Trojan - Mebroot

Hi there

My husband ran a Symantec virus scan and discovered we have a Trojan - Mebroot virus. The removal instructions tell us to restart the computer using the Windows Recovery Console.

I cannot get this to work, maybe it's not on our computer.

Please help me discover if this is indeed what I have and help me to fix it.

Thank you so much.

Comments

  • gringo_pr Puerto Rico
    edited January 2010
    Hello and Welcome to the forums!

    My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

    Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

    Because of this, I advise you to backup any personal files and folders before you start.

    Some things to remember while we are working together.
      1. Please do not run any other tool until instructed to do so!
      2. Please reply to this thread, do not start another!
      3. Please tell me about any problems that have occurred during the fix.
      4. Please tell me of any other symptoms you may be having as these can help also.
      5. Please try as much as possible not to run anything while executing a fix.


      If you follow these instructions, everything should go smoothly.

      I would like to get a better look at your system. Please do the following so I can get some more detailed logs.

      Download DDS

      Please download DDS by sUBs from one of the links below and save it to your desktop:

      Download DDS and save it to your desktop

      Link1
      Link2
      Link3

      Please disable any anti-malware program that will block scripts from running before running DDS.
      • Double-Click on dds.scr and a command window will appear. This is normal.
      • Shortly after two logs will appear:
        • DDS.txt
        • Attach.txt
      • A window will open instructing you to save & post the logs
      • Save the logs to a convenient place such as your desktop
      • Copy the contents of both logs & post in your next reply

      GMER:

      Download GMER Rootkit Scanner from here or here.
      • Extract the contents of the zipped file to desktop.
      • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
      • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.
      • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
        • Sections
        • IAT/EAT
        • Drives/Partition other than Systemdrive (typically C:\)
        • Show All (don't miss this one)
      • Then click the Scan button & wait for it to finish.
      • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
      Save it where you can easily find it, such as your desktop

      **Caution**
      Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

      :information and logs:

        In your next post I need the following
        1. logs from DDS
        2. log from GMER


      Gringo
    • edited January 2010


        DDS (Ver_09-12-01.01) - NTFSx86
        Run by OwnerM at 19:56:52.60 on Wed 01/06/2010
        Internet Explorer: 6.0.2900.5512
        Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.163 [GMT -5:00]

        AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

        ============== Running Processes ===============

        C:\WINDOWS\system32\svchost -k DcomLaunch
        svchost.exe
        C:\WINDOWS\System32\svchost.exe -k netsvcs
        svchost.exe
        svchost.exe
        C:\Program Files\AVG\AVG9\avgchsvx.exe
        C:\Program Files\AVG\AVG9\avgrsx.exe
        C:\Program Files\AVG\AVG9\avgcsrvx.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
        C:\Program Files\AVG\AVG9\avgwdsvc.exe
        C:\Program Files\Ahead\InCD\InCDsrv.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\WINDOWS\System32\svchost.exe -k imgsvc
        C:\Program Files\AVG\AVG9\avgam.exe
        C:\Program Files\AVG\AVG9\avgnsx.exe
        C:\Program Files\AVG\AVG9\avgcsrvx.exe
        C:\WINDOWS\system32\wscntfy.exe
        C:\WINDOWS\Explorer.EXE
        C:\PROGRA~1\AVG\AVG9\avgtray.exe
        C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Documents and Settings\OwnerM\Desktop\dds.scr

        ============== Pseudo HJT Report ===============

        uStart Page = hxxp://ca.my.yahoo.com/
        mStart Page = hxxp://www.my.yahoo.com
        BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
        BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
        BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
        BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
        BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
        BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
        BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
        mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
        IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
        IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
        IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
        DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
        DPF: YExplorer1_8US.CAB - hxxp://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
        DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
        DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
        DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A}
        DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
        DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
        DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
        DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
        DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
        DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230081491067
        DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
        DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230081458786
        DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://pix.futureshop.ca/en/ImageUploader4.cab
        DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.ca/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
        DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
        DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
        DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
        DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37943.562662037
        DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
        DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
        DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
        DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
        DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
        Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
        Notify: avgrsstarter - avgrsstx.dll
        Notify: igfxcui - igfxsrvc.dll
        SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

        ============= SERVICES / DRIVERS ===============

        R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-1-5 25608]
        R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-5 161800]
        R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-18 333192]
        R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-1-21 28424]
        R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-5 360584]
        R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-5 285392]
        R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-1-5 5832712]
        R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-1-5 122376]
        R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-1-5 30216]
        R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-1-5 25736]
        S3 471119fe-c054-4812-aff2-6d099777d163;471119fe-c054-4812-aff2-6d099777d163;\??\d:\cds300\cds300.dll --> d:\cds300\cds300.dll [?]

        ============== File Associations ===============

        VBSFile="c:\program files\uniblue\spyeraser\spyeraser.exe" "%1" .vb1

        =============== Created Last 30 ================


        ==================== Find3M ====================

        2010-01-05 22:05:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll
        2010-01-05 22:05:39 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
        2004-01-08 00:48:47 71 --sha-w- c:\windows\system32\SYSDRVREB.SYS

        ============= FINISH: 19:58:21.10 ===============

        GMER 1.0.15.15281 - http://www.gmer.net
        Rootkit quick scan 2010-01-06 20:04:44
        Windows 5.1.2600 Service Pack 3
        Running: gmer.exe; Driver: C:\DOCUME~1\OwnerM\LOCALS~1\Temp\fwtdqpob.sys


        ---- Devices - GMER 1.0.15 ----

        AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
        AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
        AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
        AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
        AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
        AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
        AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

        ---- EOF - GMER 1.0.15 ----
      • gringo_pr Puerto Rico
        edited January 2010
        Hello Marj14

        When I had you run DDS, it made two reports. I need the one called Attach - if need be, rerun the scan and send me just that part - thanks

        : Malwarebytes' Anti-Malware :
        Please download Malwarebytes' Anti-Malware to your desktop.

        • Double-click mbam-setup.exe and follow the prompts to install the program.
        • At the end, be sure a checkmark is placed next to
          • Update Malwarebytes' Anti-Malware
          • and Launch Malwarebytes' Anti-Malware
        • then click Finish.
        • If an update is found, it will download and install the latest version.
        • Once the program has loaded, select Perform quick scan, then click Scan.
        • When the scan is complete, click OK, then Show Results to view the results.
        • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
        • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
          • If you accidentally close it, the log file is saved here and will be named like this:
          • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


        Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
        Click OK to either and let MBAM proceed with the disinfection process.
        If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



        :Kaspersky scan:
        Please go to the Kaspersky website and perform an online antivirus scan.
        • Read through the requirements and privacy statement and click on the Accept button.
        • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
        • When the downloads have finished, click on Settings.
        • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
            Spyware, Adware, Dialers, and other potentially dangerous programs
            Archives
            Mail databases
        • Click on My Computer under Scan.
        • Once the scan is complete, it will display the results. Click on View Scan Report.
        • You will see a list of infected items there. Click on Save Report As....
        • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
        • Please post this log in your next reply.


          :information and logs:

            In your next post I need the following
          1. attached report from DDS
          2. log from MBAM
          3. log from kaspersky
          4. let me know of any problems you may have had
          5. How is the computer doing now?


          Gringo
        • edited January 2010
          UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
          IF REQUESTED, ZIP IT UP & ATTACH IT

          DDS (Ver_09-12-01.01)

          Microsoft Windows XP Home Edition
          Boot Device: \Device\HarddiskVolume1
          Install Date: 12/28/2003 3:43:56 AM
          System Uptime: 1/6/2010 6:10:05 PM (1 hours ago)

          Motherboard: Intel Corporation | | D845GVSR
          Processor: Intel(R) Celeron(R) CPU 2.40GHz | X1 | 2399/100mhz

          ==== Disk Partitions =========================

          A: is Removable
          C: is FIXED (NTFS) - 75 GiB total, 15.899 GiB free.
          D: is CDROM (CDFS)

          ==== Disabled Device Manager Items =============

          ==== System Restore Points ===================

          RP913: 10/8/2009 8:34:24 PM - System Checkpoint
          RP914: 10/9/2009 12:04:34 PM - System Checkpoint
          RP915: 10/10/2009 12:48:01 PM - System Checkpoint
          RP916: 10/11/2009 2:12:13 PM - System Checkpoint
          RP917: 10/12/2009 3:04:47 PM - System Checkpoint
          RP918: 10/13/2009 7:28:18 PM - System Checkpoint
          RP919: 10/14/2009 7:38:31 PM - System Checkpoint
          RP920: 10/15/2009 8:03:31 PM - System Checkpoint
          RP921: 10/17/2009 11:56:03 PM - System Checkpoint
          RP922: 10/19/2009 4:32:57 PM - System Checkpoint
          RP923: 10/20/2009 7:45:19 PM - System Checkpoint
          RP924: 10/21/2009 9:24:06 PM - System Checkpoint
          RP925: 10/23/2009 7:03:02 PM - System Checkpoint
          RP926: 10/24/2009 9:22:48 AM - Avg8 Update
          RP927: 10/25/2009 11:32:38 AM - System Checkpoint
          RP928: 10/26/2009 12:16:06 PM - System Checkpoint
          RP929: 10/27/2009 1:02:13 PM - System Checkpoint
          RP930: 10/27/2009 6:55:13 PM - Restore Operation
          RP931: 10/27/2009 10:03:29 PM - Restore Operation
          RP932: 10/30/2009 7:24:51 PM - System Checkpoint
          RP933: 10/31/2009 8:41:42 PM - System Checkpoint
          RP934: 11/1/2009 4:13:19 PM - Installed Windows XP KB932716-v2.
          RP935: 11/1/2009 4:14:38 PM - Installed Windows XP KB945060-v3.
          RP936: 11/2/2009 7:46:22 PM - System Checkpoint
          RP937: 11/3/2009 7:56:05 PM - System Checkpoint
          RP938: 11/4/2009 7:59:41 PM - System Checkpoint
          RP939: 11/6/2009 8:12:51 PM - System Checkpoint
          RP940: 11/7/2009 8:45:56 PM - System Checkpoint
          RP941: 11/9/2009 5:59:33 PM - System Checkpoint
          RP942: 11/10/2009 7:18:48 PM - System Checkpoint
          RP943: 11/11/2009 7:34:52 PM - System Checkpoint
          RP944: 11/12/2009 9:13:09 PM - System Checkpoint
          RP945: 11/13/2009 10:06:32 PM - System Checkpoint
          RP946: 11/15/2009 10:55:30 AM - System Checkpoint
          RP947: 11/16/2009 9:20:35 AM - Avg8 Update
          RP948: 11/17/2009 7:36:28 PM - System Checkpoint
          RP949: 11/18/2009 8:02:28 PM - System Checkpoint
          RP950: 11/19/2009 8:15:28 PM - System Checkpoint
          RP951: 11/20/2009 8:33:46 PM - System Checkpoint
          RP952: 11/21/2009 8:54:51 PM - System Checkpoint
          RP953: 11/22/2009 9:10:21 PM - System Checkpoint
          RP954: 11/23/2009 11:59:19 PM - System Checkpoint
          RP955: 11/25/2009 5:20:05 PM - System Checkpoint
          RP956: 11/26/2009 7:07:01 PM - System Checkpoint
          RP957: 11/27/2009 8:00:34 PM - System Checkpoint
          RP958: 11/28/2009 8:25:52 PM - System Checkpoint
          RP959: 11/29/2009 9:15:44 PM - System Checkpoint
          RP960: 11/30/2009 9:32:47 PM - System Checkpoint
          RP961: 12/2/2009 11:27:40 PM - System Checkpoint
          RP962: 12/4/2009 5:21:56 PM - System Checkpoint
          RP963: 12/6/2009 1:32:09 AM - System Checkpoint
          RP964: 12/8/2009 7:17:10 PM - System Checkpoint
          RP965: 12/9/2009 8:10:12 PM - System Checkpoint
          RP966: 12/10/2009 8:17:07 PM - System Checkpoint
          RP967: 12/11/2009 10:53:38 PM - System Checkpoint
          RP968: 12/12/2009 9:50:18 AM - Avg8 Update
          RP969: 12/12/2009 9:51:48 AM - Avg8 Update
          RP970: 12/13/2009 12:20:08 PM - System Checkpoint
          RP971: 12/14/2009 7:21:49 PM - System Checkpoint
          RP972: 12/15/2009 10:49:58 PM - System Checkpoint
          RP973: 12/17/2009 7:29:36 PM - System Checkpoint
          RP974: 12/18/2009 11:45:19 PM - System Checkpoint
          RP975: 12/20/2009 11:41:44 AM - System Checkpoint
          RP976: 12/21/2009 5:39:25 PM - System Checkpoint
          RP977: 12/22/2009 6:00:26 PM - System Checkpoint
          RP978: 12/23/2009 7:37:05 PM - System Checkpoint
          RP979: 12/24/2009 9:16:27 AM - Avg8 Update
          RP980: 12/25/2009 1:56:53 PM - System Checkpoint
          RP981: 12/27/2009 7:07:13 PM - System Checkpoint
          RP982: 12/28/2009 7:12:55 PM - System Checkpoint
          RP983: 12/29/2009 10:05:18 PM - System Checkpoint
          RP984: 12/31/2009 10:30:31 PM - System Checkpoint
          RP985: 1/1/2010 8:59:11 AM - Avg8 Update
          RP986: 1/2/2010 1:10:24 PM - System Checkpoint
          RP987: 1/3/2010 2:10:15 PM - System Checkpoint
          RP988: 1/4/2010 8:37:48 PM - System Checkpoint
          RP989: 1/5/2010 9:22:14 AM - Avg8 Update
          RP990: 1/5/2010 5:04:21 PM - Installed AVG 9.0

          ==== Installed Programs ======================

          Acrobat.com
          Adobe AIR
          Adobe Flash Player 10 ActiveX
          Adobe Reader 9
          Adobe Shockwave Player 11
          Ahead InCD
          Ahead NeroMediaPlayer
          Apple Software Update
          AutoUpdate
          AVG 9.0
          CCScore
          Choice Guard
          CreataCard Plus 2
          DivX
          eMule
          ESSBrwr
          ESSCDBK
          ESScore
          ESSgui
          ESSini
          ESSPCD
          ESSTOOLS
          essvatgt
          Filzip 3.01
          Google Video Uploader
          Greetings Workshop
          HighMAT Extension to Microsoft Windows XP CD Writing Wizard
          Hotfix for Windows XP (KB932716-v2)
          Hotfix for Windows XP (KB945060-v3)
          Intel Application Accelerator
          Intel(R) Extreme Graphics Driver Software
          Intel(R) PRO Network Adapters and Drivers
          Intel(R) PROSet
          Internet Explorer Q903235
          Java(TM) 6 Update 16
          Java(TM) SE Runtime Environment 6
          Kazaa Lite K++ v2.4.3
          KODAK EASYSHARE Gallery Upload ActiveX Control
          Kodak EasyShare software
          KODAK Gallery Upload Software
          Macromedia Shockwave Player
          Microsoft .NET Framework 1.1
          Microsoft .NET Framework 1.1 Hotfix (KB886903)
          Microsoft .NET Framework 2.0
          Microsoft Application Error Reporting
          Microsoft Compression Client Pack 1.0 for Windows XP
          Microsoft Data Access Components KB870669
          Microsoft Encarta Encyclopedia Standard 2004
          Microsoft Excel 97
          Microsoft Money 2004
          Microsoft Money 2004 System Pack
          Microsoft Picture It! Photo Premium 9
          Microsoft User-Mode Driver Framework Feature Pack 1.0
          Microsoft Visual C++ 2005 Redistributable
          Microsoft Windows Journal Viewer
          Microsoft Word 97
          Microsoft Works
          Microsoft Works 2004 Setup Launcher
          Microsoft Works Suite Add-in for Microsoft Word
          Mp3 To Wave Converter 1.19
          MSVCRT
          MSXML 4.0 SP2 (KB927978)
          MUSICMATCH® Jukebox
          Nero - Burning Rom
          netbrdg
          OfotoXMI
          PowerDVD
          QuickTime
          Realtek AC'97 Audio
          Security Update for Windows Media Player (KB911564)
          Security Update for Windows Media Player 10 (KB911565)
          Security Update for Windows Media Player 10 (KB917734)
          Security Update for Windows Media Player 6.4 (KB925398)
          Security Update for Windows XP (KB923689)
          Security Update for Windows XP (KB958215)
          Security Update for Windows XP (KB960714)
          Segoe UI
          SFR
          SHASTA
          skin0001
          SKINXSDK
          Spybot - Search & Destroy
          staticcr
          SWF Opener
          Total Video Converter 3.11 070908
          Tweak UI
          VBA (2627.01)
          VideoLAN VLC media player 0.7.0
          VPRINTOL
          WebFldrs XP
          Windows Genuine Advantage Notifications (KB905474)
          Windows Genuine Advantage v1.3.0254.0
          Windows Genuine Advantage Validation Tool (KB892130)
          Windows Imaging Component
          Windows Live Call
          Windows Live Communications Platform
          Windows Live Essentials
          Windows Live Messenger
          Windows Media Format 11 runtime
          Windows Media Player 11
          Windows XP Service Pack 3
          WIRELESS
          Yahoo! Install Manager

          ==== Event Viewer Messages From Past Week ========

          1/6/2010 6:05:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
          1/6/2010 6:05:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
          1/6/2010 6:05:49 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
          1/6/2010 6:05:49 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
          1/6/2010 6:05:49 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
          1/6/2010 6:05:49 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
          1/6/2010 6:05:02 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
          1/6/2010 6:05:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
          1/3/2010 1:01:04 PM, error: System Error [1003] - Error code 10000050, parameter1 ff5ea098, parameter2 00000001, parameter3 ff6aa7da, parameter4 00000000.
          1/1/2010 9:47:03 AM, error: Service Control Manager [7031] - The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
          1/1/2010 9:01:42 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg8wd service.

          ==== End Of File ===========================

          Malwarebytes' Anti-Malware 1.43
          Database version: 3506
          Windows 5.1.2600 Service Pack 3
          Internet Explorer 6.0.2900.5512

          1/6/2010 10:03:47 PM
          mbam-log-2010-01-06 (22-03-47).txt

          Scan type: Quick Scan
          Objects scanned: 142328
          Time elapsed: 19 minute(s), 26 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 0
          Folders Infected: 0
          Files Infected: 0

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          (No malicious items detected)


          KASPERSKY ONLINE SCANNER 7.0: scan report
          Thursday, January 7, 2010
          Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
          Kaspersky Online Scanner version: 7.0.26.13
          Last database update: Thursday, January 07, 2010 03:23:04
          Records in database: 3331930

          Scan settings:
          scan using the following database: extended
          Scan archives: yes
          Scan e-mail databases: yes

          Scan area - My Computer:
          A:\
          C:\
          D:\

          Scan statistics:
          Objects scanned: 81817
          Threats found: 0
          Infected objects found: 0
          Suspicious objects found: 0
          Scan duration: 03:06:07

          No threats found. Scanned area is clean.

          Selected area has been scanned.


          Well, those 2 scans say there are no problems. There is something wrong, though.

          While I was working on these, the AVG logo in my taskbar appeared twice; it's never done that before. The Java logo also appeared, and I was not using anything that needed it to. Also, when I started the K scan, the program had a Windows error and shut down. I had to start it over. When my K scan was done, it also gave me the message to go to the virus encyclopedia to disable my pop-up blocker. Could the pop-up blocker have stopped results from coming through?
        • gringo_prgringo_pr Puerto Rico
          edited January 2010
          Hello

          :P2P Warning!:
            IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

            eMule
            Kazaa Lite


            Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
            Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

            I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

            Please read these short reports on the dangers of peer-2-peer programs and file sharing.
              Cyber Education Letter
              File sharing infects 500,000 computers
              USAToday


              I would recommend that you uninstall eMule and Kazaa Lite; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

              If you wish to keep it, please do not use it until your computer is cleaned.


              uninstall some programs
                1. click on start
                2. then go to settings
                3. after that you need control panel
                4. look for the icon add/remove programs
                click on the following programs

                Java(TM) SE Runtime Environment 6


                and click on remove


                Your Java is out of date.

                It can be updated by the Java control panel
                • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
                • An update should begin;
                • follow the prompts.

                Please download mbr.exe from here to your desktop.

                Open NOTEPAD and copy/paste the text in the quotebox below into it:
                @echo off
                mbr.exe -t
                start mbr.log
                del %0
                

                Save this as fix.bat Choose to "Save type as - All Files"
                It should look like this: bat_icon.gif
                Place fix.bat next to mbr.exe & then double click to run it. A log file should open.

                Post the contents of that log in reply.

                gringo
              • edited January 2010
                Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

                device: opened successfully
                user: MBR read successfully
                called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xFFBAA908]<<
                kernel: MBR read successfully
                detected MBR rootkit hooks:
                \Driver\ACPI -> 0xffbaa908
                NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0xff743220
                Warning: possible MBR rootkit infection !
                copy of MBR has been found in sector 0x0950E4C1
                malicious code @ sector 0x0950E4C4 !
                PE file found in sector at 0x0950E4DA !
                MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
              • gringo_prgringo_pr Puerto Rico
                edited January 2010
                Open NOTEPAD and copy/paste the text in the quotebox below into it:
                @echo off
                mbr.exe -f
                start mbr.log
                del %0
                

                Save this as fix1.bat Choose to "Save type as - All Files"
                It should look like this: bat_icon.gif
                Place fix1.bat next to mbr.exe & then double click to run it. A log file should open.

                Post the contents of that log in reply.
              • edited January 2010
                Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

                device: opened successfully
                user: MBR read successfully
                kernel: MBR read successfully
                detected MBR rootkit hooks:
                \Driver\ACPI -> 0xffbaa908
                NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0xff743220
                Warning: possible MBR rootkit infection !
                copy of MBR has been found in sector 0x0950E4C1
                malicious code @ sector 0x0950E4C4 !
                PE file found in sector at 0x0950E4DA !
                MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
                original MBR restored successfully !
              • gringo_prgringo_pr Puerto Rico
                edited January 2010
                I would like you to do this one again to verify that it was fixed.

                Open NOTEPAD and copy/paste the text in the quotebox below into it:
                @echo off
                mbr.exe -t
                start mbr.log
                del %0
                

                Save this as fix.bat Choose to "Save type as - All Files"
                It should look like this: bat_icon.gif
                Place fix.bat next to mbr.exe & then double click to run it. A log file should open.

                Post the contents of that log in reply.

                gringo
              • edited January 2010
                Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

                device: opened successfully
                user: MBR read successfully
                called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sdcplh.sys IdeChnDr.sys
                kernel: MBR read successfully
                user & kernel MBR OK
                copy of MBR has been found in sector 0x0950E4C1
                malicious code @ sector 0x0950E4C4 !
                PE file found in sector at 0x0950E4DA !
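                The three mbr.exe reports above show the whole arc of this case: live rootkit hooks, the original MBR being put back by "mbr.exe -f", and finally a clean MBR with the stored MBR copy and payload sectors still sitting outside any partition. As an added example (not part of this thread and not GMER's code), here is a Python triage script that parses those three reports and assigns each a verdict; it assumes 512-byte sectors and uses the reports exactly as pasted above as its constructed input.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

SECTOR_SIZE = 512  # assumption: 512-byte sectors, standard for disks of this era

# Constructed input: the first mbr.exe report pasted in this thread, verbatim.
REPORT_BEFORE_FIX = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xFFBAA908]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\ACPI -> 0xffbaa908
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0xff743220
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""
# The "-f" run in the thread differs from the first report in exactly two lines:
# no "called modules" line, and a trailing "original MBR restored successfully !".
REPORT_AFTER_FIX = REPORT_BEFORE_FIX.replace(
    "called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xFFBAA908]<<\n", ""
) + "original MBR restored successfully !\n"
# The verification run after the fix, verbatim from the thread.
REPORT_VERIFY = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sdcplh.sys IdeChnDr.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
"""

SECTOR_RE = re.compile(r"sector(?: at)? (0x[0-9A-Fa-f]+)")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class MbrTriage:
    mbr_ok: bool = False                  # "user & kernel MBR OK" seen
    restored: bool = False                # "mbr.exe -f" rewrote the original MBR
    unknown_module: Optional[str] = None  # unnamed code in the disk I/O call chain
    hooks: List[str] = field(default_factory=list)          # live kernel hooks
    residual_sectors: List[int] = field(default_factory=list)  # MBR copy / payload

    @property
    def verdict(self) -> str:
        if self.restored:          # a fix ran; only a fresh "-t" scan can confirm it
            return "MBR_RESTORED_REBOOT_AND_RESCAN"
        if self.hooks or self.unknown_module:
            return "ACTIVE_MBR_ROOTKIT"
        if self.mbr_ok and self.residual_sectors:
            # MBR is clean, so the stored copy and payload are inert, but they are
            # still on disk outside any partition and worth wiping or imaging.
            return "MBR_CLEAN_PAYLOAD_SECTORS_REMAIN"
        if self.mbr_ok:
            return "CLEAN"
        return "INCONCLUSIVE"


def parse_mbr_report(text: str) -> MbrTriage:
    """Reduce an mbr.exe report to the facts that decide the verdict."""
    t = MbrTriage()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            m = UNKNOWN_RE.search(line)
            t.unknown_module = m.group(1) if m else None
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True      # following "X -> addr" lines are the hook list
            continue
        elif in_hooks and " -> " in line:
            t.hooks.append(line)
            continue
        elif line == "user & kernel MBR OK":
            t.mbr_ok = True
        elif line.startswith("original MBR restored successfully"):
            t.restored = True
        in_hooks = False
        m = SECTOR_RE.search(line)
        if m:
            t.residual_sectors.append(int(m.group(1), 16))
    return t


def sector_byte_offset(sector: int) -> int:
    """Byte offset of a sector, for carving it out of a raw disk image."""
    return sector * SECTOR_SIZE


if __name__ == "__main__":
    for name, rep in (("before -f", REPORT_BEFORE_FIX), ("after -f", REPORT_AFTER_FIX),
                      ("verify", REPORT_VERIFY)):
        t = parse_mbr_report(rep)
        print(f"{name:>9}: {t.verdict}  hooks={len(t.hooks)}  "
              f"sectors={[hex(s) for s in t.residual_sectors]}")
```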
              • gringo_prgringo_pr Puerto Rico
                edited January 2010
                :run combofix:
                  Please visit this webpage for download links, and instructions for running the tool:
                http://www.bleepingcomputer.com/combofix/how-to-use-combofix

                Please ensure you read this guide carefully and install the Recovery Console first.

                The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
                This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
                It is a simple procedure that will only take a few moments of your time.


                Once installed, you should see a blue screen prompt that says:
                  The Recovery Console was successfully installed.

                  Please continue as follows:
                  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
                  • Click Yes to allow ComboFix to continue scanning for malware.

                  When the tool is finished, it will produce a report for you.

                  Please include the report in your next post:

                  C:\ComboFix.txt
                • edited January 2010
                  I was following the steps, I got to the activate ComboFix one. I hit run, and instead of the ComboFix screen coming up I got an AVG message (I couldn't disable it) saying we have detected malware, quarantine or allow it. Three different times. c\32788r22fwjfw\n.pf
                  c\32788r22fwjf\explore.exe and c\32788r22fwjfw\nircmd.cfxxe.

                  I quarantined them, then another one came up pointing to the combo fix app you had me put on the desktop. So I said quarantine that too.

                  Did I screw up?
                • gringo_prgringo_pr Puerto Rico
                  edited January 2010
                  Run ComboFix; if you need the Recovery Console, it will download.

                  gringo
                • edited January 2010
                  You're too quick, check my edit please as I saw that as I was reading the guide.
                • gringo_prgringo_pr Puerto Rico
                  edited January 2010
                  Please allow this to download if your AV complains. Please allow it; all the tools I ask you to download are free of viruses.
                  I got an AVG message (I couldn't disable it)

                  To disable the Resident Shield, please:
                  • Open AVG User Interface.
                  • Double-click on the Resident Shield.
                  • Un-tick the option Resident Shield active.
                • edited January 2010
                  Combo fix has been running since noon EST yesterday, it's still on the "preparing log" stage. Is this normal? It was 7:30 EST when I last checked before leaving for work.
                • gringo_prgringo_pr Puerto Rico
                  edited January 2010
                  Hello Marj14

                  No, that is not normal. Please close it.

                  combofix report

                  I would like to see if it made a report
                  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
                  • please copy and paste the following into the box
                  C:\ComboFix.txt
                  
                  • click ok
                  • copy and paste the report into this topic for me to review

                  If you see the report, please post it. If no report opens, please let me know so I can make some adjustments.



                  Gringo
                • edited January 2010
                  As soon as I get home 6p.m. ish I will check out the situation and post.
                • gringo_prgringo_pr Puerto Rico
                  edited January 2010
                  Don't worry, I will be online till about 12 AM EST.
                • edited January 2010
                  ComboFix 10-01-04.01 - OwnerM 01/10/2010 12:46:55.1.1 - x86
                  Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.291 [GMT -5:00]
                  Running from: C:\Documents and Settings\OwnerM\Desktop\ComboFix.exe
                  AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                  .

                  ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  C:\Images
                  C:\RECYCLER\S-1-5-21-3928787509-3924064129-568730901-1012
                  C:\WINDOWS\BackUp
                  C:\WINDOWS\BackUp\S\50608000.DAT
                  C:\WINDOWS\BackUp\S\50816000.DAT
                  C:\WINDOWS\BackUp\TB040522.DAT
                  C:\WINDOWS\patch.exe
                  C:\WINDOWS\system32\Thumbs.db

                  .
                  ((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
                  .

                  2010-01-08 23:45:57 . 2010-01-08 23:45:57 152576 ----a-w- C:\Documents and Settings\OwnerM\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
                  2010-01-08 23:45:46 . 2010-01-08 23:45:46 79488 ----a-w- C:\Documents and Settings\OwnerM\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
                  2010-01-07 02:42:55 . 2010-01-07 02:42:55 d-----w- C:\Documents and Settings\OwnerM\Application Data\Malwarebytes
                  2010-01-07 02:42:43 . 2009-12-30 19:55:24 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
                  2010-01-07 02:42:40 . 2010-01-07 02:42:40 d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
                  2010-01-07 02:42:39 . 2009-12-30 19:54:58 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
                  2010-01-07 02:42:38 . 2010-01-07 02:42:51 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
                  2010-01-06 23:19:08 . 2010-01-06 23:19:08 d-----w- C:\Documents and Settings\HelpAssistant\WINDOWS
                  2010-01-06 23:14:35 . 2010-01-06 23:14:35 d-----w- C:\Documents and Settings\HelpAssistant\Contacts
                  2010-01-06 23:13:38 . 2010-01-06 23:13:42 d-----w- C:\Documents and Settings\HelpAssistant\.housecall6.6
                  2010-01-06 04:46:01 . 2010-01-06 23:19:08 d-----w- C:\Documents and Settings\HelpAssistant\UserData
                  2010-01-05 22:06:06 . 2010-01-05 22:06:20 d-----w- C:\$AVG
                  2010-01-05 22:05:50 . 2010-01-05 22:05:50 360584 ----a-w- C:\WINDOWS\system32\drivers\avgtdix.sys
                  2010-01-05 22:05:50 . 2010-01-05 22:05:50 25608 ----a-w- C:\WINDOWS\system32\drivers\AVGIDSxx.sys
                  2010-01-05 22:05:50 . 2010-01-05 22:05:50 161800 ----a-w- C:\WINDOWS\system32\drivers\avgrkx86.sys
                  2010-01-05 22:04:49 . 2010-01-05 22:04:50 d-----w- C:\Documents and Settings\All Users\Application Data\avg9
                  2010-01-01 20:49:02 . 2010-01-01 20:49:02 d-----w- C:\Documents and Settings\OwnerJ\Local Settings\Application Data\Help
                  2010-01-01 13:51:56 . 2010-01-08 23:28:38 d-----w- C:\Documents and Settings\HelpAssistant

                  .
                  (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2010-01-08 23:52:26 . 2004-02-12 21:23:45 d-----w- C:\Program Files\Java
                  2010-01-08 23:38:51 . 2004-01-03 21:30:36 d-----w- C:\Program Files\Kazaa Lite K++
                  2010-01-08 23:38:21 . 2006-01-19 21:40:20 d-----w- C:\Program Files\eMule
                  2010-01-05 22:05:51 . 2008-05-18 17:14:19 12464 ----a-w- C:\WINDOWS\system32\avgrsstx.dll
                  2010-01-05 22:05:39 . 2008-05-18 17:13:57 333192 ----a-w- C:\WINDOWS\system32\drivers\avgldx86.sys
                  2010-01-05 22:05:38 . 2007-01-21 17:46:23 28424 ----a-w- C:\WINDOWS\system32\drivers\avgmfx86.sys
                  2010-01-05 22:04:53 . 2008-05-18 17:13:55 d-----w- C:\Program Files\AVG
                  2010-01-05 16:39:14 . 2004-07-25 02:03:09 d-----w- C:\Program Files\videofixer
                  2009-12-16 23:48:27 . 2006-05-05 00:23:08 d-----w- C:\Program Files\Spybot - Search & Destroy
                  2009-12-16 23:46:23 . 2006-05-05 00:23:11 d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
                  2009-11-18 03:25:22 . 2009-11-18 03:25:22 d-----w- C:\Documents and Settings\OwnerM\Application Data\Kodak
                  2009-11-16 02:33:45 . 2009-11-16 02:33:45 d-----w- C:\Documents and Settings\OwnerM\Application Data\KodakCredentialStore
                  2009-11-16 02:32:57 . 2009-11-16 02:32:57 d-----w- C:\Documents and Settings\OwnerM\Application Data\Skinux
                  2009-11-15 04:35:49 . 2009-11-15 04:35:49 102328 ----a-w- C:\Documents and Settings\OwnerM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                  2009-11-01 20:11:43 . 2009-11-01 20:11:43 77824 -c--a-w- C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
                  2009-11-01 20:11:43 . 2009-11-01 20:11:41 225280 -c--a-w- C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\finish.exe
                  2009-11-01 20:09:25 . 2009-11-01 20:09:25 45056 -c--a-w- C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe
                  2009-11-01 20:08:57 . 2009-11-01 20:08:49 225280 -c--a-w- C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\start.exe
                  2009-11-01 20:06:38 . 2009-11-01 20:06:38 1187840 ----a-w- C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0001_494da\EasyShrx.Dll
                  2009-11-01 20:06:17 . 2009-11-01 20:06:17 114688 -c--a-w- C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.0.30.1.dll
                  2009-10-20 16:54:20 . 2009-10-20 16:54:20 59992 -c--a-w- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
                  2004-01-08 00:48:47 . 2004-01-03 21:42:20 71 --sha-w- C:\WINDOWS\system32\SYSDRVREB.SYS
                  .

                  ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "AVG9_TRAY"="C:\PROGRA~1\AVG\AVG9\avgtray.exe" [2010-01-05 22:05:07 2033432]
                  "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-10-11 09:17:36 149280]

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                  2010-01-05 22:05:51 12464 ----a-w- C:\WINDOWS\system32\avgrsstx.dll

                  [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CreataCard Plus 2 Forget Me Not Reminders.lnk]
                  path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CreataCard Plus 2 Forget Me Not Reminders.lnk
                  backup=C:\WINDOWS\pss\CreataCard Plus 2 Forget Me Not Reminders.lnkCommon Startup

                  [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
                  path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
                  backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

                  [HKLM\~\startupfolder\C:^Documents and Settings^Jason Hayward^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
                  path=C:\Documents and Settings\Jason Hayward\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
                  backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

                  [HKLM\~\startupfolder\C:^Documents and Settings^Jason Hayward^Start Menu^Programs^Startup^Office Startup.lnk]
                  path=C:\Documents and Settings\Jason Hayward\Start Menu\Programs\Startup\Office Startup.lnk
                  backup=C:\WINDOWS\pss\Office Startup.lnkStartup

                  [HKLM\~\startupfolder\C:^Documents and Settings^Marjorie Hayward^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk]
                  path=C:\Documents and Settings\Marjorie Hayward\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk
                  backup=C:\WINDOWS\pss\Greetings Workshop Reminders.lnkStartup

                  [HKLM\~\startupfolder\C:^Documents and Settings^Marjorie Hayward^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
                  path=C:\Documents and Settings\Marjorie Hayward\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
                  backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

                  [HKLM\~\startupfolder\C:^Documents and Settings^Marjorie Hayward^Start Menu^Programs^Startup^Office Startup.lnk]
                  path=C:\Documents and Settings\Marjorie Hayward\Start Menu\Programs\Startup\Office Startup.lnk
                  backup=C:\WINDOWS\pss\Office Startup.lnkStartup

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
                  C:\WINDOWS\system32\dumprep 0 -k [X]

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
                  2008-06-12 07:38:00 34672 -c--a-w- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
                  2002-10-16 04:05:58 114688 ----a-w- C:\WINDOWS\system32\hkcmd.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
                  2002-10-16 04:18:02 155648 ----a-w- C:\WINDOWS\system32\igfxtray.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
                  2004-08-04 05:31:59 208952 -c--a-w- C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
                  2003-07-01 16:56:40 1130546 -c--a-w- C:\Program Files\Ahead\InCD\InCD.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
                  2003-06-07 11:32:32 50688 ----a-w- C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
                  2007-01-19 17:54:56 5674352 ----a-w- C:\Program Files\MSN Messenger\msnmsgr.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
                  2001-07-09 10:50:42 155648 ----a-w- C:\WINDOWS\system32\NeroCheck.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
                  2003-03-31 12:00:00 455168 -c--a-w- C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
                  2003-03-31 12:00:00 455168 -c--a-w- C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
                  2003-04-24 21:53:54 54784 -c--a-w- C:\WINDOWS\SOUNDMAN.EXE

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
                  2009-03-05 21:07:20 2260480 ------w- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
                  2009-10-11 09:17:36 149280 ----a-w- C:\Program Files\Java\jre6\bin\jusched.exe

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "C:\\WINDOWS\\system32\\sessmgr.exe"=
                  "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "%windir%\\system32\\sessmgr.exe"=
                  "C:\\Program Files\\MSN Messenger\\livecall.exe"=
                  "C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
                  "C:\\Program Files\\AVG\\AVG9\\avgam.exe"=
                  "C:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
                  "C:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
                  "C:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                  "65533:TCP"= 65533:TCP:Services
                  "52344:TCP"= 52344:TCP:Services
                  "3246:TCP"= 3246:TCP:Services
                  "2479:TCP"= 2479:TCP:Services
                  "3389:TCP"= 3389:TCP:Remote Desktop

                  R2 AVGIDSAgent;AVG9IDSAgent;C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe AVGIDSAgent [x]
                • gringo_prgringo_pr Puerto Rico
                  edited January 2010
                  Hello

                  can you please let me know if that is the whole log?

                  if there is more just send me the part that is missing thanks

                  gringo
                • edited January 2010
                  That's all I've got.
                • gringo_prgringo_pr Puerto Rico
                  edited January 2010
                  Hello

                  It may be helpful for you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

                  Vista and Win 7 Users please Right Click and run as Admin all programs that I ask you to run

                  TFC(Temp File Cleaner):
                  • Please download TFC to your desktop,
                  • Save any unsaved work. TFC will close all open application windows.
                  • Double-click TFC.exe to run the program.
                  • If prompted, click "Yes" to reboot.
                  Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

                  : Malwarebytes' Anti-Malware :
                  Please download Malwarebytes' Anti-Malware to your desktop.

                  • Double-click mbam-setup.exe and follow the prompts to install the program.
                  • At the end, be sure a checkmark is placed next to
                    • Update Malwarebytes' Anti-Malware
                    • and Launch Malwarebytes' Anti-Malware
                  • then click Finish.
                  • If an update is found, it will download and install the latest version.
                  • Once the program has loaded, select Perform quick scan, then click Scan.
                  • When the scan is complete, click OK, then Show Results to view the results.
                  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
                  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
                    • If you accidentally close it, the log file is saved here and will be named like this:
                    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


                  Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
                  Click OK to either and let MBAM proceed with the disinfection process.
                  If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


                  :Kaspersky scan:
                  Please go to the Kaspersky website and perform an online antivirus scan.
                  • Read through the requirements and privacy statement and click on Accept button.
                  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
                  • When the downloads have finished, click on Settings.
                  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
                      Spyware, Adware, Dialers, and other potentially dangerous programs
                      Archives
                      Mail databases
                  • Click on My Computer under Scan.
                  • Once the scan is complete, it will display the results. Click on View Scan Report.
                  • You will see a list of infected items there. Click on Save Report As....
                  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
                  • Please post this log in your next reply.


                    "information and logs"

                      In your next post I need the following
                    1. Log From MBAM
                    2. Log From Kaspersky
                    3. let me know of any problems you may have had
                    4. How is the computer doing now?


                    Gringo
                  • edited January 2010
                    Malwarebytes' Anti-Malware 1.44
                    Database version: 3545
                    Windows 5.1.2600 Service Pack 3
                    Internet Explorer 6.0.2900.5512

                    1/11/2010 9:58:39 PM
                    mbam-log-2010-01-11 (21-58-39).txt

                    Scan type: Quick Scan
                    Objects scanned: 132489
                    Time elapsed: 7 minute(s), 1 second(s)

                    Memory Processes Infected: 0
                    Memory Modules Infected: 0
                    Registry Keys Infected: 0
                    Registry Values Infected: 0
                    Registry Data Items Infected: 0
                    Folders Infected: 0
                    Files Infected: 0

                    Memory Processes Infected:
                    (No malicious items detected)

                    Memory Modules Infected:
                    (No malicious items detected)

                    Registry Keys Infected:
                    (No malicious items detected)

                    Registry Values Infected:
                    (No malicious items detected)

                    Registry Data Items Infected:
                    (No malicious items detected)

                    Folders Infected:
                    (No malicious items detected)

                    Files Infected:
                    (No malicious items detected)

                    KASPERSKY ONLINE SCANNER 7.0: scan report
                    Tuesday, January 12, 2010
                    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
                    Kaspersky Online Scanner version: 7.0.26.13
                    Last database update: Tuesday, January 12, 2010 02:51:16
                    Records in database: 3300157

                    Scan settings:
                    scan using the following database: extended
                    Scan archives: yes
                    Scan e-mail databases: yes

                    Scan area - My Computer:
                    A:\
                    C:\
                    D:\

                    Scan statistics:
                    Objects scanned: 72328
                    Threats found: 0
                    Infected objects found: 0
                    Suspicious objects found: 0
                    Scan duration: 02:30:24

                    No threats found. Scanned area is clean.

                    Selected area has been scanned.

                    *********

                    The TFC seemed to have cleared files from the "Help Assistant" account that we did not set up. This account is one reason we thought we had the Mebroot Trojan.

                    We can't really assess how the computer is running as all I am doing is trying to fix these problems.

                    One thing that kept happening is the Windows Installer kept popping up, telling me to put in the NetZero CD.
                  • gringo_pr Puerto Rico
                    edited January 2010
                    We can't really assess how the computer is running as all I am doing is trying to fix these problems.
                      Check it out and let me know if you have any problems.

                    One thing that kept happening is the Windows Installer kept popping up, telling me to put in the NetZero CD.
                      If you don't use it, try to uninstall it.


                    Let me know after you check out the computer.


                    gringo
                  • edited January 2010
                    From what you can see, should the computer be clear? What about this Windows Assistant bogus account? Can we stop that windows installer from coming up?
                  • gringo_pr Puerto Rico
                    edited January 2010
                    What about this Windows Assistant bogus account?
                      This is not a bogus account (it has to do with Remote Assistance), but it is not normally enabled. If you simply want to disable this user, please follow these steps:
                    - Right-click on My Computer and select Manage
                    - Within the Computer Manager window, double-click on Local Users and Groups
                    - Double-click on the Users folder
                    - On the right side of that window, you will see all of the available user accounts within your computer. Right-click on the HelpAssistant user account and select Properties
                    - In the HelpAssistant Properties window, you will see an option to disable the account. Place a check mark in the box next to that option
                    - Click OK twice to close those windows
                    - Close the Computer Management window
                    - Restart the computer

                    Can we stop that windows installer from coming up?

                    I would like you to try this

                    Please download the >>windows installer cleanup utility<<
                      1. Choose Run and install this program.
                    2. After it has installed, go to Start -> All Programs and find Windows Installer Cleanup Utility.
                    3. In the window that opens up, choose NetZero in the list.
                    4. Click Remove.
                    5. Click OK.



                    Let me know if this has helped your problems

                    gringo
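Gringo's steps above rely on the Local Users and Groups snap-in, which Windows XP Home Edition does not ship. As an added example that is not from this thread, the PowerShell script below checks the same HelpAssistant account through the ADSI WinNT provider (available on XP Home and on later Windows versions) and disables it only when run with -Disable; it assumes PowerShell is installed and that it is run from an administrator account.

```powershell
# Added example, not from the thread: report the state of the built-in
# HelpAssistant account and optionally disable it. Run from an administrator
# account; pass -Disable to actually change the account.
param([switch]$Disable)

$computer = $env:COMPUTERNAME

# Bind to the local account database through the ADSI WinNT provider. This
# works on XP Home (which lacks the Local Users and Groups snap-in) as well as
# on later Windows versions. Binding is lazy: the first property access below
# throws if no such account exists.
$account = [ADSI]"WinNT://$computer/HelpAssistant,user"

try {
    $null = $account.psbase.InvokeGet('Name')
} catch {
    Write-Output "No HelpAssistant account exists on $computer."
    return
}

# Windows keeps HelpAssistant disabled except while Remote Assistance is in
# use, so 'ENABLED' outside such a session is worth a closer look.
$isDisabled = [bool]$account.psbase.InvokeGet('AccountDisabled')

# LastLogin throws when the account has never logged on; report that as 'never'.
$lastLogin = 'never'
try { $lastLogin = $account.psbase.InvokeGet('LastLogin') } catch { }

$state = if ($isDisabled) { 'disabled' } else { 'ENABLED' }
Write-Output "HelpAssistant on ${computer}: $state (last login: $lastLogin)"

if ($Disable -and -not $isDisabled) {
    # Set the disabled flag and write it back to the local account database.
    $account.psbase.InvokeSet('AccountDisabled', $true)
    $account.psbase.CommitChanges()
    Write-Output "HelpAssistant has been disabled."
}
```

Without -Disable the script only reports, which is the safe default when you are not sure whether a Remote Assistance session is in use.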
                  • edited January 2010
                    - Within the Computer Manager window, double click on Local Users and Groups

                    - This is not in the choices.

                    One more thing. Quite often when I close off with the x at the top of the screen, it opens a million windows that I need to shut down one by one. Can you help me fix that? Rogers called me last week and said there was a virus in my yahoo account. My Yahoo is my homepage.
                  • gringo_pr Puerto Rico
                    edited January 2010
                    Windows Assistant bogus account

                    One way:
                    1. click Start,
                    2. click Control Panel,
                    3. click Performance and Maintenance,
                    4. and then click System.
                    5. On the Advanced tab, under User Profiles, click Settings.
                    6. Under Profiles stored on this computer, click the user profile you want to delete, and then click Delete.

                    Here is another way:
                      1. Right-click My Computer and select Properties to bring up the System Properties panel.

                    2. Click the Advanced tab and then, in the User Profiles area, click the Settings button.

                    3. From the User Profile dialog box select the individual profile you want to delete.

                    4. Click the Delete button and confirm the action.

                    5. Click OK.


                    opens a million windows that I need to shut down one by one. Can you help me fix that?

                    1. Right-click the IE icon on the desktop and choose Start Without Add-ons, or go to Start | All Programs | Accessories | System Tools | Internet Explorer (No Add-ons).

                    2. Tools | Internet Options | Advanced: scroll to the bottom and click Reset Internet Explorer Settings.

                    Rogers called me last week and said there was a virus in my yahoo account

                    Who is Rogers?
                  • edited January 2010
                    In my Control Panel, User Accounts, there is no Windows Assistant; maybe I got rid of it using that cleanup tool.

                    I can't delete the million windows the way you're telling me.

                    Rogers is my internet provider.

                    Computer is doing well besides these, we're almost ready to say goodbye, lol.