HijackThis and click on "Do a system scan only".
Then place a check mark next to the entry below:

O4 - HKLM\..\Run: [380a59d7] rundll32.exe "C:\WINDOWS\system32\joterqaj.dll",b

Now click on Fix Checked and then close HijackThis.

========================================================

Cleanup:
Please download OTCleanIt from Here and save it to your desktop.
Double-click on OTCleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove the tools we used.

===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11...allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform: "Windows".
Select your Language: "Multi-language".
Read the License Agreement, and then check the box that says: "Accept License Agreement".
Click Continue and the page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

======================

Delete/uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us
If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual

=====================================

After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people. You do not have to have all or any of them; they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
Spyware Blaster - Great prevention tool to keep nasties from installing on your system.
Spywareguard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.
If your computer is slow - Is a tutorial on what you can do if your computer is slow.
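The two symptoms the helper explains above (the same Run value turning up in two consecutive Malwarebytes scans because a real-time blocker restored it, and the "Error Loading ... joterqaj.dll" message at startup once the DLL was gone but its Run entry was not) both come down to one thing: an autostart value that launches rundll32 against a DLL. The following script is an added example written for this thread; it is not code from Malwarebytes, HijackThis or anyone in the discussion. It parses HijackThis v1.99-style O4 lines like the ones in the log above and flags rundll32-hosted autostarts whose value name is a bare hex string or whose DLL no longer exists on disk (an orphaned entry, which is exactly what produces the startup error). The sample lines are copied from the log in this thread; the set of "present" files is constructed so the check runs offline, and all function and variable names are the example's own.

```python
"""Triage HijackThis O4 (autostart) entries for rundll32-hosted DLL loads."""
import os
import re
from dataclasses import dataclass, field

# Shape of a HijackThis O4 line:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# rundll32.exe "C:\path\lib.dll",Export   (quotes and export name are optional)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:\s*,\s*(?P<export>\S+))?',
    re.IGNORECASE,
)
# A value name that is only hex digits (e.g. 380a59d7) names no product at all.
HEXNAME_RE = re.compile(r'^[0-9a-f]{6,}$', re.IGNORECASE)


@dataclass
class O4Entry:
    hive: str   # HKLM / HKCU
    key: str    # Run, RunOnce, ...
    name: str   # registry value name
    cmd: str    # command line stored in the value


@dataclass
class Finding:
    entry: O4Entry
    dll: str
    reasons: list = field(default_factory=list)


def parse_o4(line: str):
    """Return an O4Entry for a HijackThis O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(m['hive'], m['key'], m['name'], m['cmd'])


def assess(lines, file_exists=os.path.exists):
    """Flag rundll32-based autostarts whose value name is a hex blob or whose
    DLL is missing on disk. `file_exists` is injectable so the check can be
    exercised offline against a constructed file list."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        m = RUNDLL_RE.search(entry.cmd)
        if not m:
            continue  # only rundll32-hosted DLL loads are in scope here
        dll = m['dll']
        reasons = ['rundll32 loads a DLL at logon']
        if HEXNAME_RE.match(entry.name):
            reasons.append('value name is a bare hex string')
        if not file_exists(dll):
            reasons.append('DLL not found on disk: orphaned entry, '
                           'expect an "Error Loading" message at startup')
        findings.append(Finding(entry, dll, reasons))
    return findings


# Constructed sample: lines taken from the HijackThis log posted in this thread,
# plus one non-O4 line to show the parser ignores other sections.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [380a59d7] rundll32.exe "C:\WINDOWS\system32\joterqaj.dll",b',
    r'O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide',
    r'O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe',
]

# Constructed stand-in for the disk after cleaning: the DLL has been removed
# but (as in the thread) its Run value survived.
PRESENT_FILES = {
    r'c:\windows\system32\igfxtray.exe',
    r'c:\program files\itunes\ituneshelper.exe',
}


def fake_exists(path: str) -> bool:
    """Offline replacement for os.path.exists over the constructed file set."""
    return path.lower() in PRESENT_FILES


if __name__ == '__main__':
    for f in assess(SAMPLE_LOG, fake_exists):
        print(f'{f.entry.hive}\\...\\{f.entry.key} [{f.entry.name}] -> {f.dll}')
        for r in f.reasons:
            print('   -', r)
```

Run on a live machine, drop the `fake_exists` argument so `os.path.exists` is used; the "orphaned entry" reason is the one to look for when a user reports a "specified module could not be found" box at logon after a cleanup, and it is also the entry a real-time registry guard such as TeaTimer will keep restoring unless it is disabled first, which is why the helper asks for Spybot to be uninstalled before the fix.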