Problem.
Even when I went into SAFEMODE, which wouldn't load right to begin with, I couldn't delete index.net. So I downloaded Spybot Search and Destroy and used its "Secure Shredder" just to delete index.net. I shredded index.net 10 times and as soon as I reopen the cookies folder it is right back in there. That's one persistent file!
Now what ? Is it supposed to just reload as some type of "system" file or could it be a virus ?
Tumbleweedracef 44 Posting Pro in Training
Also, I tried to use HijackThis to remove the programs you listed above. They were nowhere on my computer so I tried to delete the entries in HijackThis and HijackThis can't delete them. I selected "DELETE THIS ENTRY" but they won't disappear. Any suggestions?
I'm sorry that nothing seems to be working on my end!
jholland1964 650 Posting Expert Team Colleague Featured Poster
Look, this is totally ridiculous. You now have done two things I didn't request, download another program and install it and run it and also used HiJackthis, incorrectly, to do a fix that I did not tell you to do.
I am telling you right now ONCE, if you keep taking steps that I don't tell you to do then I am out of here. You can go elsewhere for help or take this computer to a shop and pay to have it fixed.
This computer is supposed to be OFFLINE, no programs should be installed on it unless I tell you to do so.
As I try to delete the file "index.dat", it won't let me. There is a warning/popup that keeps saying....
The action can't be completed because the file is open in another program
Close the file and try again.
Leave it alone. It is NOT a virus.
Now did you uninstall combofix as I told you to do?
Tumbleweedracef 44 Posting Pro in Training
Sorry. The only place that those programs showed up was in HijackThis so I tried to use that to delete them as you requested. I didn't go ONLINE to download Spybot, because I have it on a flash drive. I'm not plugging the internet cable in until you tell me to!
Thank you for working with me! Just let me know if ya want me to uninstall Spybot.
Please bear with me through this, thanks.
And, before you told me how to uninstall Combo fix, I had deleted it. When I tried to do as you requested, it didn't work. It wasn't in my Recycle Bin because we ran Ccleaner and that removed everything, I'm sorry.
What's next?
Tumbleweedracef 44 Posting Pro in Training
Happy Thanksgiving, Judy!!!
jholland1964 650 Posting Expert Team Colleague Featured Poster
The only place that those programs showed up was in HijackThis so I tried to use that to delete them as you requested.
Which programs exactly?
Tumbleweedracef 44 Posting Pro in Training
These are the programs that ONLY showed up in the HijackThis list of installed programs. The 3 "green colored" programs were actually in my Uninstall list on the computer and have been uninstalled.
Authentium AntiVirus SDK - 2
avast! Free Antivirus
ESET Online Scanner v3
Eusing Free Registry Cleaner
RPS Ad Blocker
RPS AntiFraud
RPS AntiSpyware
RPS AntiVirus
RPS App Detector
RPS AsRealtime
RPS Backup
RPS Burn
RPS Diagnostic Utility
RPS Firewall
RPS ParentalControl
RPS Performance Tool
RPS PopupBlocker
RPS Privacy Manager
RPS RpsCore
RPS Security Cleanup
RPS Zip
jholland1964 650 Posting Expert Team Colleague Featured Poster
Thanks for the reply. From what I have found the Authentium AntiVirus program is often installed when users install software from their ISP and I have also found that it could be that the RPS Antivirus (and RPS stands for RadialPoint Software) is really Authentium and therefore may be why you couldn't find it anywhere after you removed the Authentium.
So I would say on that let's assume that it is gone. If we find it later we will deal with it. But here is your next step. Read everything VERY carefully, follow each and every step EXACTLY.
I want you to run Combofix. You are going to have to download the file to your flash drive and take it to the infected computer. It must be put ON TO the infected computer, it cannot run from the flash drive and you must put it ON the desktop.
Please download ComboFix by sUBs from
http://www.bleepingcomputer.com/download/anti-virus/combofix
Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.
• You must download it to and run it from your Desktop
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts, though you can ignore the part of instructions about creating a restore partition because this involves using the internet so just say no when it wants to do this. You may receive some sort of warning about not doing this but just say no and continue.
• When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
• Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
Run Combofix ONCE only!!
Tumbleweedracef 44 Posting Pro in Training
I will do all this when I get home this evening, thanks !
jholland1964 650 Posting Expert Team Colleague Featured Poster
Good enough! Enjoy your turkey dinner!
Tumbleweedracef 44 Posting Pro in Training
I got a warning as Combo Fix began scanning that said......
WARNING !! THE MASTER BOOT RECORD IS INFECTED !! MAKE SURE YOUR ANTIVIRUS PROGRAMS ARE DISABLED BEFORE CLICKING "OK"
I don't even have any antivirus programs on this computer......proceed ?
jholland1964 650 Posting Expert Team Colleague Featured Poster
No, you need to wait. I will have somebody else look at this too. Just turn off the computer and keep checking back on the other one. Not sure when somebody else can take a look since it's a holiday but we WILL get back with you ASAP.
Tumbleweedracef 44 Posting Pro in Training
Ok, I just left it with the warning popped up and now I will just turn it off. Thanks and I will wait for your next reply.
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Download MBRCheck to your desktop
Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
====
There is no excuse for not installing an anti-virus program. There are many free ones out there, so I suggest you get yourself one.
If you choose not to do so, then you may find that we will choose not to help. Why?
Because why should we waste our time cleaning a PC that is only going to get infected the minute we have finished?
jholland1964 650 Posting Expert Team Colleague Featured Poster
Crunchie, computer has no av program on it because poster was running parts of three av programs. I had him disconnect the computer and uninstall all av programs. He is running these programs via flash drive with the infected computer disconnected from the internet. I told him to do this since he was having so many problems. Told him I would tell him when to connect, which would be after an av program would be installed via the flash drive.
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
I take it back then :). Too many pages here to read through. My bad.
Tumbleweedracef 44 Posting Pro in Training
WOW.......chewed out twice in one day......LOL
Here is the MBR report that was requested :
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: ELITEGROUP
BIOS Manufacturer: 945GCT-M3
System Manufacturer: Gateway
System Product Name: W3653
Logical Drives Mask: 0x000101fc
Kernel Drivers (total 149):
0x8283B000 \SystemRoot\system32\ntkrnlpa.exe
0x82808000 \SystemRoot\system32\hal.dll
0x86BAD000 \SystemRoot\system32\kdcom.dll
0x80605000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80675000 \SystemRoot\system32\PSHED.dll
0x80686000 \SystemRoot\system32\BOOTVID.dll
0x8068E000 \SystemRoot\system32\CLFS.SYS
0x806CF000 \SystemRoot\system32\CI.dll
0x82E07000 \SystemRoot\system32\drivers\Wdf01000.sys
0x82E83000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x82E90000 \SystemRoot\system32\drivers\acpi.sys
0x82ED6000 \SystemRoot\system32\drivers\WMILIB.SYS
0x82EDF000 \SystemRoot\system32\drivers\msisadrv.sys
0x82EE7000 \SystemRoot\system32\drivers\pci.sys
0x82F0E000 \SystemRoot\System32\drivers\partmgr.sys
0x82F1D000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x82F20000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x82F2A000 \SystemRoot\system32\drivers\volmgr.sys
0x82F39000 \SystemRoot\System32\drivers\volmgrx.sys
0x82F83000 \SystemRoot\system32\drivers\intelide.sys
0x82F8A000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x82F98000 \SystemRoot\system32\DRIVERS\pciide.sys
0x82F9F000 \SystemRoot\System32\drivers\mountmgr.sys
0x82FAF000 \SystemRoot\system32\drivers\atapi.sys
0x82FB7000 \SystemRoot\system32\drivers\ataport.SYS
0x807AF000 \SystemRoot\system32\drivers\fltmgr.sys
0x82FD5000 \SystemRoot\system32\drivers\fileinfo.sys
0x8300C000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8307D000 \SystemRoot\System32\Drivers\DefragFS.sys
0x83090000 \SystemRoot\system32\drivers\ndis.sys
0x8319B000 \SystemRoot\system32\drivers\msrpc.sys
0x83206000 \SystemRoot\system32\drivers\NETIO.SYS
0x83241000 \SystemRoot\System32\drivers\tcpip.sys
0x8332B000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x86C0F000 \SystemRoot\System32\Drivers\Ntfs.sys
0x86D1F000 \SystemRoot\system32\drivers\volsnap.sys
0x86D58000 \SystemRoot\System32\Drivers\spldr.sys
0x86D60000 \SystemRoot\System32\Drivers\mup.sys
0x86D6F000 \SystemRoot\System32\drivers\ecache.sys
0x86D96000 \SystemRoot\system32\drivers\disk.sys
0x86DA7000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x86DC8000 \SystemRoot\system32\drivers\crcdisk.sys
0x86DF1000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x86C00000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x83346000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8AA06000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8B00A000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8B0AB000 \SystemRoot\System32\drivers\watchdog.sys
0x8B0B7000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8B144000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8B14F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8B18D000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8B19C000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0x83355000 \SystemRoot\system32\DRIVERS\ks.sys
0x8A601000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x8A704000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x8A7B8000 \SystemRoot\system32\drivers\modem.sys
0x8A7C5000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0x8A7D5000 \SystemRoot\system32\DRIVERS\serial.sys
0x8A7EF000 \SystemRoot\system32\DRIVERS\serenum.sys
0x8B1E6000 \SystemRoot\system32\DRIVERS\parport.sys
0x8337F000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x83392000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8339D000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x833A8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x833C0000 \SystemRoot\system32\DRIVERS\serscan.sys
0x833C8000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8B208000 \SystemRoot\system32\DRIVERS\storport.sys
0x8B249000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8B254000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8B26B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8B276000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8B299000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8B2A8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8B2BC000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8B2D1000 \SystemRoot\system32\DRIVERS\rp_skt32.sys
0x8B2DD000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8B2ED000 \SystemRoot\system32\DRIVERS\rp_pkt32.sys
0x8B2FB000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8B2FD000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8B307000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8B314000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8B349000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8B604000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8B7B3000 \SystemRoot\system32\drivers\portcls.sys
0x8B35A000 \SystemRoot\system32\drivers\drmk.sys
0x8B7E0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8B7E9000 \SystemRoot\System32\Drivers\Null.SYS
0x8B7F0000 \SystemRoot\System32\Drivers\Beep.SYS
0x8B37F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8B386000 \SystemRoot\System32\drivers\vga.sys
0x8B392000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8B7F7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8B3B3000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8B3BB000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8B3C6000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8B3D4000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8B3DD000 \SystemRoot\system32\DRIVERS\tdx.sys
0x831C6000 \SystemRoot\system32\DRIVERS\smb.sys
0x8B803000 \SystemRoot\system32\drivers\afd.sys
0x8B84B000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8B87D000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8B893000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8B8A1000 \SystemRoot\System32\Drivers\StarOpen.SYS
0x8B8A7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8B8BA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8B8F6000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8B900000 \SystemRoot\System32\Drivers\dfsc.sys
0x8B917000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x8B92C000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8B92E000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8B93B000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8B946000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x94620000 \SystemRoot\System32\win32k.sys
0x8B94E000 \SystemRoot\System32\drivers\Dxapi.sys
0x8B958000 \SystemRoot\system32\DRIVERS\monitor.sys
0x94840000 \SystemRoot\System32\TSDDD.dll
0x94860000 \SystemRoot\System32\cdd.dll
0x8B967000 \SystemRoot\system32\drivers\luafv.sys
0x8B982000 \SystemRoot\system32\DRIVERS\Sftvollh.sys
0x82203000 \SystemRoot\system32\drivers\spsys.sys
0x822B3000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x822C3000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x822ED000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x822F7000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x8230A000 \SystemRoot\system32\drivers\HTTP.sys
0x82377000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x82394000 \SystemRoot\system32\DRIVERS\bowser.sys
0x823AD000 \SystemRoot\System32\drivers\mpsdrv.sys
0x823C2000 \SystemRoot\system32\drivers\mrxdav.sys
0x8B98B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8B9AA000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x823E3000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xA7A03000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA7A2B000 \SystemRoot\System32\DRIVERS\srv.sys
0xA7A79000 \SystemRoot\system32\DRIVERS\parvdm.sys
0xA7A80000 \SystemRoot\system32\DRIVERS\css-dvp.sys
0xA7B4C000 \SystemRoot\System32\Drivers\fastfat.SYS
0xA7B74000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA7C07000 \SystemRoot\system32\drivers\peauth.sys
0xA7CE5000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA7CEF000 \SystemRoot\system32\DRIVERS\Sftfslh.sys
0xA7D7B000 \SystemRoot\system32\DRIVERS\Sftplaylh.sys
0xA7DB1000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA7DBD000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xA7DD2000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0xA7DE4000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xA7B78000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77160000 \Windows\System32\ntdll.dll
Processes (total 42):
0 System Idle Process
4 System
448 C:\Windows\System32\smss.exe
580 csrss.exe
624 C:\Windows\System32\wininit.exe
636 csrss.exe
668 C:\Windows\System32\services.exe
684 C:\Windows\System32\lsass.exe
692 C:\Windows\System32\lsm.exe
732 C:\Windows\System32\winlogon.exe
876 C:\Windows\System32\svchost.exe
936 C:\Windows\System32\svchost.exe
1008 C:\Windows\System32\svchost.exe
1072 C:\Windows\System32\svchost.exe
1128 C:\Windows\System32\svchost.exe
1196 C:\Windows\System32\audiodg.exe
1220 C:\Windows\System32\svchost.exe
1240 C:\Windows\System32\SLsvc.exe
1268 C:\Windows\System32\svchost.exe
1468 C:\Windows\System32\svchost.exe
1656 C:\Windows\System32\spoolsv.exe
1680 C:\Windows\System32\svchost.exe
2020 C:\Windows\System32\svchost.exe
1112 C:\Windows\System32\svchost.exe
1456 C:\Windows\System32\svchost.exe
1720 C:\Windows\System32\SearchIndexer.exe
2104 WUDFHost.exe
2168 C:\Windows\System32\drivers\XAudio.exe
2584 C:\Windows\System32\taskeng.exe
2620 C:\Windows\System32\dwm.exe
2664 C:\Windows\explorer.exe
2748 C:\Windows\System32\taskeng.exe
2940 C:\Windows\System32\hkcmd.exe
2948 C:\Windows\RtHDVCpl.exe
3068 C:\Windows\System32\igfxsrvc.exe
2916 C:\Windows\System32\SearchProtocolHost.exe
2536 C:\Windows\System32\SearchFilterHost.exe
3388 WmiPrvSE.exe
3512 C:\Users\mae\Desktop\MBRCheck.exe
1904 C:\Windows\System32\wbem\WMIADAP.exe
1968 C:\Windows\servicing\TrustedInstaller.exe
1544 WmiPrvSE.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`b3c38600 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\Q: --> error 5
PhysicalDrive0 Model Number: WDCWD3200AAJS-22B4A0, Rev: 01.03A01
Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
Done!
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Looks ok to me. Go ahead and run Combofix and ignore the message re AV.
Tumbleweedracef 44 Posting Pro in Training
Here is the ComboFix report:
ComboFix 10-11-24.04 - mae 11/26/2010 0:57.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1015.232 [GMT -6:00]
Running from: c:\users\mae\Desktop\ComboFix.exe
AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: AT&T Internet Security Suite AT&T Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
SP: AT&T Internet Security Suite AT&T Anti-Spyware *disabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\UNWISE.EXE
c:\users\mae\AppData\Roaming\Bitrix Security
c:\users\mae\AppData\Roaming\Bitrix Security\ibo
c:\users\mae\AppData\Roaming\Bitrix Security\zyljxdtp30_shrd
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.sys
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.tmp
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\CLSV.drv
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.drv
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.sys
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\energy.exe
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\exec.exe
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\exec.tmp
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\fan.sys
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\fix.exe
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\FS.drv
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\FS.sys
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\FW.sys
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\pal.dll
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\pal.exe
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\PE.exe
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.tmp
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\snl2w.exe
c:\users\mae\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
c:\windows\system32\certstore.dat
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
.
2010-11-26 07:05 . 2010-11-26 07:05 -------- d-----w- c:\users\mae\AppData\Local\temp
2010-11-26 07:05 . 2010-11-26 07:05 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-11-26 07:05 . 2010-11-26 07:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-24 03:18 . 2010-11-24 03:18 -------- d-----w- c:\program files\VS Revo Group
2010-11-23 20:51 . 2010-11-23 20:51 388096 ----a-r- c:\users\mae\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-23 06:06 . 2010-11-23 06:06 -------- d-----w- c:\program files\Trend Micro
2010-11-22 07:24 . 2010-11-22 07:24 -------- d-----w- c:\program files\AusLogics Disk Defrag
2010-11-22 07:22 . 2010-11-23 03:13 -------- d-----w- c:\program files\SpywareBlaster
2010-11-22 07:21 . 2010-11-22 07:21 -------- d-----w- c:\program files\Alwil Software
2010-11-22 07:12 . 2010-11-24 17:11 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-11-22 05:39 . 2010-11-22 05:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-22 04:15 . 2010-11-25 00:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-22 04:14 . 2010-11-22 04:14 -------- d-----w- c:\program files\CCleaner
2010-11-17 18:21 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{27908A16-217C-4784-B895-4E2FF8FC0214}\mpengine.dll
2010-11-10 15:31 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-10-27 15:46 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-27 15:46 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 15:46 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 16:41 . 2009-10-02 19:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56 . 2010-10-14 19:49 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 19:48 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 19:48 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 19:48 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 19:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 19:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 19:48 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 19:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 19:48 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 19:49 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 19:49 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 19:49 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 19:49 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 19:49 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 17:13 . 2010-08-31 17:13 1409 ----a-w- c:\windows\QTFont.for
2010-08-31 15:46 . 2010-10-14 19:47 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-14 19:47 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-14 19:47 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-14 19:47 2038272 ----a-w- c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-05 154392]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-23 4435968]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Users^mae^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-06-05 11:52 142104 ----a-w- c:\windows\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-06-05 11:52 138008 ----a-w- c:\windows\System32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 cvhsvc;Client Virtualization Handler; [x]
R2 gupdate;Google Update Service (gupdate); [x]
R2 sftlist;Application Virtualization Client; [x]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 osppsvc;Office Software Protection Platform; [x]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-04-24 21864]
R3 sftvsa;Application Virtualization Service Agent; [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 Radialpoint Security Services;AT&T Internet Security Suite;c:\windows\system32\dllhost.exe [2006-11-02 7168]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-04-24 550760]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-04-24 195944]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-04-24 19304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-11-26 c:\windows\Tasks\User_Feed_Synchronization-{F569103E-64CE-4455-B63B-99F0E34992CA}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to AMV Converter...
IE: Add to Video Converter...
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{F1B70300-311C-480A-A915-9A4295772B2D} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-Oryte_Games_1.11 Toolbar - c:\progra~1\UNWISE.EXE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-26 01:06
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-11-26 01:07:58
ComboFix-quarantined-files.txt 2010-11-26 07:07
Pre-Run: 228,156,243,968 bytes free
Post-Run: 227,442,524,160 bytes free
- - End Of File - - 3AEFDB874FC2822B6FD7CDF7CDAD7522
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
1. Please open Notepad: click Start, then Run.
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000000
"AntiSpywareOverride"=dword:00000000
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Save the above as CFScript.txt
4. Physically disconnect from the internet.
5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix: Combofix.txt
Please take note:
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
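The first ComboFix log's "Reg Loading Points" section showed every Security Center monitoring flag and override set to 1, which is what silences the "no antivirus / firewall" alerts, and the CFScript above resets them to 0 and relocks the AllUserSettings keys. The following Python is an added example, not code from ComboFix or from anyone in this thread: it parses a REGEDIT4-style dump such as the one ComboFix prints, flags any Security Center value that is set to suppress alerts, and emits a Registry:: block in the same form crunchie used. The regexes, the value list (including FirewallOverride, which the thread's log did not show) and the sample dump are assumptions; the sample lines are constructed to mirror the entries in the posted report.

```python
"""Flag Security Center tampering in a ComboFix 'Reg Loading Points' dump.

Added example, not code from ComboFix or from anyone in the thread. The
parsing approach (regexes over the REGEDIT4-style dump) and the sample log
below are assumptions; the sample lines are constructed to mirror the
entries seen in the first ComboFix report.
"""
import re

# Registry subtree whose values control Security Center alerting on Vista.
SECURITY_CENTER_PREFIX = r"hkey_local_machine\software\microsoft\security center"

# Values that, when non-zero, silence AV/antispyware/firewall warnings.
SUSPECT_VALUES = {
    "DisableMonitoring",
    "AntiVirusOverride",
    "AntiSpywareOverride",
    "FirewallOverride",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Constructed excerpt modelled on the 'Reg Loading Points' section of the log.
SAMPLE_DUMP = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-05 154392]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"FirewallOverride"=dword:00000000
"""


def parse_registry_dump(lines):
    """Yield (key, value_name, int_value) for each dword value under a [key] header."""
    current_key = None
    for raw in lines:
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = DWORD_RE.match(line)
        if value_match and current_key is not None:
            yield current_key, value_match.group("name"), int(value_match.group("hex"), 16)


def find_security_center_tampering(lines):
    """Return [(key, name, value)] for Security Center values set to suppress alerts."""
    findings = []
    for key, name, value in parse_registry_dump(lines):
        if (key.lower().startswith(SECURITY_CENTER_PREFIX)
                and name in SUSPECT_VALUES and value != 0):
            findings.append((key, name, value))
    return findings


def remediation_script(findings):
    """Build a ComboFix 'Registry::' block resetting each flagged value to 0.

    Same form as the CFScript posted above; this is generated text only, it
    touches no registry itself.
    """
    if not findings:
        return ""
    by_key = {}
    for key, name, _ in findings:
        by_key.setdefault(key, []).append(name)
    out = ["Registry::"]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{name}"=dword:00000000' for name in names)
    return "\n".join(out)


if __name__ == "__main__":
    hits = find_security_center_tampering(SAMPLE_DUMP.splitlines())
    for key, name, value in hits:
        print(f"TAMPERED  {key}\\{name} = {value}")
    print()
    print(remediation_script(hits))
```

Run it against the "Reg Loading Points" section of a ComboFix.txt to get the list of flagged entries and a Registry:: block you can review before pasting it into a CFScript; a value of 0 (as FirewallOverride is in the sample) is left alone, and a dump with no tampering yields an empty script.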
Tumbleweedracef 44 Posting Pro in Training
Here are the results from Combo Fix:
ComboFix 10-11-24.04 - mae 11/26/2010 9:40.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1015.393 [GMT -6:00]
Running from: c:\users\mae\Desktop\ComboFix.exe
Command switches used :: c:\users\mae\Desktop\CFScript.txt
AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: AT&T Internet Security Suite AT&T Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
SP: AT&T Internet Security Suite AT&T Anti-Spyware *disabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
.
2010-11-26 15:47 . 2010-11-26 15:49 -------- d-----w- c:\users\mae\AppData\Local\temp
2010-11-26 15:47 . 2010-11-26 15:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-11-26 15:47 . 2010-11-26 15:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-24 03:18 . 2010-11-24 03:18 -------- d-----w- c:\program files\VS Revo Group
2010-11-23 20:51 . 2010-11-23 20:51 388096 ----a-r- c:\users\mae\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-23 06:06 . 2010-11-23 06:06 -------- d-----w- c:\program files\Trend Micro
2010-11-22 07:24 . 2010-11-22 07:24 -------- d-----w- c:\program files\AusLogics Disk Defrag
2010-11-22 07:22 . 2010-11-23 03:13 -------- d-----w- c:\program files\SpywareBlaster
2010-11-22 07:21 . 2010-11-22 07:21 -------- d-----w- c:\program files\Alwil Software
2010-11-22 07:12 . 2010-11-24 17:11 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-11-22 05:39 . 2010-11-22 05:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-22 04:15 . 2010-11-25 00:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-22 04:14 . 2010-11-22 04:14 -------- d-----w- c:\program files\CCleaner
2010-11-17 18:21 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{27908A16-217C-4784-B895-4E2FF8FC0214}\mpengine.dll
2010-11-10 15:31 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 16:41 . 2009-10-02 19:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56 . 2010-10-14 19:49 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 19:48 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 19:48 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 19:48 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 19:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 19:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 19:48 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 19:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 19:48 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 19:49 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 19:49 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 19:49 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 19:49 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 19:49 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 17:13 . 2010-08-31 17:13 1409 ----a-w- c:\windows\QTFont.for
2010-08-31 15:46 . 2010-10-14 19:47 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-14 19:47 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-14 19:47 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-14 19:47 2038272 ----a-w- c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-05 154392]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-23 4435968]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Users^mae^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-06-05 11:52 142104 ----a-w- c:\windows\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-06-05 11:52 138008 ----a-w- c:\windows\System32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 cvhsvc;Client Virtualization Handler; [x]
R2 gupdate;Google Update Service (gupdate); [x]
R2 sftlist;Application Virtualization Client; [x]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 osppsvc;Office Software Protection Platform; [x]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-04-24 21864]
R3 sftvsa;Application Virtualization Service Agent; [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 Radialpoint Security Services;AT&T Internet Security Suite;c:\windows\system32\dllhost.exe [2006-11-02 7168]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-04-24 550760]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-04-24 195944]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-04-24 19304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-11-26 c:\windows\Tasks\User_Feed_Synchronization-{F569103E-64CE-4455-B63B-99F0E34992CA}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to AMV Converter...
IE: Add to Video Converter...
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-26 09:50
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-11-26 09:53:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-26 15:53
ComboFix2.txt 2010-11-26 07:07
Pre-Run: 230,133,690,368 bytes free
Post-Run: 232,175,984,640 bytes free
- - End Of File - - FC44E6F335A13777B6E427C04D942C5B
jholland1964 650 Posting Expert Team Colleague Featured Poster
I am sure that Crunchie is going to take a look at this log to make sure all was done as it was supposed to, but I have a question. Earlier you said this:
I have tried to get completely rid of the AT&T Internet Security so that I could use Avast.
yet it clearly shows in both Combofix logs
AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: AT&T Internet Security Suite AT&T Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
SP: AT&T Internet Security Suite AT&T Anti-Spyware *disabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
but it DOES NOT show in your Uninstall list. Exactly HOW did you try to "get rid" of the AT&T Security Suite, because it obviously is not gone?
Also showing in the Combofix logs is
Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} but it shows nowhere in any other log or list. Where is it? Did you know that you had it on the system?
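As an added illustration, not part of the thread or any poster's own code: the product-status lines at the top of a ComboFix log follow a fixed shape (category, product name, state between asterisks, an optional update flag, and the Security Center product GUID). The parser below pulls those fields out and lists which registered products are disabled, which is exactly the discrepancy raised above: a suite the user believes is uninstalled is still registered with Security Center. The sample text is the four lines quoted from the log in this thread; the regular expression and function names are my own assumptions about the format, not anything ComboFix documents.

```python
import re

# Sample input: the four product-status lines ComboFix printed in the log
# posted in this thread (copied from the post, not generated by this script).
SAMPLE_LOG = """\
AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: AT&T Internet Security Suite AT&T Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
SP: AT&T Internet Security Suite AT&T Anti-Spyware *disabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
"""

# Assumed line shape (my reading of the quoted log, not a documented format):
#   <AV|FW|SP>: <product name> *<state>* [(<update flag>)] {<GUID>}
LINE_RE = re.compile(
    r"^(?P<kind>AV|FW|SP): (?P<name>.+?) \*(?P<state>[^*]+)\*"
    r"(?: \((?P<updated>[^)]+)\))? \{(?P<guid>[0-9A-Fa-f-]+)\}$"
)


def parse_products(log_text):
    """Return one dict per recognised status line.

    Lines that do not match the assumed shape are ignored, so the whole
    ComboFix log can be passed in, not just its header.
    """
    products = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        # Any state text containing "disabled" (e.g. "disabled" or
        # "On-access scanning disabled") counts as not protecting the host.
        entry["enabled"] = "disabled" not in entry["state"].lower()
        products.append(entry)
    return products


def disabled_products(log_text):
    """Names of registered products whose state says they are disabled."""
    return [p["name"] for p in parse_products(log_text) if not p["enabled"]]


def enabled_count_by_kind(log_text):
    """Count enabled products per category (AV/FW/SP).

    Zero enabled AV or FW means the host is unprotected; more than one
    enabled AV is the classic "two real-time scanners fighting" situation
    the helpers in this thread are trying to avoid.
    """
    counts = {"AV": 0, "FW": 0, "SP": 0}
    for p in parse_products(log_text):
        if p["enabled"]:
            counts[p["kind"]] += 1
    return counts


def registered_vendors(log_text):
    """Distinct product names still registered, whether enabled or not.

    A vendor listed here but absent from the installed-programs list is a
    leftover Security Center registration, as with the AT&T suite above.
    """
    return sorted({p["name"] for p in parse_products(log_text)})


if __name__ == "__main__":
    for p in parse_products(SAMPLE_LOG):
        flag = "ENABLED " if p["enabled"] else "DISABLED"
        print(f"{p['kind']} {flag} {p['name']} ({p['state']}) {p['guid']}")
    print("Disabled:", disabled_products(SAMPLE_LOG))
    print("Enabled per category:", enabled_count_by_kind(SAMPLE_LOG))
```

Running it on the sample prints three disabled AT&T components and one enabled anti-spyware product (Windows Defender), with no enabled AV or firewall at all, which is the state the log above describes.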
Tumbleweedracef 44 Posting Pro in Training
If memory serves me right, I went into the computer's Uninstall program to uninstall AT&T. But it seems that parts of it are still on the computer and I want to get rid of all of it so I can use just 1 Antispyware program.....Avast. It seems that there were quite a few things that showed up in HijackThis that weren't actually on the computer as fully functioning programs also.
When I first got Avast installed, I turned Windows Defender off in "Services". I wasn't sure if I should delete it or just turn it off?
Today, after running Combo Fix the last time, I tried to go into the Control Panel, but when I try, a warning pops up that says......
EXPLORER.EXE
ILLEGAL OPERATION ATTEMPTED ON A REGISTRY KEY THAT HAS BEEN MARKED FOR DELETION.
So now, I can't get into the Control Panel.
What should I do ?
jholland1964 650 Posting Expert Team Colleague Featured Poster
Have you rebooted the computer since the run and why do you want to go into the Control Panel?
Did you follow Crunchie's instructions exactly?
STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
This WOULD include Windows Defender.
Did you drag the script onto the top of Combofix?
Tumbleweedracef 44 Posting Pro in Training
I followed Crunchie's instructions exactly.
I shut Windows Defender off a week ago. If it's on, then I don't know how ? Can I just delete it ? Do I even need it ?
I rebooted the computer and I can now get into the Control Panel. The reason I tried to get into the Control Panel was to get the EXACT name of the folder that contains all the programs that can be uninstalled on a computer. It has changed since Windows XP (add or remove programs), to (Programs and features) in Windows Vista. That's all I was doing.
Tumbleweedracef 44 Posting Pro in Training
Wow, I didn't know that those "boots" that are being advertised from Lucyye would help get this computer fixed ?
jholland1964 650 Posting Expert Team Colleague Featured Poster
Wow, I didn't know that those "boots" that are being advertised from Lucyye would help get this computer fixed ?
:D:icon_lol:
you and I will be the only two who know what you are talking about because I deleted that spam post...but your comment, Tumbleweedracef, is hilarious! Glad to see that even with all this you still have a sense of humor.
Maybe those are what is really meant when somebody tells you to "reboot" the computer:icon_lol:
jholland1964 650 Posting Expert Team Colleague Featured Poster
I see or saw that you have Revo Uninstaller on the computer. Use it to look for and remove that AT&T stuff and also have it look for Authentium and RPS. Have it remove all of those it finds.
Tumbleweedracef 44 Posting Pro in Training
LOL....I have thought about a "boot" to the computer!
Do I need Windows Defender ? Will it conflict with Avast ?
What's next?
Tumbleweedracef 44 Posting Pro in Training
Revo shows no evidence of AT&T, Authentium or RPS.