GeekPolice

xp internet security--can't run OTL etc.


Post by nicarp1 on Sat May 08, 2010 1:30 am

Hi, Geek Police--

I have the XP Internet Security infection. I had it a couple of weeks ago, and got rid of it by downloading a registry fix from bleepingcomputer.com, then running MalwareBytes by starting it from a flash drive. The MalwareBytes scan took two days (!), but it successfully got rid of the infection.

Now it's back. I tried doing the above all over again, but this time it wouldn't run the registry fix and I can't open MalwareBytes.

Then I tried following the directions you give for updating Java and running OTL and posting the log here so you can help. However, the virus is keeping me from running either the Java update or OTL! So now I'm at a complete loss--can't do the OTL scan, can't open MalwareBytes, etc.

You kind people helped me one other time (different virus that acted pretty much the same), and I'm hoping you can do the same again. Then once we get it cleaned, I'm hoping I can get your advice on what can keep it away! Sorry I can't post the log, and I'm ready to be patient and get this sucker cleaned outta here. Thanks very much, I'll wait for your answer whenever you're able to give it.

nicarp1

nicarp1
Novice

Posts : 9
Joined : 2010-05-08
OS : xp
Points : 24133
# Likes : 0

Re: xp internet security--can't run OTL etc.

Post by Dr Jay on Sat May 08, 2010 3:06 am

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.


Dr. Jay (DJ)


Dr Jay
Administrator

Posts : 13706
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Points : 144830
# Likes : 10

Re: xp internet security--can't run OTL etc.

Post by nicarp1 on Sat May 08, 2010 4:16 am

Thanks for taking the time to work with me. Unfortunately, after downloading combofix, I can't run it. When I double-click the combofix icon, I get one of the XP Internet Security "error" messages that says: "Application cannot be executed. The file combofix.exe is infected. Do you want to activate your antivirus software now?" So I cannot run the program, or post the log. What next? Thanks again--


Re: xp internet security--can't run OTL etc.

Post by Dr Jay on Sat May 08, 2010 4:31 am

RKill by Grinler
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
This only kills the active infection; the actual infection will not be gone.

Then, try ComboFix again.


Dr. Jay (DJ)


Re: xp internet security--can't run OTL etc.

Post by nicarp1 on Sat May 08, 2010 5:14 pm

I'm sorry, but it didn't work. The first link (#1) brought a 404 error. I downloaded both the others and still no luck. When I double-click on Combofix, a little blank field appears for a second or so before the standard infection error message appears ("Application cannot be executed. The file combofix.exe is infected. Do you want to activate your antivirus software now?"). Yikes, it's a pernicious little bugger. What next?


Re: xp internet security--can't run OTL etc.

Post by Dr Jay on Sat May 08, 2010 6:04 pm

Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

Then, try again please.


Dr. Jay (DJ)


Re: xp internet security--can't run OTL etc.

Post by nicarp1 on Sat May 08, 2010 7:25 pm

I forgot to hit F8 and my machine started normally, but then I tried to run the rkill tool as soon as its icon appeared and it ran successfully! I also ran Combofix, and here's the log:



ComboFix 10-05-07.07 - NicMelEm 05/08/2010 14:08:25.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1537 [GMT -5:00]
Running from: c:\documents and settings\NicMelEm\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\documents and settings\NicMelEm\Local Settings\Application Data\wpyefbmfh
c:\documents and settings\NicMelEm\Local Settings\Application Data\wpyefbmfh\wcafqmttssd.exe
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif

.
((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-04-16 02:24 . 2010-04-16 02:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\avG
2010-04-15 18:56 . 2010-04-15 18:56 -------- d-----w- c:\documents and settings\NicMelEm\Local Settings\Application Data\avG
2010-04-15 18:56 . 2010-04-15 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 00:47 . 2008-12-22 03:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 21:55 . 2010-04-02 02:17 -------- d-----w- c:\documents and settings\NicMelEm\Application Data\Dropbox
2010-04-29 20:39 . 2008-12-22 03:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2008-12-22 03:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 19:34 . 2009-11-26 02:55 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-04-16 03:12 . 2009-07-24 02:47 -------- d-----w- c:\program files\Spyware Doctor
2010-04-16 03:11 . 2008-08-23 20:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-16 03:11 . 2009-07-24 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-15 02:45 . 2010-04-05 23:47 -------- d-----w- c:\program files\ZipGenius 6
2010-04-11 19:38 . 2006-02-22 16:27 -------- d-----w- c:\program files\Google
2010-04-07 02:03 . 2008-12-13 05:14 -------- d-----w- c:\documents and settings\NicMelEm\Application Data\uTorrent
2010-04-05 23:51 . 2010-04-05 23:48 -------- d-----w- c:\documents and settings\NicMelEm\Application Data\ZipGenius
2010-04-02 02:18 . 2010-04-02 02:18 89831 ----a-w- c:\documents and settings\NicMelEm\Application Data\Dropbox\bin\Uninstall.exe
2010-03-27 21:58 . 2008-01-16 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-03-27 20:55 . 2007-08-10 22:50 55608 ----a-w- c:\documents and settings\NicMelEm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-26 22:45 . 2010-03-26 22:45 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-26 22:45 . 2010-03-26 22:45 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-26 22:45 . 2010-03-26 22:45 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-26 22:45 . 2010-03-26 22:45 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-26 22:45 . 2010-03-26 22:45 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-26 22:44 . 2010-03-26 22:44 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-26 22:44 . 2010-03-26 22:44 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-26 22:44 . 2010-03-26 22:44 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-26 22:44 . 2010-03-26 22:44 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-26 22:44 . 2006-02-22 16:19 -------- d-----w- c:\program files\Common Files\Real
2010-03-26 22:44 . 2006-02-22 16:19 -------- d-----w- c:\program files\Real
2010-03-26 22:44 . 2010-03-26 22:44 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-26 02:46 . 2010-03-26 02:44 -------- d-----w- c:\documents and settings\NicMelEm\Application Data\U3
2010-03-20 21:56 . 2007-10-14 20:12 -------- d-----w- c:\program files\Sony Setup
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 17:18 . 2009-09-02 22:00 69 ----a-w- c:\documents and settings\NicMelEm\jagex_runescape_preferences2.dat
2010-02-17 16:55 . 2008-09-28 19:57 41 ----a-w- c:\documents and settings\NicMelEm\jagex_runescape_preferences.dat
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-08 00:15 . 2010-02-08 00:15 144160 ----a-w- c:\documents and settings\NicMelEm\Application Data\Move Networks\uninstall.exe
2010-02-08 00:15 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\NicMelEm\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-02-08 00:15 . 2010-02-08 00:15 1436320 ----a-w- c:\documents and settings\NicMelEm\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2007-06-09 22:30 . 2007-06-09 22:31 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-03-13 02:52 . 2009-03-13 02:52 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-03-13 02:52 . 2009-03-13 02:52 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-03-13 02:52 . 2009-03-13 02:52 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-06-18 18:16 . 2009-06-18 18:16 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-06-18 18:36 . 2009-06-18 18:36 108272 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2007-10-14 19:21 . 2007-10-14 19:21 146364 --sh--r- c:\windows\MsxwCtrl.dll
2006-03-05 03:01 . 2006-02-28 02:20 56 --sha-r- c:\windows\system32\4645E496A2.sys
2006-03-05 03:01 . 2006-02-28 02:20 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\NicMelEm\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\NicMelEm\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\NicMelEm\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-07 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-11-19 1851392]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2007-08-22 188416]
"SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2007-08-22 131072]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2007-08-22 122880]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-08-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-08-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-08-22 114688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-26 202256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2008-12-9 1783128]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2009-10-30 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mm_server.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [4/2/2006 7:00 PM 62359]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/26/2009 1:06 PM 108289]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [6/23/2004 1:13 PM 10653]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate1c9f28a33a0a246;Google Update Service (gupdate1c9f28a33a0a246);c:\program files\Google\Update\GoogleUpdate.exe [6/21/2009 11:06 AM 133104]
S3 BCORETH5;BCORETH5 NDIS Protocol Driver;\??\d:\bcoreth5.sys --> d:\BCORETH5.SYS [?]
S3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [4/2/2006 7:00 PM 4538]
S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [4/2/2006 7:00 PM 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [4/2/2006 7:00 PM 19670]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [4/2/2006 7:00 PM 111180]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [3/8/2009 8:37 PM 17920]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [12/13/2008 9:09 PM 18432]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 TunRDriverV32;TunRDriverV32;c:\windows\system32\drivers\TunRDriverV32.sys [1/18/2008 10:17 PM 513152]
S3 ZZZMPR5;ZZZMPR5 NDIS Protocol Driver;\??\d:\zzzmpr5.sys --> d:\ZZZMPR5.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-21 16:06]

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-21 16:06]

2010-05-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2124952382-2875375866-2056290513-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-05-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2124952382-2875375866-2056290513-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\NicMelEm\Application Data\Mozilla\Firefox\Profiles\hc6coxq8.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\NicMelEm\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKCU-Run-ahfhhkkr - c:\documents and settings\NicMelEm\Local Settings\Application Data\wpyefbmfh\wcafqmttssd.exe
HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
HKLM-Run-BCROReminder - c:\program files\ByteCrusher\RegistryOptimax\BCRO.exe
HKLM-Run-ahfhhkkr - c:\documents and settings\NicMelEm\Local Settings\Application Data\wpyefbmfh\wcafqmttssd.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-05-08 14:18:27
ComboFix-quarantined-files.txt 2010-05-08 19:18

Pre-Run: 2,875,793,408 bytes free
Post-Run: 3,150,905,344 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 7B6D21E2E12C8701BA702AC3A85E013A

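
An added example, not part of this thread and not ComboFix's own code: a small Python triage script that reads lines in the format of the ComboFix log posted above and flags the entries a malware-removal helper would look at first. The sample lines are constructed from that log; the indicator rules (an autorun target under a user-writable profile folder, the Security Center override flags set, the Windows Firewall policy switched off, an Internet Explorer proxy pointing at 127.0.0.1) are this example's own heuristics, not anything ComboFix itself reports or the helper stated.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines lifted from the ComboFix log
# posted above, with the paths and values as they appear there.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =

- - - - ORPHANS REMOVED - - - -
HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKCU-Run-ahfhhkkr - c:\documents and settings\NicMelEm\Local Settings\Application Data\wpyefbmfh\wcafqmttssd.exe
HKLM-Run-ahfhhkkr - c:\documents and settings\NicMelEm\Local Settings\Application Data\wpyefbmfh\wcafqmttssd.exe
"""

# Heuristic (this example's assumption): installers put executables under
# Program Files, so an autorun target under a per-user writable folder such
# as Local Settings\Application Data or Temp deserves a second look.
USER_WRITABLE = re.compile(
    r"\\documents and settings\\[^\\]+\\local settings\\(application data|temp)\\",
    re.IGNORECASE,
)
# Run-key value line as ComboFix prints it:  "name"="path" [date size]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# Orphan line as ComboFix prints it:  HKCU-Run-name - path
ORPHAN = re.compile(r"^(?P<key>HK(?:CU|LM)-Run-\S+) - (?P<path>.+)$")
# Security Center override flags: 1 silences the "no AV / no firewall" warnings
DWORD_ONE = re.compile(r'^"(?P<name>AntiVirusOverride|FirewallOverride)"=dword:0*1$')
# Firewall policy switched off in the standard profile
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
# IE proxy routed to the loopback address, i.e. through a local process
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*(?:http=)?127\.0\.0\.1:(?P<port>\d+)")

Finding = Tuple[int, str, str]   # (line number, severity, explanation)


def triage(log_text: str) -> List[Finding]:
    """Walk a ComboFix-style log and return the lines a responder should
    look at first, each with a one-line reason."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = RUN_VALUE.match(line) or ORPHAN.match(line)
        if m and USER_WRITABLE.search(m.group("path")):
            findings.append((lineno, "high",
                             f"autorun from user-writable folder: {m.group('path')}"))
            continue
        m = DWORD_ONE.match(line)
        if m:
            findings.append((lineno, "medium",
                             f"Security Center {m.group('name')}=1: warnings about a "
                             "missing or disabled AV/firewall are suppressed"))
            continue
        if FIREWALL_OFF.match(line):
            findings.append((lineno, "medium",
                             "Windows Firewall disabled in the standard profile"))
            continue
        m = LOCAL_PROXY.search(line)
        if m:
            findings.append((lineno, "high",
                             f"IE proxy points at 127.0.0.1:{m.group('port')}: browser "
                             "traffic is routed through a process on this machine"))
    return findings


def severities(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for a one-line summary."""
    counts: Dict[str, int] = {}
    for _, sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, sev, why in triage(SAMPLE_LOG):
        print(f"line {lineno:3d} [{sev:6s}] {why}")
    print(severities(triage(SAMPLE_LOG)))
```

Run it as-is to print the flagged sample lines, or pass the contents of a saved ComboFix.txt to `triage()` to apply the same rules to a full log. The proxy rule is the one to read first in this thread: a browser proxy at 127.0.0.1 means every page request passes through a process on the infected machine, which is why the CFScript later in the thread lists that ProxyServer line for removal.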

Re: xp internet security--can't run OTL etc.

Post by Dr Jay on Sat May 08, 2010 7:51 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    DirLook::
    c:\documents and settings\All Users\Application Data\avG
    c:\documents and settings\NicMelEm\Local Settings\Application Data\avG
    c:\documents and settings\LocalService\Local Settings\Application Data\avG

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]


Re: xp internet security--can't run OTL etc.

Post by nicarp1 on Sat May 08, 2010 8:46 pm

Okay, below is the log from this most recent Combofix scan.

Also, should I purchase the upgrade version of MalwareBytes or some other similar protection program, since the free Avira Antivir doesn't seem to be doing the trick? This is my second time in a couple of weeks getting this infection. Please advise.

Here's the log:

ComboFix 10-05-07.07 - NicMelEm 05/08/2010 15:27:20.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1424 [GMT -5:00]
Running from: c:\documents and settings\NicMelEm\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\NicMelEm\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-04-16 02:24 . 2010-04-16 02:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\avG
2010-04-15 18:56 . 2010-04-15 18:56 -------- d-----w- c:\documents and settings\NicMelEm\Local Settings\Application Data\avG
2010-04-15 18:56 . 2010-04-15 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 00:47 . 2008-12-22 03:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 21:55 . 2010-04-02 02:17 -------- d-----w- c:\documents and settings\NicMelEm\Application Data\Dropbox
2010-04-29 20:39 . 2008-12-22 03:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2008-12-22 03:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 19:34 . 2009-11-26 02:55 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-04-16 03:12 . 2009-07-24 02:47 -------- d-----w- c:\program files\Spyware Doctor
2010-04-16 03:11 . 2008-08-23 20:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-16 03:11 . 2009-07-24 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-15 02:45 . 2010-04-05 23:47 -------- d-----w- c:\program files\ZipGenius 6
2010-04-11 19:38 . 2006-02-22 16:27 -------- d-----w- c:\program files\Google
2010-04-07 02:03 . 2008-12-13 05:14 -------- d-----w- c:\documents and settings\NicMelEm\Application Data\uTorrent
2010-04-05 23:51 . 2010-04-05 23:48 -------- d-----w- c:\documents and settings\NicMelEm\Application Data\ZipGenius
2010-04-02 02:18 . 2010-04-02 02:18 89831 ----a-w- c:\documents and settings\NicMelEm\Application Data\Dropbox\bin\Uninstall.exe
2010-03-27 21:58 . 2008-01-16 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-03-27 20:55 . 2007-08-10 22:50 55608 ----a-w- c:\documents and settings\NicMelEm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-26 22:45 . 2010-03-26 22:45 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-26 22:45 . 2010-03-26 22:45 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-26 22:45 . 2010-03-26 22:45 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-26 22:45 . 2010-03-26 22:45 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-26 22:45 . 2010-03-26 22:45 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-26 22:44 . 2010-03-26 22:44 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-26 22:44 . 2010-03-26 22:44 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-26 22:44 . 2010-03-26 22:44 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-26 22:44 . 2010-03-26 22:44 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-26 22:44 . 2006-02-22 16:19 -------- d-----w- c:\program files\Common Files\Real
2010-03-26 22:44 . 2006-02-22 16:19 -------- d-----w- c:\program files\Real
2010-03-26 22:44 . 2010-03-26 22:44 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-26 02:46 . 2010-03-26 02:44 -------- d-----w- c:\documents and settings\NicMelEm\Application Data\U3
2010-03-20 21:56 . 2007-10-14 20:12 -------- d-----w- c:\program files\Sony Setup
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 17:18 . 2009-09-02 22:00 69 ----a-w- c:\documents and settings\NicMelEm\jagex_runescape_preferences2.dat
2010-02-17 16:55 . 2008-09-28 19:57 41 ----a-w- c:\documents and settings\NicMelEm\jagex_runescape_preferences.dat
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-08 00:15 . 2010-02-08 00:15 144160 ----a-w- c:\documents and settings\NicMelEm\Application Data\Move Networks\uninstall.exe
2010-02-08 00:15 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\NicMelEm\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-02-08 00:15 . 2010-02-08 00:15 1436320 ----a-w- c:\documents and settings\NicMelEm\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2007-06-09 22:30 . 2007-06-09 22:31 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-03-13 02:52 . 2009-03-13 02:52 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-03-13 02:52 . 2009-03-13 02:52 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-03-13 02:52 . 2009-03-13 02:52 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-06-18 18:16 . 2009-06-18 18:16 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-06-18 18:36 . 2009-06-18 18:36 108272 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2007-10-14 19:21 . 2007-10-14 19:21 146364 --sh--r- c:\windows\MsxwCtrl.dll
2006-03-05 03:01 . 2006-02-28 02:20 56 --sha-r- c:\windows\system32\4645E496A2.sys
2006-03-05 03:01 . 2006-02-28 02:20 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\avG ----


---- Directory of c:\documents and settings\LocalService\Local Settings\Application Data\avG ----


---- Directory of c:\documents and settings\NicMelEm\Local Settings\Application Data\avG ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\NicMelEm\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\NicMelEm\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\NicMelEm\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-07 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-11-19 1851392]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2007-08-22 188416]
"SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2007-08-22 131072]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2007-08-22 122880]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-08-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-08-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-08-22 114688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-26 202256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2008-12-9 1783128]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2009-10-30 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mm_server.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [4/2/2006 7:00 PM 62359]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/26/2009 1:06 PM 108289]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [6/23/2004 1:13 PM 10653]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate1c9f28a33a0a246;Google Update Service (gupdate1c9f28a33a0a246);c:\program files\Google\Update\GoogleUpdate.exe [6/21/2009 11:06 AM 133104]
S3 BCORETH5;BCORETH5 NDIS Protocol Driver;\??\d:\bcoreth5.sys --> d:\BCORETH5.SYS [?]
S3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [4/2/2006 7:00 PM 4538]
S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [4/2/2006 7:00 PM 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [4/2/2006 7:00 PM 19670]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [4/2/2006 7:00 PM 111180]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [3/8/2009 8:37 PM 17920]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [12/13/2008 9:09 PM 18432]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 TunRDriverV32;TunRDriverV32;c:\windows\system32\drivers\TunRDriverV32.sys [1/18/2008 10:17 PM 513152]
S3 ZZZMPR5;ZZZMPR5 NDIS Protocol Driver;\??\d:\zzzmpr5.sys --> d:\ZZZMPR5.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-21 16:06]

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-21 16:06]

2010-05-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2124952382-2875375866-2056290513-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-05-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2124952382-2875375866-2056290513-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\NicMelEm\Application Data\Mozilla\Firefox\Profiles\hc6coxq8.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\NicMelEm\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-08 15:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2848)
c:\windows\system32\WININET.dll
c:\documents and settings\NicMelEm\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client 2.0\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Lexicon\Omega\Driver\ASIOSysTray.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-05-08 15:43:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-08 20:43
ComboFix2.txt 2010-05-08 19:18

Pre-Run: 3,155,664,896 bytes free
Post-Run: 3,122,946,048 bytes free

- - End Of File - - 403A1916EF4E336E07EEDA07C8752ABE
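As an added example (not part of the original thread, and not ComboFix's or Dr Jay's code): a small Python triage script that scans ComboFix-style output for the indicators that show up in this thread, namely a per-user proxy pointed at 127.0.0.1 (rogue AV families use a local proxy to rewrite pages with fake infection warnings, which is why Dr Jay's CFScript clears ProxyServer and ProxyOverride), the Security Center AntiVirusOverride/FirewallOverride values set to 1, Windows Firewall switched off for the standard profile, and a system binary that ComboFix had to disinfect. The sample lines are constructed from what is visible in the posted logs and CFScript; the finding codes, regexes and function name are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample: a few lines in ComboFix's own output format, carrying the
# indicators visible in the logs and CFScript posted in this thread.
SAMPLE_COMBOFIX_LINES = r"""
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"""

# (finding code, regex); group 1 of each regex is the detail worth reporting.
# The codes and patterns are this example's own, not ComboFix's.
PATTERNS = [
    # A per-user proxy aimed at loopback: rogue AV families run a local proxy
    # to inject fake infection warnings into whatever the browser loads.
    ("loopback_proxy",
     re.compile(r"ProxyServer\s*=\s*(?:[a-z]+=)?((?:127\.0\.0\.1|localhost):\d+)", re.I)),
    # Security Center overrides suppress the "no antivirus / no firewall" alerts.
    ("security_center_override",
     re.compile(r'"(AntiVirusOverride|FirewallOverride)"\s*=\s*dword:0*1\b', re.I)),
    # Windows Firewall turned off for a profile (section header + value line).
    ("firewall_disabled",
     re.compile(r'firewallpolicy\\(\w+profile)\]\s*\n\s*"EnableFirewall"\s*=\s*0\b', re.I)),
    # ComboFix replaced a patched system binary (here Winlogon's userinit.exe).
    ("system_binary_disinfected",
     re.compile(r"Infected copy of (\S+) was found and disinfected", re.I)),
]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (code, detail) pairs for every indicator, in the order they appear."""
    hits = []
    for code, pattern in PATTERNS:
        for m in pattern.finditer(log_text):
            hits.append((m.start(), code, m.group(1)))
    hits.sort()
    return [(code, detail) for _, code, detail in hits]


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_COMBOFIX_LINES):
        print(f"{code:28} {detail}")
```

The loopback_proxy finding is the one that maps directly onto the DDS:: stanza in the CFScript above; the firewall and Security Center findings are the reason SecurityCheck still reports "Windows Firewall Disabled!" later in the thread even after the malware is gone, since ComboFix removes the infection but does not re-enable the firewall for you.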


Re: xp internet security--can't run OTL etc.

Post by Dr Jay on Sun May 09, 2010 2:29 am

Yes. You can get the upgrade for MBAM, to pair with Avira Free. That should help things quite a bit.

Please open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.




Re: xp internet security--can't run OTL etc.

Post by nicarp1 on Sun May 09, 2010 5:08 pm

So it's okay to run the purchased MBAM and Avira Free both? I'd heard that you should never have more than one such program at a time. But you're the expert. And whatever it takes to keep this stuff away...

The quick scan with MBAM said there were no malicious objects. Below is the log.



Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4083

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/9/2010 12:05:00 PM
mbam-log-2010-05-09 (12-05-00).txt

Scan type: Quick scan
Objects scanned: 123277
Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: xp internet security--can't run OTL etc.

Post by Dr Jay on Sun May 09, 2010 5:48 pm

Antivirus realtime protection and anti-malware realtime protection are two different things.

Malwarebytes' Anti-Malware is not an antivirus. So, in this case, MBAM's realtime protection shall not interfere with any other realtime protection.




Please run a free online scan with the [You must be registered and logged in to see this link.]
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic




Re: xp internet security--can't run OTL etc.

Post by nicarp1 on Mon May 10, 2010 4:34 am

Thanks for the advice on MBAM/Avira. Here's the ESET log:



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=563acdb93587f74ea228a3419d02566d
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-10 04:24:33
# local_time=2010-05-09 11:24:33 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 42617893 42617893 0 0
# compatibility_mode=1797 16775141 100 100 97940 47399781 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=198890
# found=2
# cleaned=2
# scan_time=11859
C:\Documents and Settings\NicMelEm\Application Data\Sun\Java\Deployment\cache\6.0\57\36d3f0f9-7f062661 probably a variant of Java/TrojanDownloader.Agent.AB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\NicMelEm\Local Settings\Application Data\wpyefbmfh\wcafqmttssd.exe.vir a variant of Win32/Kryptik.EDN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
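An added example (not part of the original thread and not ESET's code) that reads an ESET Online Scanner log of the shape posted above and separates the two kinds of hit it contains. One detection sits under C:\Qoobox\Quarantine with a .vir extension, which is where ComboFix moves what it removes, so that file was already contained by the earlier ComboFix run and is not evidence of a live infection. The other sits in the Java deployment cache, which points at a drive-by Java downloader as the entry route rather than something the user ran, and fits the two out-of-date Java versions SecurityCheck reports further down. The sample log is constructed from the header and detection lines visible in the post; the detection-line regex, the quarantine-path convention and the function name are this example's assumptions, and lines that do not match are collected as unparsed rather than silently dropped.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the ESET Online Scanner log posted above
# (header lines trimmed; detection lines as shown in the thread).
SAMPLE_ESET_LOG = r"""# version=7
# end=finished
# remove_checked=true
# archives_checked=false
# scanned=198890
# found=2
# cleaned=2
C:\Documents and Settings\NicMelEm\Application Data\Sun\Java\Deployment\cache\6.0\57\36d3f0f9-7f062661 probably a variant of Java/TrojanDownloader.Agent.AB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\NicMelEm\Local Settings\Application Data\wpyefbmfh\wcafqmttssd.exe.vir a variant of Win32/Kryptik.EDN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

HEADER = re.compile(r"^#\s*(\w+)=(.*)$")
# Assumed detection-line shape (it matches the two lines in the thread):
#   <path> [probably ]a variant of <family> <type> (<action>) <md5> <flag>
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:probably )?a variant of (?P<family>\S+) \S+\s+"
    r"\((?P<action>[^()]+)\)\s+(?P<md5>[0-9a-fA-F]{32})\s+\S+\s*$"
)
# ComboFix moves what it removes to C:\Qoobox\Quarantine and appends .vir.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"
JAVA_CACHE_MARKER = "\\java\\deployment\\cache\\"


def summarize_eset_log(text: str) -> Dict[str, object]:
    """Split ESET detections into live hits and hits already sitting in quarantine."""
    counts = {"scanned": 0, "found": 0, "cleaned": 0}
    live: List[Dict[str, object]] = []
    contained: List[Dict[str, object]] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        h = HEADER.match(line)
        if h:
            key, value = h.groups()
            if key in counts and value.isdigit():
                counts[key] = int(value)
            continue
        m = DETECTION.match(line)
        if not m:
            unparsed.append(line)
            continue
        path = m.group("path")
        low = path.lower()
        hit = {
            "path": path,
            "family": m.group("family"),
            "action": m.group("action"),
            # A downloader in the Java deployment cache means the browser's
            # Java plugin was the entry point, not a file the user ran.
            "java_cache": JAVA_CACHE_MARKER in low,
            "combofix_vir": low.endswith(".vir"),
        }
        if low.startswith(QUARANTINE_PREFIX):
            contained.append(hit)
        else:
            live.append(hit)
    return {**counts, "live": live, "already_quarantined": contained, "unparsed": unparsed}


if __name__ == "__main__":
    s = summarize_eset_log(SAMPLE_ESET_LOG)
    print(f"scanned={s['scanned']} found={s['found']} cleaned={s['cleaned']}")
    for hit in s["live"]:
        print("LIVE     ", hit["family"], hit["path"])
    for hit in s["already_quarantined"]:
        print("CONTAINED", hit["family"], hit["path"])
```

Counting only the "live" bucket is what tells you whether the earlier cleanup missed something; the Qoobox hit is just ESET re-scanning ComboFix's quarantine, which the OTC cleanup step later in the thread deletes anyway.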


Re: xp internet security--can't run OTL etc.

Post by Dr Jay on Mon May 10, 2010 3:22 pm

Now, to get you off to a good start, we will clean your restore points so that all the bad stuff is gone for good. Then, if you need to restore at some stage, you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculations and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the warning and select OK again; the program will close and you are done


To remove all of the tools we used and the files and folders they created, please do the following:
Please download [You must be registered and logged in to see this link.] by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Dr Jay
Administrator
Administrator

Status :
Online
Offline

Posts : 13706
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Points : 144830
# Likes : 10

View user profile

Back to top Go down

Re: xp internet security--can't run OTL etc.

Post by nicarp1 on Tue May 11, 2010 2:38 am

Thanks. Here's that log from SecurityCheck:



Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Adobe After Effects CS3 Presets
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 14
Java(TM) 6 Update 3
Out of date Java installed!
Adobe Flash Player 10.0.45.2
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
Mozilla Firefox (Firefox, Opera, Netscape only..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


Re: xp internet security--can't run OTL etc.

Post by Dr Jay on Tue May 11, 2010 3:06 am

Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs and other holes. To update it now, click Help > Check for Updates.

==========================

Please download the newest version of Adobe Acrobat Reader from [You must be registered and logged in to see this link.]

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

===========================

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

  • [You must be registered and logged in to see this link.]: the free version is just as good as the premium. I have linked you to the free version.
  • [You must be registered and logged in to see this link.]: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40%. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • [You must be registered and logged in to see this link.]: free and excellent firewall.


AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


See [You must be registered and logged in to see this link.] for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?


Dr. Jay (DJ)


Re: xp internet security--can't run OTL etc.

Post by nicarp1 on Tue May 11, 2010 3:14 pm

No more questions--

Thank you so much for all your thorough and patient help!

I will review your recommendations.

Thanks again--you're a lifesaver--


Re: xp internet security--can't run OTL etc.

Post by Dr Jay on Tue May 11, 2010 6:02 pm

You're welcome.


Dr. Jay (DJ)
