
Trojan TR/Dldr.Agent.djqc. found.

Discussion in 'Virus & Other Malware Removal' started by itmeman, Mar 31, 2010.

  1. itmeman

    itmeman Thread Starter

    Joined:
    Jun 27, 2007
    Messages:
    91
    Windows XP Home operating system. After I log in to eBay I'm directed to a page that asks for personal info such as SSN, credit card number, and other personal information. My computer is also running very slow. Also, when I do a Google search my computer either a) redirects me from the link I click on from the search back to the Google home page or b) takes me to another link or website other than the Google home page.

    Avira scan results and HJT log attached.



    Avira AntiVir Personal
    Report file date: Tuesday, March 30, 2010 23:28

    Scanning for 1946344 virus strains and unwanted programs.

    Licensed to: Avira AntiVir Personal - FREE Antivirus
    Serial number: 0000149996-ADJIE-0000001
    Platform: Windows XP
    Windows version: (Service Pack 3) [5.1.2600]
    Boot mode: Normally booted
    Username: SYSTEM
    Computer name: LEWIS

    Version information:
    BUILD.DAT : 8.2.0.354 17048 Bytes 10/23/2009 13:15:00
    AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26
    AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
    LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
    LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
    ANTIVIR0.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 22:55:26
    ANTIVIR1.VDF : 7.10.4.211 7108976 Bytes 3/5/2010 22:59:29
    ANTIVIR2.VDF : 7.10.6.3 1849760 Bytes 3/30/2010 23:00:38
    ANTIVIR3.VDF : 7.10.6.5 32768 Bytes 3/30/2010 23:00:39
    Engineversion : 8.2.1.204
    AEVDF.DLL : 8.1.1.3 106868 Bytes 1/22/2010 22:56:48
    AESCRIPT.DLL : 8.1.3.23 1278331 Bytes 3/26/2010 23:00:25
    AESCN.DLL : 8.1.5.0 127347 Bytes 2/25/2010 22:58:34
    AESBX.DLL : 8.1.2.1 254323 Bytes 3/17/2010 22:59:45
    AERDL.DLL : 8.1.4.3 541043 Bytes 3/17/2010 22:59:44
    AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 22:59:42
    AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 22:59:42
    AEHEUR.DLL : 8.1.1.16 2503031 Bytes 3/26/2010 23:00:22
    AEHELP.DLL : 8.1.10.2 237941 Bytes 3/17/2010 22:59:26
    AEGEN.DLL : 8.1.3.2 373108 Bytes 3/19/2010 22:59:41
    AEEMU.DLL : 8.1.1.0 393587 Bytes 10/3/2009 21:49:38
    AECORE.DLL : 8.1.12.3 188789 Bytes 3/17/2010 22:59:24
    AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56
    AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
    AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
    AVREP.DLL : 8.0.0.7 159784 Bytes 2/17/2010 22:57:55
    AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
    AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
    AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
    SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
    SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
    NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
    RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
    RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

    Configuration settings for the scan:
    Jobname..........................: Complete system scan
    Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
    Logging..........................: low
    Primary action...................: interactive
    Secondary action.................: ignore
    Scan master boot sector..........: on
    Scan boot sector.................: on
    Boot sectors.....................: C:,
    Process scan.....................: on
    Scan registry....................: on
    Search for rootkits..............: off
    Scan all files...................: Intelligent file selection
    Scan archives....................: on
    Recursion depth..................: 20
    Smart extensions.................: on
    Macro heuristic..................: on
    File heuristic...................: medium

    Start of the scan: Tuesday, March 30, 2010 23:28

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
    Scan process 'jucheck.exe' - '1' Module(s) have been scanned
    Scan process 'hpzipm12.exe' - '1' Module(s) have been scanned
    Scan process 'iPodService.exe' - '1' Module(s) have been scanned
    Scan process 'soffice.bin' - '1' Module(s) have been scanned
    Scan process 'soffice.exe' - '1' Module(s) have been scanned
    Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
    Scan process 'WinPatrol.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'jusched.exe' - '1' Module(s) have been scanned
    Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
    Scan process 'hpwuSchd.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'jqs.exe' - '1' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    35 processes with 35 modules were scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!

    Starting to scan the registry.
    The registry was scanned ( '52' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    C:\Documents and Settings\HelpAssistant\Local Settings\Temp\sEdA.dll
    [DETECTION] Is the TR/Dldr.Agent.djqc Trojan
    [NOTE] The file was moved to '4c1738af.qua'!
    C:\Documents and Settings\Larry\Local Settings\temp\sEdA.dll
    [DETECTION] Is the TR/Dldr.Agent.djqc Trojan
    [NOTE] The file was moved to '4c173b7a.qua'!


    End of the scan: Wednesday, March 31, 2010 08:16
    Used time: 8:47:53 Hour(s)

    The scan has been canceled!

    4808 Scanning directories
    32349 Files were scanned
    2 viruses and/or unwanted programs were found
    0 Files were classified as suspicious:
    0 files were deleted
    0 files were repaired
    2 files were moved to quarantine
    0 files were renamed
    1 Files cannot be scanned
    32346 Files not concerned
    297 Archives were scanned
    1 Warnings
    2 Notes


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:17:48 AM, on 3/31/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.ashencrod.org
    O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.ashencrod.org/controls/LTOCX14N.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198460261062
    O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.ashencrod.org/controls/prntpro2.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    --
    End of file - 6501 bytes
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,889
    First Name:
    Karen
    Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
    Close out all other open programs and windows.
    Double click the file to run it and follow any prompts.
    If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.


    *In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

    mbr -f

    Now, please do the Start>Run>mbr -f command a second time.
    Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
    Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
     
  3. itmeman

    itmeman Thread Starter

    Joined:
    Jun 27, 2007
    Messages:
    91
    Thank you very very much!!

    C:\Documents and Settings\Larry\Desktop\HelpAsst_mebroot_fix.exe
    Wed 03/31/2010 at 20:30:40.03

    HelpAssistant account was found to be Active ~ attempting to de-activate

    Full Name Remote Desktop Help Assistant Account
    Account active Yes
    Local Group Memberships *Administrators

    HelpAssistant successfully set Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present! ~ attempting to remove
    Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

    ~~ Checking firewall ports ~~

    backing up DomainProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "7365:TCP"=-
    "7366:TCP"=-
    "3389:TCP"=-

    backing up StandardProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "7365:TCP"=-
    "7366:TCP"=-
    "3389:TCP"=-

    HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1614895754-1078145449-1417001333-1000
    HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
    ~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

    ~~ Checking mbr ~~

    mbr infection detected! ~ running mbr -f

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\atapi -> 0xffaa50b8
    NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0xff91f330
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x094FE9BD
    malicious code @ sector 0x094FE9C0 !
    PE file found in sector at 0x094FE9D6 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
    original MBR restored successfully !

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\atapi -> 0xffaa50b8
    NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0xff91f330
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK
    copy of MBR has been found in sector 0x094FE9BD
    malicious code @ sector 0x094FE9C0 !
    PE file found in sector at 0x094FE9D6 !
    Use "Recovery Console" command "fixmbr" to clear infection !
    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Wed 03/31/2010 at 20:51:41.90

    Full Name Remote Desktop Help Assistant Account
    Account active No
    Local Group Memberships

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x094FE9BD
    malicious code @ sector 0x094FE9C0 !
    PE file found in sector at 0x094FE9D6 !

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in List

    ~~ Checking for HelpAssistant directories ~~

    none found

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


    ~~ EOF ~~
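The HelpAsst_mebroot_fix log above records the indicators the tool acted on: the Remote Desktop Help Assistant account active and in Administrators, termsrv32.dll present in system32, non-default ports opened in both firewall GloballyOpenPorts lists, and MBR hooks with a bootkit body at a fixed sector. The Python triage parser below is an added example written for this page; it is not part of the thread and not code from the HelpAsst tool. It runs over a constructed excerpt modelled on the posted log, and its allowlist of 3389/TCP is an assumption taken from the status check, which leaves only that Remote Desktop entry in place.

```python
import re

# Constructed excerpt modelled on the HelpAsst_mebroot_fix log posted in this
# thread (not the real tool output; trimmed to what the parser needs).
SAMPLE_LOG = r"""
HelpAssistant account was found to be Active ~ attempting to de-activate

Full Name                    Remote Desktop Help Assistant Account
Account active               Yes
Local Group Memberships      *Administrators

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3389:TCP"=-

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"3389:TCP"=-

~~ Checking mbr ~~

detected MBR rootkit hooks:
\Driver\atapi -> 0xffaa50b8
Warning: possible MBR rootkit infection !
malicious code @ sector 0x094FE9C0 !
"""

PORT_HEADER = re.compile(r"firewallpolicy\\(\w+)\\globallyopenports\\list", re.I)
PORT_ENTRY = re.compile(r'^"(\d+):(TCP|UDP)"\s*=', re.I)
HOOK_LINE = re.compile(r"->\s*0x[0-9a-f]+", re.I)

# Assumption: Remote Desktop (3389/TCP) is the only globally open port the
# status check in the thread leaves in place, so it is the allowlist here.
DEFAULT_ALLOWED = {("TCP", 3389)}


def helpassistant_state(log: str) -> dict:
    """State from the first 'Account active' / 'Local Group Memberships'
    block, i.e. before the tool deactivated the account."""
    active = re.search(r"^\s*Account active\s+(Yes|No)", log, re.M | re.I)
    groups = re.search(r"^\s*Local Group Memberships[ \t]*(.*)$", log, re.M | re.I)
    return {
        "active": bool(active and active.group(1).lower() == "yes"),
        "administrator": bool(groups and "administrators" in groups.group(1).lower()),
    }


def termsrv32_present(log: str) -> bool:
    return "termsrv32.dll present" in log


def open_ports(log: str) -> dict:
    """Firewall profile -> set of (proto, port) listed under its GloballyOpenPorts key."""
    ports: dict = {}
    profile = None
    for raw in log.splitlines():
        line = raw.strip()
        header = PORT_HEADER.search(line)
        if header:
            profile = header.group(1).lower()
            ports.setdefault(profile, set())
            continue
        entry = PORT_ENTRY.match(line)
        if entry and profile:
            ports[profile].add((entry.group(2).upper(), int(entry.group(1))))
    return ports


def unexpected_ports(ports: dict, allowed=DEFAULT_ALLOWED) -> set:
    """(profile, proto, port) triples that are open but not on the allowlist."""
    return {(profile, proto, port)
            for profile, entries in ports.items()
            for proto, port in entries
            if (proto, port) not in allowed}


def mbr_indicators(log: str) -> list:
    """Lines of the embedded mbr.exe output that show a driver hook or a bootkit body."""
    hits = []
    for raw in log.splitlines():
        line = raw.strip()
        if HOOK_LINE.search(line) or "malicious code @ sector" in line.lower():
            hits.append(line)
    return hits


def triage(log: str) -> list:
    """Human-readable findings, in the order a responder would act on them."""
    findings = []
    ha = helpassistant_state(log)
    if ha["active"]:
        findings.append("HelpAssistant account active"
                        + (" and a member of Administrators" if ha["administrator"] else ""))
    if termsrv32_present(log):
        findings.append("termsrv32.dll present in system32")
    for profile, proto, port in sorted(unexpected_ports(open_ports(log))):
        findings.append(f"{profile}: unexpected globally open port {port}/{proto}")
    for hit in mbr_indicators(log):
        findings.append(f"MBR: {hit}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against a real log, the port check is the part worth keeping: the rogue entries (65533, 52344, 7365, 7366 in the posted log) are exactly the kind of firewall exception a responder would miss when skimming, and a clean status check should leave `unexpected_ports` empty.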
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,889
    First Name:
    Karen
    Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     
  5. itmeman

    itmeman Thread Starter

    Joined:
    Jun 27, 2007
    Messages:
    91
    Cookiegal,
    I'm afraid I totally forgot to save ComboFix as puppy.exe. Is that OK?? I will gladly repeat the process if I need to... no problem. Thanks

    ComboFix 10-03-29.04 - Larry 03/31/2010 23:34:12.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.146 [GMT -4:00]
    Running from: c:\documents and settings\Larry\Desktop\ComboFix.exe
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
    c:\windows\system32\Process.exe
    c:\windows\system32\SrchSTS.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))
    .

    2010-04-01 00:30 . 2010-04-01 00:30 -------- d-----w- C:\HelpAsst_backup
    2010-03-26 02:56 . 2010-03-26 02:56 696832 ----a-w- c:\windows\is-56B3J.exe
    2010-03-10 19:46 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-01 00:47 . 2008-01-03 21:57 -------- d-----w- c:\documents and settings\Larry\Application Data\OpenOffice.org2
    2010-03-31 03:14 . 2009-06-09 02:37 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
    2010-03-31 03:13 . 2009-06-09 02:31 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
    2010-03-29 00:43 . 2009-05-27 03:20 117760 ----a-w- c:\documents and settings\Larry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-03-29 00:25 . 2009-11-11 10:23 79488 ----a-w- c:\documents and settings\Larry\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-03-26 14:34 . 2009-01-30 23:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-26 02:54 . 2009-02-12 03:15 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-03-23 12:45 . 2009-01-29 04:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-02-22 04:37 . 2009-03-17 04:01 117760 ----a-w- c:\documents and settings\Stephen\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-21 21:41 . 2008-03-31 01:37 -------- d-----w- c:\program files\LimeWire
    2010-02-21 21:41 . 2010-02-21 21:34 -------- d-----w- c:\documents and settings\Larry\Application Data\LimeWire
    2010-02-16 21:40 . 2010-02-16 21:40 38372 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-02-12 17:24 . 2007-12-26 04:34 -------- d-----w- c:\documents and settings\Stephen\Application Data\OpenOffice.org2
    2010-02-07 22:43 . 2009-12-16 12:05 -------- d-----w- c:\program files\Family Tree Heritage
    2010-01-23 01:10 . 2009-11-24 22:43 79488 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-15 00:23 . 2009-12-20 15:16 52224 ----a-w- c:\documents and settings\Larry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-08 05:03 . 2010-01-08 05:03 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
    2010-01-07 20:07 . 2009-01-30 23:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 20:07 . 2009-01-30 23:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "nwiz"="nwiz.exe" [2007-12-05 1626112]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-31 136600]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

    c:\documents and settings\Stephen\Start Menu\Programs\Startup\
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
    OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

    c:\documents and settings\Larry\Start Menu\Programs\Startup\
    OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:Remote Desktop

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [12/24/2007 12:45 AM 311112]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: ashencrod.org\www
    DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://www.ashencrod.org/controls/LTOCX14N.cab
    DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - hxxp://www.ashencrod.org/controls/prntpro2.CAB
    FF - ProfilePath - c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\4writlvw.default\
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://results.mindspark.com/dft_redir.jhtml?id=ZJxdm375UVUS&ptnrS=ZJxdm375UVUS&fl=0&ptb=YfnrSphEHcoD87ab_0xg8Q&st=kwd&si=98755&searchfor=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-31 23:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(656)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-03-31 23:47:50
    ComboFix-quarantined-files.txt 2010-04-01 03:47

    Pre-Run: 49,318,375,424 bytes free
    Post-Run: 49,811,611,648 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 985F4CF4A9773191F715144E31CA6DD2


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:49:26 PM, on 3/31/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.ashencrod.org
    O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.ashencrod.org/controls/LTOCX14N.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198460261062
    O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.ashencrod.org/controls/prntpro2.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    --
    End of file - 6110 bytes
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,889
    First Name:
    Karen
    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    http://forums.techguy.org/malware-removal-hijackthis-logs/913790-trojan-tr-dldr-agent-djqc.html
    
    Collect::
    c:\windows\is-56B3J.exe
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=-
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\4writlvw.default\
    FF - prefs.js: keyword.URL - hxxp://results.mindspark.com/dft_redir.jhtml?id=ZJxdm375UVUS&ptnrS=ZJxdm375UVUS&fl=0&ptb=YfnrSphEHcoD87ab_0xg8Q&st=kwd&si=98755&searchfor=
     
    Save the file to your desktop and name it CFScript.txt

    Referring to the picture below, drag CFScript.txt into ComboFix.exe



    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
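    The script above targets three kinds of entries that recur in these logs: a site added to the Trusted Zone with ActiveX controls downloaded from it, a firewall exception that opens TCP 3389 (Remote Desktop) to every network, and a Firefox keyword.URL override that sends address-bar searches through a third-party redirector. The following is an added example, not code from the forum or from the ComboFix/HijackThis authors: a small Python triage helper that reads HijackThis/ComboFix-style lines and reports those indicators so a reviewer does not have to scan hundreds of lines by eye. The sample lines are constructed from the shapes seen in this thread, and the list of vendor hosts from which ActiveX downloads are considered expected is an assumption to be tuned per environment.

```python
"""Triage helper for HijackThis / ComboFix log lines (added example, not the tools' own code)."""
import re
from urllib.parse import urlparse

# Assumption: hosts from which O16 (ActiveX/DPF) downloads are normally expected.
# Anything else is reported for review, not judged malicious on its own.
EXPECTED_DPF_HOSTS = ("microsoft.com", "macromedia.com", "adobe.com", "java.com")

# Constructed sample in the shape of the HijackThis and ComboFix output quoted in the thread.
# Sections are separated by a blank line, as in REG/ComboFix output.
SAMPLE_LOG = r"""
O15 - Trusted Zone: http://www.ashencrod.org
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.ashencrod.org/controls/LTOCX14N.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://results.mindspark.com/dft_redir.jhtml?st=kwd&searchfor=
"""


def _host(url: str) -> str:
    """Hostname of a URL; logs defang URLs as hxxp://, so restore the scheme first."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return urlparse(url).hostname or ""


def _is_expected(host: str, expected=EXPECTED_DPF_HOSTS) -> bool:
    """True when host is one of the expected vendor domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in expected)


def triage(log_text: str):
    """Return a list of (category, subject, note) findings for the given log text."""
    findings = []
    section = ""  # current [registry key] section, reset at blank lines
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = ""
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if line.startswith("O15 - Trusted Zone:"):
            # Trusted Zone relaxes IE security settings for that site.
            host = _host(line.split(":", 1)[1])
            findings.append(("trusted-zone", host, "site added to IE Trusted Zone (relaxed security settings)"))
        elif line.startswith("O16 - DPF:"):
            # O16 lines end with " - <url>" naming where the control was downloaded from.
            host = _host(line.rsplit(" - ", 1)[1])
            if not _is_expected(host):
                findings.append(("activex-download", host, "ActiveX control installed from a non-vendor host"))
        elif line.startswith("FF - prefs.js: keyword.URL"):
            # keyword.URL only appears in prefs.js when changed from the default,
            # so its presence alone is worth a look.
            host = _host(line.split(" - ", 2)[2])
            findings.append(("search-redirect", host, "Firefox keyword.URL routes address-bar searches via this host"))
        elif section.lower().endswith("globallyopenports\\list") and line.startswith('"'):
            # Entries look like "port:proto"= port:proto:Name under the firewall policy key.
            m = re.match(r'"(\d+):(TCP|UDP)"', line, re.IGNORECASE)
            if m:
                port, proto = int(m.group(1)), m.group(2).upper()
                note = "firewall exception open to all networks"
                if port == 3389 and proto == "TCP":
                    note += "; Remote Desktop exposed"
                findings.append(("open-port", f"{port}/{proto}", note))
    return findings


if __name__ == "__main__":
    for category, subject, note in triage(SAMPLE_LOG):
        print(f"[{category}] {subject}: {note}")
```

Run against the sample, the helper reports the Trusted Zone site, the ActiveX download from that same site, the globally open 3389/TCP exception, and the keyword.URL redirector, and stays quiet on the Flash control from macromedia.com and the plain homepage setting. The open-port finding corresponds to the `"3389:TCP"=-` line in the script above, which removes that firewall value.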
     
  7. itmeman

    itmeman Thread Starter

    Joined:
    Jun 27, 2007
    Messages:
    91
    Excuse my ignorance, you meant for me to do another ComboFix scan, right? Here are the ComboFix and HJT logs.

    ComboFix 10-03-29.04 - Larry 04/01/2010 23:17:04.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.116 [GMT -4:00]
    Running from: c:\documents and settings\Larry\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Larry\Desktop\CFScript.txt
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    file zipped: c:\windows\is-56B3J.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\is-56B3J.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
    .

    2010-04-01 22:57 . 2010-04-01 22:57 -------- d-----w- c:\documents and settings\Larry\Application Data\WinPatrol
    2010-04-01 00:30 . 2010-04-01 00:30 -------- d-----w- C:\HelpAsst_backup
    2010-03-10 19:46 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-01 23:01 . 2009-05-27 03:20 117760 ----a-w- c:\documents and settings\Larry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-01 11:11 . 2008-01-03 21:57 -------- d-----w- c:\documents and settings\Larry\Application Data\OpenOffice.org2
    2010-03-31 03:14 . 2009-06-09 02:37 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
    2010-03-31 03:13 . 2009-06-09 02:31 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
    2010-03-29 00:25 . 2009-11-11 10:23 79488 ----a-w- c:\documents and settings\Larry\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-03-26 14:34 . 2009-01-30 23:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-26 02:54 . 2009-02-12 03:15 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-03-23 12:45 . 2009-01-29 04:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
    2010-02-22 04:37 . 2009-03-17 04:01 117760 ----a-w- c:\documents and settings\Stephen\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-21 21:41 . 2008-03-31 01:37 -------- d-----w- c:\program files\LimeWire
    2010-02-21 21:41 . 2010-02-21 21:34 -------- d-----w- c:\documents and settings\Larry\Application Data\LimeWire
    2010-02-16 21:40 . 2010-02-16 21:40 38372 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-02-12 17:24 . 2007-12-26 04:34 -------- d-----w- c:\documents and settings\Stephen\Application Data\OpenOffice.org2
    2010-02-07 22:43 . 2009-12-16 12:05 -------- d-----w- c:\program files\Family Tree Heritage
    2010-01-23 01:10 . 2009-11-24 22:43 79488 ----a-w- c:\documents and settings\Stephen\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-15 00:23 . 2009-12-20 15:16 52224 ----a-w- c:\documents and settings\Larry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-08 05:03 . 2010-01-08 05:03 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
    2010-01-07 20:07 . 2009-01-30 23:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 20:07 . 2009-01-30 23:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    .

    ((((((((((((((((((((((((((((( [email protected]_03.42.45 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-01 07:18 . 2010-04-01 07:18 16384 c:\windows\temp\Perflib_Perfdata_68c.dat
    + 2007-12-24 04:11 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
    - 2007-12-24 04:11 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 44544 c:\windows\system32\pngfilt.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 44544 c:\windows\system32\pngfilt.dll
    + 2007-08-13 23:54 . 2010-03-11 12:38 52224 c:\windows\system32\msfeedsbs.dll
    - 2007-08-13 23:54 . 2010-01-05 10:00 52224 c:\windows\system32\msfeedsbs.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 27648 c:\windows\system32\jsproxy.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 27648 c:\windows\system32\jsproxy.dll
    - 2007-08-13 23:39 . 2009-12-31 15:33 13824 c:\windows\system32\ieudinit.exe
    + 2007-08-13 23:39 . 2010-03-10 13:18 13824 c:\windows\system32\ieudinit.exe
    - 2004-08-04 12:00 . 2010-01-05 10:00 44544 c:\windows\system32\iernonce.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 44544 c:\windows\system32\iernonce.dll
    + 2004-08-04 12:00 . 2010-03-10 13:18 70656 c:\windows\system32\ie4uinit.exe
    - 2004-08-04 12:00 . 2009-12-31 15:33 70656 c:\windows\system32\ie4uinit.exe
    - 2007-08-13 23:36 . 2010-01-05 10:00 63488 c:\windows\system32\icardie.dll
    + 2007-08-13 23:36 . 2010-03-11 12:38 63488 c:\windows\system32\icardie.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 44544 c:\windows\system32\dllcache\pngfilt.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 44544 c:\windows\system32\dllcache\pngfilt.dll
    + 2007-12-24 03:44 . 2010-03-11 12:38 52224 c:\windows\system32\dllcache\msfeedsbs.dll
    - 2007-12-24 03:44 . 2010-01-05 10:00 52224 c:\windows\system32\dllcache\msfeedsbs.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 27648 c:\windows\system32\dllcache\jsproxy.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 27648 c:\windows\system32\dllcache\jsproxy.dll
    - 2007-12-24 03:44 . 2009-12-31 15:33 13824 c:\windows\system32\dllcache\ieudinit.exe
    + 2007-12-24 03:44 . 2010-03-10 13:18 13824 c:\windows\system32\dllcache\ieudinit.exe
    + 2004-08-04 12:00 . 2010-03-11 12:38 44544 c:\windows\system32\dllcache\iernonce.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 44544 c:\windows\system32\dllcache\iernonce.dll
    - 2009-02-20 18:09 . 2010-01-05 10:00 78336 c:\windows\system32\dllcache\ieencode.dll
    + 2009-02-20 18:09 . 2010-03-11 12:38 78336 c:\windows\system32\dllcache\ieencode.dll
    - 2004-08-04 12:00 . 2009-12-31 15:33 70656 c:\windows\system32\dllcache\ie4uinit.exe
    + 2004-08-04 12:00 . 2010-03-10 13:18 70656 c:\windows\system32\dllcache\ie4uinit.exe
    + 2007-12-24 03:44 . 2010-03-11 12:38 63488 c:\windows\system32\dllcache\icardie.dll
    - 2007-12-24 03:44 . 2010-01-05 10:00 63488 c:\windows\system32\dllcache\icardie.dll
    - 2009-06-29 16:12 . 2010-01-05 10:00 17408 c:\windows\system32\dllcache\corpol.dll
    + 2009-06-29 16:12 . 2010-03-11 12:38 17408 c:\windows\system32\dllcache\corpol.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 44544 c:\windows\ie7updates\KB980182-IE7\pngfilt.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 52224 c:\windows\ie7updates\KB980182-IE7\msfeedsbs.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 27648 c:\windows\ie7updates\KB980182-IE7\jsproxy.dll
    + 2010-04-01 07:01 . 2009-12-31 15:33 13824 c:\windows\ie7updates\KB980182-IE7\ieudinit.exe
    + 2010-04-01 07:01 . 2010-01-05 10:00 44544 c:\windows\ie7updates\KB980182-IE7\iernonce.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 78336 c:\windows\ie7updates\KB980182-IE7\ieencode.dll
    + 2010-04-01 07:01 . 2009-12-31 15:33 70656 c:\windows\ie7updates\KB980182-IE7\ie4uinit.exe
    + 2010-04-01 07:01 . 2010-01-05 10:00 63488 c:\windows\ie7updates\KB980182-IE7\icardie.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 17408 c:\windows\ie7updates\KB980182-IE7\corpol.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 233472 c:\windows\system32\webcheck.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 233472 c:\windows\system32\webcheck.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 105984 c:\windows\system32\url.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 105984 c:\windows\system32\url.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 102912 c:\windows\system32\occache.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 102912 c:\windows\system32\occache.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 671232 c:\windows\system32\mstime.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 671232 c:\windows\system32\mstime.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 193024 c:\windows\system32\msrating.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 193024 c:\windows\system32\msrating.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 477696 c:\windows\system32\mshtmled.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 477696 c:\windows\system32\mshtmled.dll
    + 2007-08-13 23:54 . 2010-03-11 12:38 459264 c:\windows\system32\msfeeds.dll
    - 2007-08-13 23:54 . 2010-01-05 10:00 459264 c:\windows\system32\msfeeds.dll
    - 2007-08-13 23:34 . 2010-01-05 10:00 268288 c:\windows\system32\iertutil.dll
    + 2007-08-13 23:34 . 2010-03-11 12:38 268288 c:\windows\system32\iertutil.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 192512 c:\windows\system32\iepeers.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 192512 c:\windows\system32\iepeers.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 385024 c:\windows\system32\iedkcs32.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 385024 c:\windows\system32\iedkcs32.dll
    - 2007-07-11 17:27 . 2010-01-05 10:00 380928 c:\windows\system32\ieapfltr.dll
    + 2007-07-11 17:27 . 2010-03-11 12:38 380928 c:\windows\system32\ieapfltr.dll
    + 2004-08-04 12:00 . 2010-02-23 05:18 161792 c:\windows\system32\ieakui.dll
    - 2004-08-04 12:00 . 2009-12-18 13:04 161792 c:\windows\system32\ieakui.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 230400 c:\windows\system32\ieaksie.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 230400 c:\windows\system32\ieaksie.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 153088 c:\windows\system32\ieakeng.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 153088 c:\windows\system32\ieakeng.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 133120 c:\windows\system32\extmgr.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 133120 c:\windows\system32\extmgr.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 214528 c:\windows\system32\dxtrans.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 214528 c:\windows\system32\dxtrans.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 347136 c:\windows\system32\dxtmsft.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 347136 c:\windows\system32\dxtmsft.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 832512 c:\windows\system32\dllcache\wininet.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 832512 c:\windows\system32\dllcache\wininet.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 233472 c:\windows\system32\dllcache\webcheck.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 233472 c:\windows\system32\dllcache\webcheck.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 105984 c:\windows\system32\dllcache\url.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 105984 c:\windows\system32\dllcache\url.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 102912 c:\windows\system32\dllcache\occache.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 102912 c:\windows\system32\dllcache\occache.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 671232 c:\windows\system32\dllcache\mstime.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 671232 c:\windows\system32\dllcache\mstime.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 193024 c:\windows\system32\dllcache\msrating.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 193024 c:\windows\system32\dllcache\msrating.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 477696 c:\windows\system32\dllcache\mshtmled.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 477696 c:\windows\system32\dllcache\mshtmled.dll
    + 2007-12-24 03:44 . 2010-03-11 12:38 459264 c:\windows\system32\dllcache\msfeeds.dll
    - 2007-12-24 03:44 . 2010-01-05 10:00 459264 c:\windows\system32\dllcache\msfeeds.dll
    - 2007-12-24 01:13 . 2009-12-18 13:05 634648 c:\windows\system32\dllcache\iexplore.exe
    + 2007-12-24 01:13 . 2010-02-23 05:20 634648 c:\windows\system32\dllcache\iexplore.exe
    + 2007-12-24 03:44 . 2010-03-11 12:38 268288 c:\windows\system32\dllcache\iertutil.dll
    - 2007-12-24 03:44 . 2010-01-05 10:00 268288 c:\windows\system32\dllcache\iertutil.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 192512 c:\windows\system32\dllcache\iepeers.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 192512 c:\windows\system32\dllcache\iepeers.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 385024 c:\windows\system32\dllcache\iedkcs32.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 385024 c:\windows\system32\dllcache\iedkcs32.dll
    - 2007-12-24 03:44 . 2010-01-05 10:00 380928 c:\windows\system32\dllcache\ieapfltr.dll
    + 2007-12-24 03:44 . 2010-03-11 12:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
    + 2004-08-04 12:00 . 2010-02-23 05:18 161792 c:\windows\system32\dllcache\ieakui.dll
    - 2004-08-04 12:00 . 2009-12-18 13:04 161792 c:\windows\system32\dllcache\ieakui.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 230400 c:\windows\system32\dllcache\ieaksie.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 230400 c:\windows\system32\dllcache\ieaksie.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 153088 c:\windows\system32\dllcache\ieakeng.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 153088 c:\windows\system32\dllcache\ieakeng.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 133120 c:\windows\system32\dllcache\extmgr.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 133120 c:\windows\system32\dllcache\extmgr.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 214528 c:\windows\system32\dllcache\dxtrans.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 214528 c:\windows\system32\dllcache\dxtrans.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 347136 c:\windows\system32\dllcache\dxtmsft.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 347136 c:\windows\system32\dllcache\dxtmsft.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 124928 c:\windows\system32\dllcache\advpack.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 124928 c:\windows\system32\dllcache\advpack.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 124928 c:\windows\system32\advpack.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 124928 c:\windows\system32\advpack.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 832512 c:\windows\ie7updates\KB980182-IE7\wininet.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 233472 c:\windows\ie7updates\KB980182-IE7\webcheck.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 105984 c:\windows\ie7updates\KB980182-IE7\url.dll
    + 2010-04-01 07:01 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB980182-IE7\spuninst\updspapi.dll
    + 2010-04-01 07:01 . 2009-05-26 11:40 231288 c:\windows\ie7updates\KB980182-IE7\spuninst\spuninst.exe
    + 2010-04-01 07:01 . 2010-01-05 10:00 102912 c:\windows\ie7updates\KB980182-IE7\occache.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 671232 c:\windows\ie7updates\KB980182-IE7\mstime.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 193024 c:\windows\ie7updates\KB980182-IE7\msrating.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 477696 c:\windows\ie7updates\KB980182-IE7\mshtmled.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 459264 c:\windows\ie7updates\KB980182-IE7\msfeeds.dll
    + 2010-04-01 07:01 . 2009-12-18 13:05 634648 c:\windows\ie7updates\KB980182-IE7\iexplore.exe
    + 2010-04-01 07:01 . 2010-01-05 10:00 268288 c:\windows\ie7updates\KB980182-IE7\iertutil.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 192512 c:\windows\ie7updates\KB980182-IE7\iepeers.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 385024 c:\windows\ie7updates\KB980182-IE7\iedkcs32.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 380928 c:\windows\ie7updates\KB980182-IE7\ieapfltr.dll
    + 2010-04-01 07:01 . 2009-12-18 13:04 161792 c:\windows\ie7updates\KB980182-IE7\ieakui.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 230400 c:\windows\ie7updates\KB980182-IE7\ieaksie.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 153088 c:\windows\ie7updates\KB980182-IE7\ieakeng.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 133120 c:\windows\ie7updates\KB980182-IE7\extmgr.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 214528 c:\windows\ie7updates\KB980182-IE7\dxtrans.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 347136 c:\windows\ie7updates\KB980182-IE7\dxtmsft.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 124928 c:\windows\ie7updates\KB980182-IE7\advpack.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 1168384 c:\windows\system32\urlmon.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 1168384 c:\windows\system32\urlmon.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 3599872 c:\windows\system32\mshtml.dll
    + 2007-08-13 23:54 . 2010-03-11 12:38 6067200 c:\windows\system32\ieframe.dll
    - 2007-08-13 23:54 . 2010-01-05 10:00 6067200 c:\windows\system32\ieframe.dll
    - 2004-08-04 12:00 . 2010-01-05 10:00 1168384 c:\windows\system32\dllcache\urlmon.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 1168384 c:\windows\system32\dllcache\urlmon.dll
    + 2004-08-04 12:00 . 2010-03-11 12:38 3599872 c:\windows\system32\dllcache\mshtml.dll
    - 2007-12-24 03:44 . 2010-01-05 10:00 6067200 c:\windows\system32\dllcache\ieframe.dll
    + 2007-12-24 03:44 . 2010-03-11 12:38 6067200 c:\windows\system32\dllcache\ieframe.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 1168384 c:\windows\ie7updates\KB980182-IE7\urlmon.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 3599360 c:\windows\ie7updates\KB980182-IE7\mshtml.dll
    + 2010-04-01 07:01 . 2010-01-05 10:00 6067200 c:\windows\ie7updates\KB980182-IE7\ieframe.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "nwiz"="nwiz.exe" [2007-12-05 1626112]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-31 136600]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

    c:\documents and settings\Stephen\Start Menu\Programs\Startup\
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
    OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

    c:\documents and settings\Larry\Start Menu\Programs\Startup\
    OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:Remote Desktop

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: ashencrod.org\www
    DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://www.ashencrod.org/controls/LTOCX14N.cab
    DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - hxxp://www.ashencrod.org/controls/prntpro2.CAB
    FF - ProfilePath - c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\4writlvw.default\
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-01 23:24
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(656)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-04-01 23:29:30
    ComboFix-quarantined-files.txt 2010-04-02 03:29
    ComboFix2.txt 2010-04-01 03:47

    Pre-Run: 49,719,341,056 bytes free
    Post-Run: 49,680,461,824 bytes free

    - - End Of File - - F52867059AA7B52937592A1CD2315031
    Upload was successful


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:32:02 PM, on 4/1/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.ashencrod.org
    O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.ashencrod.org/controls/LTOCX14N.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198460261062
    O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.ashencrod.org/controls/prntpro2.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    --
    End of file - 6132 bytes
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,889
    First Name:
    Karen
    Yes, using the script and you did it correctly. :)

    I'm attaching a Fixit.zip file to this post. Save it to your desktop. Then unzip it and double-click the Fixit.reg file it contains and allow it to merge into the registry. This will close an open port that was used by the malware and although the infection has been neutralized, the port remains open.

    After you've done that, please do the following:

    Go to Start - Run, then copy and paste the following command and hit Enter.

    "%userprofile%\desktop\helpasst_mebroot_fix.exe" -mbrt

    A log will open when it completes. Please post its contents here.
     

    Attached Files:
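    The Fixit.reg attachment itself is not reproduced on the page, but the mechanism Cookiegal describes is: a .reg file merged into HKLM\...\SharedAccess\Parameters\FirewallPolicy\<Profile>\GloballyOpenPorts\List deletes the value that holds a port open in the XP firewall, using the `"port:proto"=-` deletion syntax that the HelpAsst_mebroot_fix log in the next post also shows. The following Python is an added example, not the contents of Fixit.reg or of the fix tool: it parses a `reg export` of the two firewall profiles, flags every open port that is not on an allow-list (or whose data does not match its own value name), and emits the .reg file that would close them. The registry text, the rule descriptions ("mscfg", "svc"), the 139:TCP entry and the Messenger rule are constructed for the demo; only the port numbers come from the thread's log.

```python
import re
from typing import Dict, List, Set

# Constructed sample of a `reg export` of the two Windows XP firewall profiles.
# The port numbers are the ones the HelpAsst_mebroot_fix log closed; the rule
# descriptions, the 139:TCP entry and the Messenger rule are made up for the demo.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"65533:TCP"="65533:TCP:*:Enabled:mscfg"
"52344:TCP"="52344:TCP:*:Enabled:svc"
"7365:TCP"="7365:TCP:*:Enabled:svc"
"7366:TCP"="7366:TCP:*:Enabled:svc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"139:TCP"="1039:TCP:*:Enabled:NetBIOS Session Service"
"65533:TCP"="65533:TCP:*:Enabled:mscfg"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"""

# Only the GloballyOpenPorts\List key of each profile is of interest here.
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\.*\\FirewallPolicy\\\w+Profile\\GloballyOpenPorts\\List)\]$", re.I)
# Value name is "port:proto", value data is "port:proto:scope:Enabled|Disabled:description".
VAL_RE = re.compile(r'^"(?P<name>\d+:(?:TCP|UDP))"="(?P<data>[^"]*)"$', re.I)


def parse_open_ports(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Map each GloballyOpenPorts\\List key path to {value name: value data}."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        if line.startswith("["):          # any other key ends the current list
            current = None
            continue
        val = VAL_RE.match(line)
        if current and val:
            entries[current][val.group("name").upper()] = val.group("data")
    return entries


def find_rogue(entries: Dict[str, Dict[str, str]], allow: Set[str]) -> Dict[str, List[str]]:
    """Values to delete per key: every port outside the allow-list, plus any value
    whose data does not begin with its own name. The firewall writes the name and
    the data prefix identically, so a mismatch is a hand-written entry and is
    flagged even when the port is allowed."""
    allow = {a.upper() for a in allow}
    rogue: Dict[str, List[str]] = {}
    for key, values in entries.items():
        bad = [name for name, data in values.items()
               if name not in allow or not data.upper().startswith(name + ":")]
        if bad:
            rogue[key] = sorted(bad, key=lambda n: int(n.split(":")[0]))
    return rogue


def make_fix_reg(rogue: Dict[str, List[str]]) -> str:
    """Emit a .reg file; a `"name"=-` line deletes that value when the file is merged."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in rogue.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_REG)
    # Allow-listing 3389 is a policy choice; pass an empty set to close everything.
    print(make_fix_reg(find_rogue(found, allow={"3389:TCP"})))
```

The allow-list is the policy decision. In this thread the fix log removed 3389:TCP together with the four high ports, and the second status check shows the lists empty again after Fixit.reg, which is the right outcome when the HelpAssistant account that Remote Desktop would have served was the backdoor. Merging the generated file needs an administrative account, and the XP firewall picks the change up without a restart.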

  9. itmeman

    itmeman Thread Starter

    Joined:
    Jun 27, 2007
    Messages:
    91
    C:\Documents and Settings\Larry\Desktop\HelpAsst_mebroot_fix.exe
    Wed 03/31/2010 at 20:30:40.03

    HelpAssistant account was found to be Active ~ attempting to de-activate

    Full Name Remote Desktop Help Assistant Account
    Account active Yes
    Local Group Memberships *Administrators

    HelpAssistant successfully set Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present! ~ attempting to remove
    Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

    ~~ Checking firewall ports ~~

    backing up DomainProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "7365:TCP"=-
    "7366:TCP"=-
    "3389:TCP"=-

    backing up StandardProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "7365:TCP"=-
    "7366:TCP"=-
    "3389:TCP"=-

    HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1614895754-1078145449-1417001333-1000
    HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
    ~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

    ~~ Checking mbr ~~

    mbr infection detected! ~ running mbr -f

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\atapi -> 0xffaa50b8
    NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0xff91f330
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x094FE9BD
    malicious code @ sector 0x094FE9C0 !
    PE file found in sector at 0x094FE9D6 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
    original MBR restored successfully !

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\atapi -> 0xffaa50b8
    NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0xff91f330
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK
    copy of MBR has been found in sector 0x094FE9BD
    malicious code @ sector 0x094FE9C0 !
    PE file found in sector at 0x094FE9D6 !
    Use "Recovery Console" command "fixmbr" to clear infection !
    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Wed 03/31/2010 at 20:51:41.90

    Full Name Remote Desktop Help Assistant Account
    Account active No
    Local Group Memberships

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x094FE9BD
    malicious code @ sector 0x094FE9C0 !
    PE file found in sector at 0x094FE9D6 !

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in List

    ~~ Checking for HelpAssistant directories ~~

    none found

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


    ~~ EOF ~~

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Fri 04/02/2010 at 19:23:41.26

    Full Name Remote Desktop Help Assistant Account
    Account active No
    Local Group Memberships

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x094FE9BD
    malicious code @ sector 0x094FE9C0 !
    PE file found in sector at 0x094FE9D6 !

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in List

    ~~ Checking for HelpAssistant directories ~~

    none found

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    ~~ EOF ~~
     
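    The GMER mbr.exe output in the log above reports a copy of the MBR, malicious code and a PE file in sectors far beyond the partitions (0x094FE9BD onward), which is the Mebroot/Sinowal layout: the infected sector 0 keeps the partition table but replaces the boot code, and the original MBR plus the payload are stored in unpartitioned space after the last partition. The following Python is an added example, not GMER's code or the HelpAsst tool: it reads the partition table of a constructed disk image, scans the sectors after the last partition for a sector carrying the same partition table (the MBR backup), for PE headers and for other non-zero sectors, and performs the `mbr -f` style repair of copying the backed-up boot code over sector 0 while keeping the live partition table. The image, the boot-code bytes and the sector numbers are all constructed for the demo; reading a real disk (`\\.\PhysicalDrive0`) is not attempted.

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"


def partition_table(sector: bytes) -> bytes:
    """The 64-byte partition table of an MBR-format sector."""
    return sector[446:510]


def partition_end_lba(mbr: bytes) -> int:
    """First LBA after the highest primary partition (1 if the table is empty)."""
    end = 1
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        start, size = struct.unpack_from("<II", mbr, off + 8)
        if ptype and size:
            end = max(end, start + size)
    return end


def is_pe_file(image: bytes, lba: int) -> bool:
    """True if the sector at lba starts a PE image (MZ stub whose e_lfanew points at PE\\0\\0)."""
    base = lba * SECTOR
    if image[base:base + 2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, base + 0x3C)[0]
    return image[base + e_lfanew:base + e_lfanew + 4] == b"PE\x00\x00"


def scan_slack(image: bytes) -> dict:
    """Classify every sector after the last partition, the way a Mebroot check does."""
    active = image[:SECTOR]
    found = {"mbr_copies": [], "pe_files": [], "code_sectors": [], "active_mbr_modified": False}
    for lba in range(partition_end_lba(active), len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[510:] == MBR_SIG and partition_table(sec) == partition_table(active):
            found["mbr_copies"].append(lba)          # a hidden backup of the MBR
            if sec[:446] != active[:446]:            # live boot code no longer matches it
                found["active_mbr_modified"] = True
        elif is_pe_file(image, lba):
            found["pe_files"].append(lba)
        elif any(sec):
            found["code_sectors"].append(lba)        # non-zero data where nothing should live
    return found


def restore_mbr(image: bytes, copy_lba: int) -> bytes:
    """Put the backed-up boot code back into sector 0, keeping the live partition table."""
    copy = image[copy_lba * SECTOR:(copy_lba + 1) * SECTOR]
    live = image[:SECTOR]
    return copy[:446] + partition_table(live) + MBR_SIG + image[SECTOR:]


def build_demo_image() -> bytes:
    """Constructed 128-sector image: one partition at LBA 63..102, rootkit artefacts at 110..113."""
    clean_code = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 441   # stand-in for the clean boot code
    hooked_code = b"\xEB\xFE" + b"\xCC" * 444               # stand-in for the rootkit loader
    table = bytearray(64)
    struct.pack_into("<BBBBBBBBII", table, 0,
                     0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 40)  # bootable, type 7, 40 sectors
    sectors = [bytearray(SECTOR) for _ in range(128)]
    sectors[0][:] = hooked_code + bytes(table) + MBR_SIG       # infected MBR, table untouched
    sectors[110][:] = clean_code + bytes(table) + MBR_SIG      # hidden copy of the original MBR
    sectors[111][:] = b"\x60\x1E\x06" + b"\x90" * 509          # payload loader code
    sectors[112][:] = b"\xAB" * SECTOR
    pe = bytearray(SECTOR)                                     # minimal MZ/PE header
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = b"PE\x00\x00"
    sectors[113][:] = pe
    return b"".join(sectors)


if __name__ == "__main__":
    img = build_demo_image()
    print("before fix:", scan_slack(img))
    print("after fix: ", scan_slack(restore_mbr(img, 110)))
```

After the restore the backup copy and the payload sectors are still present, so a rescan still reports them while the active MBR is clean. That is consistent with the status checks in the log, which show "user & kernel MBR OK" together with "copy of MBR has been found". The check on the partition table is what distinguishes an MBR backup from a random sector that happens to end in 55AA.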
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,889
    First Name:
    Karen
    OK, that's good.

    Please update MalwareBytes and run a full scan and post that log.
     
  11. itmeman

    itmeman Thread Starter

    Joined:
    Jun 27, 2007
    Messages:
    91
    Speaking of Malwarebytes, I've tried to run it and it pops up a dialogue box that says "An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team. Error code: 703 (0, 453)."
    And if I try to delete it from my computer it pops up "Runtime Error (at -1:0): Cannot Import dll: C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll."
    ... so I can not run it or try to delete and reinstall. Any suggestions?
    Thanks :)
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,889
    First Name:
    Karen
    Try one more time to remove it via the Control Panel.

    Then even if you get error messages, restart your computer.

    Then download and run this MBAM removal tool:

    http://www.malwarebytes.org/mbam-clean.exe

    It will ask to restart the computer so please allow it.

    Once that's completed try downloading Malwarebytes again:

    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
  13. itmeman

    itmeman Thread Starter

    Joined:
    Jun 27, 2007
    Messages:
    91
    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3958

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    4/5/2010 8:55:47 PM
    mbam-log-2010-04-05 (20-55-47).txt

    Scan type: Quick scan
    Objects scanned: 115664
    Time elapsed: 13 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,889
    First Name:
    Karen
    Please do an online scan with Kaspersky WebScanner

    Kaspersky online scanner uses Java technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

    JRE 6 Update 18

    Instructions for Kaspersky scan:

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure the following is checked.
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.
     
  15. itmeman

    itmeman Thread Starter

    Joined:
    Jun 27, 2007
    Messages:
    91
    The Kaspersky report didn't show anything. The report was just a blank screen after it finished; it didn't show any infected items... it didn't show anything for that matter. Does that sound normal? I clicked on report and waited... nothing happened, then I tried "Report" on the left hand pane and nothing happened.
    Thanks
     
Short URL to this thread: https://techguy.org/913790