
I got hijacked, but Spybot/Ad-Aware won't remove everything... help please

Discussion in 'Virus & Other Malware Removal' started by misterT31, Jan 3, 2009.

Thread Status:
Not open for further replies.
  1. misterT31

    misterT31 Thread Starter

    Jan 3, 2009

    On January 1st I found myself with a gnarly virus of some sort which slowed my computer to a snail's pace and took me to various websites. Downloaded and scanned with Avast, Spybot, HijackThis, Malwarebytes, AVG, etc. Malwarebytes seemed to work the best and removed most everything including Trojans, and the Virtumonde virus.

    Anyhow, Adaware won't delete or quarantine 9 "infected items" such as:

    Spybot won't remove:

    because "some files are still in use (memory)."

    Are these threats I should worry about, and if so, how do I remove them?

    Lastly, I've never done a HijackThis, and I'm not sure if you can help me figure out which items I should have "fixed".

    Can you give me some direction? I have attached the startup log and another as attachments.

    Thank you!

    Attached Files:

  3. cybertech

    cybertech Moderator

    Apr 16, 2002
    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**


    With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System


    Download the file & save it as it's originally named.

    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    Please note once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.


    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    • At the next prompt, click 'Yes' to run the full ComboFix scan.
    • When the tool is finished, it will produce a report for you.
    Please post the C:\ComboFix.txt in your next reply.
  4. misterT31

    misterT31 Thread Starter

    Jan 3, 2009
    Thank you.

    I used ComboFix and downloaded the Windows console. When I started ComboFix it said I still had Norton and AVG running (tried to turn them both off but couldn't).

    Here are the TXT results. If I can find a way to attach them, I will.

    Thank you,

    ComboFix 09-01-07.01 - HP_Owner 2009-01-07 12:56:03.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.345 [GMT -6:00]
    Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\HP_Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
    AV: Norton Internet Security *On-access scanning enabled* (Outdated)
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
    AV: avast! antivirus 4.8.1296 [VPS 090107-0] *On-access scanning disabled* (Updated)
    FW: ZoneAlarm Firewall *disabled*
    FW: Norton Internet Security *disabled*
    * Created a new restore point

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    ----- BITS: Possible infected sites -----

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    ((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))

    2009-01-03 12:20 . 2009-01-03 12:20 <DIR> d-------- c:\program files\Avira
    2009-01-03 12:20 . 2009-01-03 12:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
    2009-01-03 00:11 . 2009-01-03 00:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-03 00:11 . 2009-01-03 00:11 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
    2009-01-03 00:11 . 2009-01-03 00:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-03 00:11 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-03 00:11 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-02 17:46 . 2009-01-02 17:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVG7
    2009-01-02 11:42 . 2009-01-02 11:42 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2009-01-02 11:42 . 2009-01-02 11:42 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
    2009-01-02 11:42 . 2009-01-02 11:42 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2009-01-02 11:42 . 2009-01-02 11:42 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2009-01-02 10:54 . 2009-01-02 10:54 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-01-02 09:55 . 2009-01-02 10:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-01-02 09:53 . 2009-01-02 09:53 <DIR> d-------- c:\program files\Alwil Software
    2009-01-02 01:25 . 2009-01-02 01:25 <DIR> d-------- c:\program files\Trend Micro
    2009-01-01 21:33 . 2009-01-01 21:33 0 --a------ c:\windows\system32\drivers\seneka.sy_
    2009-01-01 20:15 . 2009-01-01 20:15 2,461 --a------ c:\windows\system32\senekadf.da_
    2009-01-01 20:15 . 2009-01-01 20:15 59 --a------ c:\windows\system32\seneka.da_
    2009-01-01 20:09 . 2009-01-01 21:41 4,565 --a------ c:\windows\system32\senekalog.da_
    2009-01-01 18:23 . 2009-01-01 18:23 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Amazon
    2009-01-01 17:13 . 2009-01-01 17:14 <DIR> d-------- c:\program files\iTunes
    2009-01-01 17:13 . 2009-01-01 17:13 <DIR> d-------- c:\program files\iPod
    2009-01-01 17:13 . 2009-01-01 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2009-01-01 17:05 . 2009-01-01 17:06 <DIR> d-------- c:\program files\QuickTime
    2009-01-01 16:48 . 2009-01-01 16:48 <DIR> d-------- c:\program files\Amazon

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2009-01-07 19:10 249,274,400 --sha-w c:\windows\system32\drivers\fidbox.dat
    2009-01-07 19:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-01-07 19:00 2,922,116 --sha-w c:\windows\system32\drivers\fidbox.idx
    2009-01-07 09:00 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
    2009-01-04 16:18 --------- d-----w c:\program files\Google
    2009-01-04 06:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-01-04 01:47 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-01-03 18:26 --------- d-----w c:\program files\SpywareBlaster
    2009-01-03 16:58 --------- d-----w c:\program files\CCleaner
    2009-01-03 15:37 --------- d-----w c:\documents and settings\HP_Owner\Application Data\AVG7
    2009-01-02 22:43 --------- d-----w c:\program files\Easy Adder
    2009-01-02 15:55 --------- d-----w c:\program files\Lavasoft
    2009-01-01 23:13 --------- d-----w c:\program files\Common Files\Apple
    2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
    2008-11-26 02:07 8,321,027 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2008-11-21 20:02 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Apple Computer
    2008-11-08 23:07 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\dllcache\gdi32.dll
    2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
    2008-10-16 13:11 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
    2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
    2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
    2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
    2002-09-11 14:26 63,730 ----a-w c:\program files\viewsonicinstruct_xp.pdf
    2007-12-13 14:35 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2008-03-14 13:25 125,848 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
    2007-12-13 14:35 46,408 ----a-w c:\program files\mozilla firefox\plugins\atmccli.dll
    2007-12-13 14:36 98,704 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2008-08-24 05:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown

    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 94208]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
    "RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-18 339968]
    "BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
    "AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
    "ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
    "Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

    "AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-02 219136]

    c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
    PowerReg Scheduler.exe [2006-12-30 225280]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
    NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\WPN111.exe [2007-07-14 884838]
    Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2005-06-16 45056]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    --a------ 2004-10-14 14:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    --a------ 2004-09-25 01:37 1691648 c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

    "EnableFirewall"= 0 (0x0)

    "c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-02 111184]
    R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-02 20560]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-07-13 17149]
    S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2007-07-14 362944]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    Contents of the 'Scheduled Tasks' folder

    2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2009-01-07 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 14:54]

    2009-01-07 c:\windows\Tasks\xyjxcric.job
    - c:\windows\system32\rundll32.exe [2008-04-13 18:12]
    - - - - ORPHANS REMOVED - - - -

    BHO-{3ACF947C-489E-4BEF-B0F5-D2883A57045C} - (no file)
    HKU-Default-Run-msiexec.exe - msiconf.exe
    Notify-ljJDWoMd - ljJDWoMd.dll

    ------- Supplementary Scan -------
    uStart Page = hxxp://finance.yahoo.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
    uInternet Settings,ProxyOverride =;*.local
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: *.turbotax.com

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\iacqfg6d.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - www.therainforestsite.com
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll


    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-07 13:03:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0


    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(592)
    ------------------------ Other Running Processes ------------------------
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
    c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Iomega\AutoDisk\ADService.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    Completion time: 2009-01-07 13:14:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-07 19:13:51

    Pre-Run: 109,033,861,120 bytes free
    Post-Run: 109,703,262,208 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=,1,2,3,4
    258 --- E O F --- 2008-12-18 09:01:23

    Attached Files:
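A report like the one above can be triaged mechanically before a human reads it line by line. As an added example that is not part of this thread, of ComboFix, or of any tool named here, the Python script below parses a constructed excerpt in the same layout (file-creation lines, the EnableFirewall value and Scheduled Tasks entries) and flags the things a helper's eye catches: a zero-byte driver stub under system32, cab-style ".xx_" extensions in system32, a firewall disabled by policy, and a scheduled task with a random-looking name that launches rundll32.exe. The regexes, the thresholds and the looks_random heuristic are assumptions of this example, not anything ComboFix documents.

```python
import re
from typing import Dict, List

# Constructed excerpt in the ComboFix report layout. The lines mirror ones
# in the report above; only the layout matters to the parser.
SAMPLE_REPORT = """\
2009-01-03 00:11 . 2008-12-03 19:52 38,496 --a------ c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2009-01-01 21:33 . 2009-01-01 21:33 0 --a------ c:\\windows\\system32\\drivers\\seneka.sy_
2009-01-01 20:15 . 2009-01-01 20:15 2,461 --a------ c:\\windows\\system32\\senekadf.da_
2009-01-01 17:13 . 2009-01-01 17:14 <DIR> d-------- c:\\program files\\iTunes

"EnableFirewall"= 0 (0x0)

2009-01-06 c:\\windows\\Tasks\\AppleSoftwareUpdate.job
- c:\\program files\\Apple Software Update\\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-07 c:\\windows\\Tasks\\xyjxcric.job
- c:\\windows\\system32\\rundll32.exe [2008-04-13 18:12]
"""

# "created . modified size attributes path" as printed in the Files Created section.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
# Scheduled task: a ".job" line followed by "- <command> [timestamp]".
TASK_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} (?P<job>c:\\windows\\tasks\\(?P<name>[^\\]+)\.job)$", re.I
)
TASK_CMD = re.compile(r"^- (?P<cmd>.+?) \[")
FIREWALL_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
CAB_STYLE_EXT = re.compile(r"\.[a-z]{2}_$")


def looks_random(name: str) -> bool:
    """Heuristic (assumption): a job name with almost no vowels is probably generated."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def triage(report: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious report entry: kind, path and reasons."""
    findings: List[Dict[str, str]] = []
    lines = [ln.strip() for ln in report.splitlines()]
    for i, line in enumerate(lines):
        m = FILE_LINE.match(line)
        if m:
            path = m.group("path")
            low = path.lower()
            reasons = []
            in_system32 = "\\windows\\system32\\" in low
            if in_system32 and m.group("size") == "0" and low.endswith((".sys", ".sy_")):
                reasons.append("zero-byte driver under system32")
            if in_system32 and CAB_STYLE_EXT.search(low):
                reasons.append("cab-style compressed extension (.xx_) in system32")
            if reasons:
                findings.append({"kind": "file", "path": path, "reason": "; ".join(reasons)})
            continue
        if FIREWALL_OFF.match(line):
            findings.append({"kind": "policy", "path": "EnableFirewall",
                             "reason": "Windows Firewall disabled by policy value"})
            continue
        t = TASK_LINE.match(line)
        if t and i + 1 < len(lines):
            c = TASK_CMD.match(lines[i + 1])
            cmd = c.group("cmd").lower() if c else ""
            reasons = []
            if cmd.endswith("\\rundll32.exe"):
                reasons.append("task launches rundll32.exe")
            if looks_random(t.group("name")):
                reasons.append("random-looking job name")
            if reasons:
                findings.append({"kind": "task", "path": t.group("job"), "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f['kind']}] {f['path']}: {f['reason']}")
```

Run against the constructed excerpt it reports the two seneka files, the disabled firewall and the xyjxcric task, and stays silent on the Malwarebytes driver, the iTunes folder and the Apple update task. The flags are leads for a helper to confirm, not verdicts: a legitimate installer can leave a .sy_ file behind, and a vendor task can legitimately call rundll32.exe, so each finding still needs the file and its signer checked.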

  5. cybertech

    cybertech Moderator

    Apr 16, 2002
    Open Notepad and copy and paste the text in the code box below into it:
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Referring to the picture above, drag CFScript into ComboFix.exe

    This will start ComboFix again. It may ask to reboot. Post the contents of c:\Combofix.txt in your next reply.

    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    Click Exit on the Main menu to close the program.

    Please download Malwarebytes Anti-Malware and save it to your desktop. alternate link 1 alternate link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply with a new hijackthis log.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    Please do an online scan with Kaspersky WebScanner

    Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure the following is checked.
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.

    Upgrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
    • Click on Continue.
    • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u11-windows-i586-p.exe and select "Run as an Administrator".)
  6. misterT31

    misterT31 Thread Starter

    Jan 3, 2009

    OK, after some time I've been able to perform the operations... including the Kaspersky scan, ComboFix, installing new Java, a new HijackThis log, a new Malwarebytes scan, running the ATF Cleaner, etc.

    Attached are the TXT files of the new logs... I think we are making progress... I hope! Thank you for the help. Please let me know what you're looking for in the logs.... Kaspersky says I still have a virus.

    Attached Files:

  7. cybertech

    cybertech Moderator

    Apr 16, 2002
    Run HJT again and put a check in the following:

    O4 - Startup: PowerReg Scheduler.exe

    Close all applications and browser windows before you click "fix checked".

    You have two anti-virus programs running, which will cause trouble. Uninstall one of them.

    These infections:
    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Outlook\archive1.pst
    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst

    are in your e-mail. You need to find them and delete them. They will be found in the Archive folder and the personal folder. I can't tell you what they are. You will access these folders from inside Outlook. If you delete the entire .pst file it will remove all of the mail in those Outlook folders, and the folder will no longer exist. Carefully clean those saved e-mail files.

    These infected files:
    C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE
    are not a big deal. When you install these applications, don't use the easy install; use the custom install and de-select the add-on, which is the malware feature. ;)

    Please post back and if all is well I will provide removal instructions for the tools I have requested you to download.

Short URL to this thread: https://techguy.org/786305