09-10-2009, 08:21 AM   #1
Registered Member
 
Join Date: Nov 2008
Posts: 40
OS: Windows XP Pro


Windows Police PRO/Bad virus, need help!

Hello. Earlier today I somehow got this "Windows Police PRO" on my computer. This thing has made me pull my hair out. It will NOT let me run ANY .exe files. When I try to run any exe files, the Windows box comes up asking me what program to open any .exe file with. I cannot run any Anti-virus software. I tried deleting the Windows Police PRO folder, and after a couple of reboots, I can no longer get into Windows. It will log me on, and all I see is my desktop wallpaper. No icons, nothing. CTRL+ALT+DEL does not work. Please help. I have a bunch of excel, powerpoint, and word files I need to keep.


Thank you for reading and any help you can provide. (I am typing this from my personal computer, my infected computer is my work station.)

EDIT #1: I CAN use CTRL+ALT+DEL to get to my Task Manager, but I still cannot get to my desktop (explorer.exe, I suppose).

EDIT #2: I tried rebooting in Safe Mode but I get the same thing. No icons, nothing, just a black background with "Safe Mode" in all 4 corners of my screen. CTRL/ALT/DEL does work. I am able to click on "New Task" and browse around, so I can use this as an 'explorer' to look at files.

Loneless
09-10-2009, 09:10 AM   #2

Here's my system specs:
Windows XP Home Edition
Intel Pentium 4 processor, 2.8 GHz
640 MB RAM

I was able to copy a bunch of my work files (mostly Excel, Word and PowerPoint files) onto a USB drive by using the "Browse" button when I go to "Run Task..." in Task Manager. So if worst comes to worst, I am willing to start from scratch with a new install of Windows. I would need help installing Windows, however.


Edit:
Here is a list of all processes that are running when I boot normally into Windows XP (still cannot see my desktop, except for my wallpaper, and CTRL/ALT/DEL works):

searchfilterhost.exe
searchprotocalhost.exe
taskmgr.exe
alg.exe
searchindexer.exe
ViewpointService.exe
spoolsv.exe
SPBBCSvc.exe
ccEvtMgr.exe
ccEvtMgr.exe
g2tray.exe
svchost.exe
wdfmgr.exe
svchost.exe
svchost.exe
Rtvscan.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winloon.exe
csrss.exe
smss.exe
jqs.exe
g2pre.exe
hasplms.exe
g2comm.exe
g2svc.exe
DefWatch.exe
svchasts.exe
System
System Idle Process

Loneless
09-11-2009, 05:13 AM   #3
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 38,645
OS: WinXP Home, Vista, Windows 7 64bit


Re: Windows Police PRO/Bad virus, need help!

Hi Loneless,

You're lucky Task Manager is working.

We can work with this, no worries. I would feel better if I had a set of logs before we begin, so I can see what I'm up against. I'd like to ensure I'm only dealing with Windows Police Pro, as additional infections have been known to come along with it.

Download the gmer rootkit scanner from here. Save it to your desktop, but change the file extension to .com before saving it (make sure it has only one file extension, i.e. saved as .com and not .com.exe).

Use Task Manager to browse to it and run it.
  • An initial scan will automatically begin.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [Save...] button, and in the File name area type in "ark.txt", or it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please attach the ark.txt in your next reply.
__________________
Member of ASAP since 2005
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried
09-11-2009, 07:12 AM   #4

Hello Ried! Thank you for taking the time to look at my post, very much appreciated! Since I made this post I have made some progress. I can now use .exe files. I was able to get a HijackThis log, a RootRepeal log, and a Malwarebytes log. Malwarebytes deleted some infected files, and I was able to get Avast! Internet Security (30-day trial) installed and did a full scan, which turned up two more files: "Infection: Win32:Trojan-gen" and "Win32:MoPack".

I will run the gmer rootkit scanner, and I can also post all of the HijackThis/RootRepeal/Malwarebytes logs too if you want. I am still having problems with my desktop. I still get only a wallpaper, and "explorer" cannot be run, as if it is corrupt or some such.
Loneless
09-11-2009, 07:17 AM   #5

You're welcome.

No, those other logs won't be necessary. Just post the log from gmer and run this tool as well - it shall provide me with what I need to see the current state of the system and plan the next course of action.


Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Post the contents of the dds.txt directly into the reply box.

Attach the ark.txt and Attach.txt to your reply.
Ried
09-11-2009, 07:33 AM   #6

You sure are quick, Ried; again, much appreciated!

Here is my DDS log:


DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 8:24:09.39 on Fri 09/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.638.373 [GMT -6:00]

AV: avast! antivirus 4.8.1351 [VPS 090910-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Documents and Settings\User\Desktop\ll1tmw0j.com
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {85ef566d-bab4-405a-be8c-00b5c786fe6c} - bituzepe.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [combofix] c:\windows\system32\cf28919.exe /c c:\ccf\Combobatch.bat
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\zyx\mbam.exe" /runcleanupscript
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [combofix] c:\windows\system32\cf28919.exe /c c:\ccfCombobatch.bat
mRunOnce: [Malwarebytes' Anti-Malware] c:\zyx\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - \\server\netlogon\logon.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-11 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-9-11 138680]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2009-2-9 6016]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-11 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-9-11 352920]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]

=============== Created Last 30 ================

2009-09-11 06:54 <DIR> --d----- c:\windows\SxsCaPendDel
2009-09-11 06:26 <DIR> --d----- c:\docume~1\user\applic~1\AVG8
2009-09-10 20:23 <DIR> --d-h--- c:\windows\PIF
2009-09-10 19:55 <DIR> --d----- C:\hjtyu
2009-09-10 19:33 <DIR> a-dshr-- C:\cmdcons
2009-09-10 19:31 230,912 a------- c:\windows\PEV.exe
2009-09-10 19:31 161,792 a------- c:\windows\SWREG.exe
2009-09-10 19:31 98,816 a------- c:\windows\sed.exe
2009-09-10 19:31 388,608 a------- c:\windows\system32\CF28919.exe
2009-09-10 19:31 <DIR> --ds---- C:\ccf
2009-09-10 19:29 <DIR> --d----- C:\xhjtHJT
2009-09-10 19:14 <DIR> --d----- C:\zyx
2009-09-10 19:06 <DIR> --d----- c:\windows\pss
2009-09-10 14:59 <DIR> --d----- c:\program files\moits
2009-09-10 14:48 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-09-10 14:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-10 14:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 14:24 <DIR> --d----- c:\program files\Trend Micro
2009-09-10 11:12 <DIR> --d----- C:\HJT
2009-08-12 14:30 268 a---h--- C:\sqmdata19.sqm
2009-08-12 14:30 244 a---h--- C:\sqmnoopt19.sqm

==================== Find3M ====================

2009-06-17 08:31 3,902,784 a------- c:\documents and settings\user\gosetup.exe
2009-05-29 07:18 726,008 a------- c:\documents and settings\user\gotomypc_438.exe

============= FINISH: 8:24:41.53 ===============

And I will attach the "Attach.txt" and "ark.txt" files.
Loneless
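An added example, not code from this thread or from DDS: the "Pseudo HJT Report" section of the log above is where a helper looks first for load points that do not add up. Two patterns stand out in this particular report: entries registered by CLSID with "No File" behind them (orphans left behind when the component they pointed at was removed), and a BHO whose module is a bare file name, bituzepe.dll, with no path at all, so Windows has to resolve it through the DLL search order instead of loading it from a fixed location. The Python below parses lines in that format and flags both patterns. The sample lines are copied from the report in this post; the function names and finding labels are my own and are hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Finding labels (hypothetical names chosen for this example)
ORPHAN = "orphan: CLSID registered but no file on disk"
BARE = "bare filename: no path, resolved via DLL search order, verify manually"

# One triage result: (entry kind, identifier, module, finding)
Finding = Tuple[str, str, str, str]

# Sample input: lines copied from the DDS "Pseudo HJT Report" in this post
SAMPLE_HJT = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {85ef566d-bab4-405a-be8c-00b5c786fe6c} - bituzepe.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [combofix] c:\windows\system32\cf28919.exe /c c:\ccf\Combobatch.bat
Notify: igfxcui - igfxsrvc.dll
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Za-z]+):\s*(?P<rest>.+)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
MODULE_EXT = (".dll", ".exe", ".ocx", ".sys")


def executable_of(command: str) -> str:
    """Strip arguments from a Run-key command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def split_entry(kind: str, rest: str) -> Optional[Tuple[str, str]]:
    """Return (identifier, module) for one report line, or None if the shape is unknown."""
    if "Run" in kind:                      # uRun / mRun / mRunOnce: [name] command
        m = RUN_RE.match(rest)
        return (m["name"], executable_of(m["cmd"])) if m else None
    if " - " in rest:                      # BHO / TB / EB / Notify / SEH: identifier - module
        ident, module = rest.rsplit(" - ", 1)
        return ident.strip(), module.strip()
    return None


def is_bare_filename(module: str) -> bool:
    """True when the module is only a file name: no drive letter, no directory."""
    return (not re.search(r"[\\/:]", module)) and module.lower().endswith(MODULE_EXT)


def triage_hjt(report: str) -> List[Finding]:
    """Flag orphaned CLSIDs and path-less modules in a pseudo-HJT report."""
    findings: List[Finding] = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parsed = split_entry(m["kind"], m["rest"])
        if parsed is None:
            continue
        ident, module = parsed
        if module == "No File":
            findings.append((m["kind"], ident, module, ORPHAN))
        elif is_bare_filename(module):
            findings.append((m["kind"], ident, module, BARE))
    return findings


if __name__ == "__main__":
    for kind, ident, module, why in triage_hjt(SAMPLE_HJT):
        print(f"{kind:7} {ident:45} {module:15} {why}")
```

On the sample this returns three orphans and two bare-filename hits. One of the two, igfxsrvc.dll under the igfxcui Notify entry, is Intel's graphics logon component and is normal; that is why the bare-name rule produces a list for a human to clear rather than a verdict, and why the fully-pathed Run entries (ctfmon.exe, the quoted MsnMsgr.Exe command) are not reported at all.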
09-11-2009, 07:40 AM   #7

I happen to be online.

Ah, you didn't mention that you ran ComboFix. It looks like it didn't complete. What happened when you ran it? If it did complete, I need to see the log it produced at C:\ComboFix.txt.
Ried
09-11-2009, 07:49 AM   #8

I can't seem to find my ComboFix log, Ried. Should I run ComboFix again and post the log?
Loneless
09-11-2009, 07:53 AM   #9

Yes, but follow these instructions for running it:

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.

Avast:

Right click on the avast! icon in the system tray and choose (Stop On-Access Protection).

Right click > Program Settings > Troubleshooting > tick "Disable self defense".
====================================================


Double-click on combofix.exe and follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
Ried
09-11-2009, 07:56 AM   #10

I cannot get to my system tray, Ried, and trying to disable my AV processes only leads to "The operation could not be completed. Access is denied."
Loneless
09-11-2009, 08:11 AM   #11

Sorry for the delay, it took me a while to figure out how to get to the area we need.

Open Task Manager > New Task and browse to Desktop > Avast.
A small avast panel will open and begin a memory scan. Click 'Stop scan'.
In the upper left corner you'll see a small arrow that points upward. Click that > Settings > Troubleshooting, place a tick mark next to 'Disable avast self defense mode' and click OK.

Close the avast windows and run ComboFix.
Ried
09-11-2009, 08:31 AM   #12

Okay, got the ComboFix.txt attached.

ComboFix 09-09-10.03 - User 09/11/2009 9:19.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.638.343 [GMT -6:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 090910-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\12442344
c:\documents and settings\All Users\Application Data\12442344\12442344
c:\documents and settings\All Users\Application Data\12442344\12442344.exe
c:\documents and settings\All Users\Application Data\12442344\pc12442344ins
C:\kqbvc.exe
c:\windows\msa.exe
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\~.exe
c:\windows\system32\41.exe
c:\windows\system32\bennuar.old
c:\windows\system32\braviax.exe
c:\windows\system32\fesumuye.exe
c:\windows\system32\mapefubo.exe
c:\windows\system32\sonhelp.htm
c:\windows\system32\sudolufi.dll
c:\windows\system32\sysnet.dat
c:\windows\system32\tapi.nfo
c:\windows\system32\vahoremo.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\yidayele.dll

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_AntipPro2009_100


((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-11 13:08 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-11 13:08 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-11 13:08 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-11 13:07 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-11 13:07 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-11 13:07 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-11 13:07 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-11 13:07 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-11 13:07 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-11 12:54 . 2009-09-11 13:06 -------- d-----w- c:\windows\SxsCaPendDel
2009-09-11 12:26 . 2009-09-11 12:26 -------- d-----w- c:\documents and settings\User\Application Data\AVG8
2009-09-11 02:23 . 2009-09-11 02:23 -------- d--h--w- c:\windows\PIF
2009-09-11 01:55 . 2009-09-11 01:55 -------- d-----w- C:\hjtyu
2009-09-11 01:31 . 2009-09-11 01:38 -------- d-----w- C:\ccf
2009-09-11 01:29 . 2009-09-11 01:29 -------- d-----w- C:\xhjtHJT
2009-09-11 01:14 . 2009-09-11 12:47 -------- d-----w- C:\zyx
2009-09-10 20:59 . 2009-09-10 20:59 -------- d-----w- c:\program files\moits
2009-09-10 20:48 . 2009-09-10 20:48 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-09-10 20:48 . 2009-09-10 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-10 20:48 . 2009-09-10 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 20:24 . 2009-09-10 20:24 -------- d-----w- c:\program files\Trend Micro
2009-09-10 19:55 . 2009-09-10 19:55 -------- d-----w- c:\program files\Alwil Software
2009-09-10 17:22 . 2009-09-11 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-10 17:12 . 2009-09-10 17:12 -------- d-----w- C:\HJT
2009-09-10 15:03 . 2009-09-10 15:03 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-09-10 15:03 . 2009-09-10 15:03 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-08-14 21:16 . 2009-09-11 12:49 -------- d-----w- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 12:55 . 2008-03-10 21:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-11 12:55 . 2009-04-02 12:49 -------- d-----w- c:\program files\Yahoo!
2009-09-11 12:53 . 2009-04-28 15:32 -------- d-----w- c:\program files\Winamp
2009-09-11 12:52 . 2009-04-14 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-11 12:50 . 2008-03-10 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-11 12:46 . 2009-02-13 22:33 -------- d-----w- c:\program files\HP
2009-09-11 12:46 . 2009-02-06 13:33 -------- d-----w- c:\program files\Hewlett-Packard
2009-09-11 12:44 . 2009-04-14 16:11 -------- d-----w- c:\program files\Common Files\AOL
2009-08-12 20:30 . 2009-06-30 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-12 20:30 . 2009-06-30 21:02 -------- d-----w- c:\program files\NOS
2009-07-21 20:24 . 2009-02-09 20:46 -------- d-----w- c:\documents and settings\User\Application Data\U3
2009-06-17 14:31 . 2009-06-17 14:31 3902784 ----a-w- c:\documents and settings\User\gosetup.exe
.

------- Sigcheck -------

[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 . !HASH: COULD NOT OPEN FILE !!!!! . 1033216 . . [------] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-10 133104]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-06 136600]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2006-07-11 49152]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-8-18 282624]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-18 51984]
Shortcut to logon.lnk - \\server\NETLOGON\logon.bat [2007-4-26 141]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 22:04 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/11/2009 7:07 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/11/2009 7:07 AM 20560]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2/9/2009 4:47 PM 6016]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASWUPDSV
*NewlyCreated* - AUJASNKJ
*NewlyCreated* - AVAST!_ANTIVIRUS
*NewlyCreated* - AVAST!_MAIL_SCANNER
*NewlyCreated* - AVAST!_WEB_SCANNER
*Deregistered* - aujasnkj

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows\Tasks\getserver.job
- f:\dcbackups\getserver.bat [2008-08-20 22:53]

2009-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-343818398-725345543-1004Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-10 20:51]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-343818398-725345543-1004UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-10 20:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{85ef566d-bab4-405a-be8c-00b5c786fe6c} - bituzepe.dll
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\zyx\mbam.exe
HKLM-RunOnce-<NO NAME> - (no file)
Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 09:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
Completion time: 2009-09-11 9:26
ComboFix-quarantined-files.txt 2009-09-11 15:26

Pre-Run: 31,960,629,248 bytes free
Post-Run: 32,181,649,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

201 --- E O F --- 2008-03-10 21:40
Old 09-11-2009, 08:41 AM   #13
Ried
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 38,645
OS: WinXP Home, Vista, Windows 7 64bit

Re: Windows Police PRO/Bad virus, need help!

Please save this file to your desktop.

In Task Manager>Run copy-paste the following command (the bolded text) into the "Open" box, and click OK:

"%userprofile%\desktop\win32kdiag.exe" -f -r


When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
__________________
Member of ASAP since 2005
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 09-11-2009, 08:49 AM   #14
Loneless
Registered Member
Join Date: Nov 2008
Posts: 40
OS: Windows XP Pro

Re: Windows Police PRO/Bad virus, need help!

Log file is located at: C:\Documents and Settings\User\Desktop\Win32kDiag.txt

Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\explorer.exe
Attempting to restore permissions of : C:\WINDOWS\explorer.exe

[1] 2007-06-13 05:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)
[1] 2004-08-04 06:00:00 1032192 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe (Microsoft Corporation)
[1] 2007-06-13 04:23:07 1033216 C:\WINDOWS\explorer.exe (Microsoft Corporation)
[1] 2007-06-13 04:23:07 1033216 C:\WINDOWS\system32\dllcache\explorer.exe (Microsoft Corporation)

Finished!
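The Win32kDiag output above lists, under each file the tool could not access, every copy of that file it found with a timestamp, size and the company from the file's version info. As an added example (not from this thread and not part of Win32kDiag), the Python below parses those records and checks whether the inaccessible binary still matches the protected system32\dllcache copy: in the posted log, C:\WINDOWS\explorer.exe and the dllcache copy share the same size (1033216) and timestamp, which fits damaged permissions rather than a swapped binary. The embedded sample log is constructed in the same format; run parse_win32kdiag(SAMPLE_LOG) and pass each entry to assess().

```python
import re
from dataclasses import dataclass

# Constructed sample in the Win32kDiag format posted above (not the real log file).
SAMPLE_LOG = """\
Searching 'C:\\WINDOWS'...

Cannot access: C:\\WINDOWS\\explorer.exe

Attempting to restore permissions of : C:\\WINDOWS\\explorer.exe

[1] 2007-06-13 05:26:03 1033216 C:\\WINDOWS\\$hf_mig$\\KB938828\\SP2QFE\\explorer.exe (Microsoft Corporation)
[1] 2004-08-04 06:00:00 1032192 C:\\WINDOWS\\$NtUninstallKB938828$\\explorer.exe (Microsoft Corporation)
[1] 2007-06-13 04:23:07 1033216 C:\\WINDOWS\\explorer.exe (Microsoft Corporation)
[1] 2007-06-13 04:23:07 1033216 C:\\WINDOWS\\system32\\dllcache\\explorer.exe (Microsoft Corporation)

Finished!
"""

# Copy lines look like: "[n] <timestamp> <size> <path> (<company from version info>)"
COPY_RE = re.compile(
    r"^\[\d+\]\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(.+?)\s+\((.*)\)\s*$")

@dataclass(frozen=True)
class FileCopy:
    timestamp: str
    size: int
    path: str
    company: str

def parse_win32kdiag(text):
    """Map each 'Cannot access:' file to the copies Win32kDiag lists below it."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Cannot access:"):
            current = line.split(":", 1)[1].strip()
            results.setdefault(current, [])
        elif line == "Finished!":
            current = None
        elif current:
            m = COPY_RE.match(line)
            if m:
                results[current].append(
                    FileCopy(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return results

def assess(copies, target):
    """Same size/timestamp as the dllcache copy -> binary intact, only its
    permissions were damaged; a mismatch -> treat as replaced and restore it."""
    target_copy = next((c for c in copies if c.path.lower() == target.lower()), None)
    dllcache = next((c for c in copies
                     if "\\system32\\dllcache\\" in c.path.lower()), None)
    return {
        "target_present": target_copy is not None,
        "dllcache_size": dllcache.size if dllcache else None,
        "matches_dllcache": bool(target_copy and dllcache
                                 and target_copy.size == dllcache.size
                                 and target_copy.timestamp == dllcache.timestamp),
        # copies whose version info names someone other than Microsoft need a look
        "non_microsoft_copies": [c.path for c in copies
                                 if "microsoft" not in c.company.lower()],
    }
```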
Old 09-11-2009, 08:50 AM   #15
Ried
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 38,645
OS: WinXP Home, Vista, Windows 7 64bit

Re: Windows Police PRO/Bad virus, need help!

Ok, run ComboFix again and post the log it produces.
Old 09-11-2009, 09:05 AM   #16
Loneless
Registered Member
Join Date: Nov 2008
Posts: 40
OS: Windows XP Pro

Re: Windows Police PRO/Bad virus, need help!

ComboFix 09-09-10.03 - User 09/11/2009 9:56.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.638.368 [GMT -6:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 090910-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-11 13:08 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-11 13:08 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-11 13:08 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-11 13:07 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-11 13:07 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-11 13:07 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-11 13:07 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-11 13:07 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-11 13:07 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-11 12:54 . 2009-09-11 13:06 -------- d-----w- c:\windows\SxsCaPendDel
2009-09-11 12:26 . 2009-09-11 12:26 -------- d-----w- c:\documents and settings\User\Application Data\AVG8
2009-09-11 02:23 . 2009-09-11 02:23 -------- d--h--w- c:\windows\PIF
2009-09-11 01:55 . 2009-09-11 01:55 -------- d-----w- C:\hjtyu
2009-09-11 01:31 . 2009-09-11 01:38 -------- d-----w- C:\ccf
2009-09-11 01:29 . 2009-09-11 01:29 -------- d-----w- C:\xhjtHJT
2009-09-11 01:14 . 2009-09-11 12:47 -------- d-----w- C:\zyx
2009-09-10 20:59 . 2009-09-10 20:59 -------- d-----w- c:\program files\moits
2009-09-10 20:48 . 2009-09-10 20:48 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-09-10 20:48 . 2009-09-10 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-10 20:48 . 2009-09-10 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 20:24 . 2009-09-10 20:24 -------- d-----w- c:\program files\Trend Micro
2009-09-10 19:55 . 2009-09-10 19:55 -------- d-----w- c:\program files\Alwil Software
2009-09-10 17:22 . 2009-09-11 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-10 17:12 . 2009-09-10 17:12 -------- d-----w- C:\HJT
2009-09-10 15:03 . 2009-09-10 15:03 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-09-10 15:03 . 2009-09-10 15:03 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-08-14 21:16 . 2009-09-11 12:49 -------- d-----w- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 12:55 . 2008-03-10 21:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-11 12:55 . 2009-04-02 12:49 -------- d-----w- c:\program files\Yahoo!
2009-09-11 12:53 . 2009-04-28 15:32 -------- d-----w- c:\program files\Winamp
2009-09-11 12:52 . 2009-04-14 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-11 12:50 . 2008-03-10 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-11 12:46 . 2009-02-13 22:33 -------- d-----w- c:\program files\HP
2009-09-11 12:46 . 2009-02-06 13:33 -------- d-----w- c:\program files\Hewlett-Packard
2009-09-11 12:44 . 2009-04-14 16:11 -------- d-----w- c:\program files\Common Files\AOL
2009-08-12 20:30 . 2009-06-30 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-12 20:30 . 2009-06-30 21:02 -------- d-----w- c:\program files\NOS
2009-07-21 20:24 . 2009-02-09 20:46 -------- d-----w- c:\documents and settings\User\Application Data\U3
2009-06-17 14:31 . 2009-06-17 14:31 3902784 ----a-w- c:\documents and settings\User\gosetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-10 133104]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-06 136600]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2006-07-11 49152]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-8-18 282624]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-18 51984]
Shortcut to logon.lnk - \\server\NETLOGON\logon.bat [2007-4-26 141]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 22:04 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/11/2009 7:07 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/11/2009 7:07 AM 20560]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2/9/2009 4:47 PM 6016]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASWUPDSV
*NewlyCreated* - AUJASNKJ
*NewlyCreated* - AVAST!_ANTIVIRUS
*NewlyCreated* - AVAST!_MAIL_SCANNER
*NewlyCreated* - AVAST!_WEB_SCANNER
*Deregistered* - aujasnkj

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows\Tasks\getserver.job
- f:\dcbackups\getserver.bat [2008-08-20 22:53]

2009-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-343818398-725345543-1004Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-10 20:51]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-343818398-725345543-1004UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-10 20:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 10:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
Completion time: 2009-09-11 10:03
ComboFix-quarantined-files.txt 2009-09-11 16:03
ComboFix2.txt 2009-09-11 15:26

Pre-Run: 32,186,974,208 bytes free
Post-Run: 32,178,524,160 bytes free

143 --- E O F --- 2008-03-10 21:40
Old 09-11-2009, 09:06 AM   #17
Loneless
Registered Member
Join Date: Nov 2008
Posts: 40
OS: Windows XP Pro

Re: Windows Police PRO/Bad virus, need help!

Ried, after running Combofix my desktop is now back! System tray, icons, explorer is working again. What should I do now?
Old 09-11-2009, 09:09 AM   #18
Ried
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 38,645
OS: WinXP Home, Vista, Windows 7 64bit

Re: Windows Police PRO/Bad virus, need help!

What we need to do now is run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Old 09-11-2009, 09:53 AM   #19
Loneless
Registered Member
Join Date: Nov 2008
Posts: 40
OS: Windows XP Pro

Re: Windows Police PRO/Bad virus, need help!

Hi Ried,

Kaspersky is currently scanning. I might step out of the office for 30 or 40 minutes to grab some lunch while the scan does its thing. (I think it's going to take a while; it's been scanning for 2 minutes and progress is still at 0%.)
Old 09-11-2009, 10:01 AM   #20
Ried
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 38,645
OS: WinXP Home, Vista, Windows 7 64bit

Re: Windows Police PRO/Bad virus, need help!

That's fine. I need to step away for a couple of hours. Go enjoy a nice leisurely lunch.

Copyright 2001 - 2010, Tech Support Forum
