Help Removing Antivirus System Pro Malware

bdm424 · 10-25-2009, 06:45 PM

Hello all,

I have fallen victim to the Antivirus System Pro malware and I cannot do anything on my PC. Anytime I try to run a program, I get the following error that says:

"Application cannot be executed. The file xxx.exe is infected. Do you want to activate your antivirus software now?"

I read the First Steps on this forum to generate the required reports you want: DDS.txt, Attach.txt, and Ark.txt. However, I cannot get any of these reports because the malware program pops up with the warning message whenever I try to execute the DDS or GMER applications.

Could someone please tell me how to initially get these text reports ran so I can post them and get some help on removing the malware? Do I have to boot my computer in Safe Mode in order to generate these text files?

I am running XP with SP2. My computer is basically useless right now as no programs or IE will run. Any help would be appreciated.

Thanks,
Brian

bdm424 · 10-27-2009, 09:37 PM

So, I booted up in Safe Mode and ran the DDS and GMER tools but could only get the DDS output reports. So, I installed and ran Malwarebytes' Anti-Malware program in hopes of clearing up some issues so I could at least restart in Normal Mode and re-run DDS and GMER to get the output reports.

After running MAM in Safe Mode, I was found to have 23 infected files/registries/etc. I removed these files and rebooted in Normal Mode. At this point, I had my computer back to what seemed like normal; I could open programs without getting error messages and my IE was working again. I updated MAM and re-ran and only got 1 infected file. I removed that file and all seems to be fine.

I think running MAM may have fixed the problem but I ran DDS and GMER and here are the logs for review. If you would like to see the MAM logs, I can attach those as well.

DDS (Ver_09-10-24.04) - NTFSx86
Run by Brian at 19:33:45.51 on Tue 10/27/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.204 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\DllHost.exe
C:\Documents and Settings\Brian\Desktop\Malware Fix\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://search.msn.com
uWindow Title = Windows Internet Explorer provided by Comcast
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = about:blank
mStart Page = hxxp://www.comcast.net/
mSearch Bar = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {FE6BC4EF-5676-484B-88AE-883323913256} - No File
TB: {7FD44536-9DF0-4034-939F-5BD4D98E3187} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
uRun: [ ] c:\program files\sys28\launch.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Dis] c:\windows\??crosoft.net\l?***.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\sierra\planner\PLNRnote.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://coupons.smartsource.com/download/cscmv5X.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37929.919849537
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE910060-8EFB-44B9-B492-75180696643F} - hxxp://www.hotsearchbar.com/toolbar30/hsrb.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll

============= SERVICES / DRIVERS ===============

S3 LxrSG20d;LxrSG20d;c:\windows\system32\drivers\LxrSG20d.sys [2006-4-24 68672]
S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?]
S3 pnicml;pnicml;c:\docume~1\brian\locals~1\temp\pnicml.sys [2002-9-13 31744]

=============== Created Last 30 ================

2009-10-27 22:12:14 0 d-----w- c:\docume~1\brian\applic~1\Malwarebytes
2009-10-27 22:12:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 22:12:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 22:12:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 22:12:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-24 23:53:41 0 d-----w- c:\program files\wxuvqu

==================== Find3M ====================

2009-09-25 05:56:36 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56:32 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00:46 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13:32 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 19:34:33.03 ===============

tetonbob · 10-27-2009, 09:53 PM

Hi -

Yes, please post the log from MBAM, it can be accessed from the Logs tab if you've not saved it elsewhere. Still a couple suspicious entries in the DDS log.

bdm424 · 10-27-2009, 10:30 PM

Here is the MBAM log from the Safe Mode scan:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2 (Safe Mode)

10/27/2009 6:38:12 PM
mbam-log-2009-10-27 (18-38-12).txt

Scan type: Quick Scan
Objects scanned: 110942
Time elapsed: 13 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c277b942-1f68-486b-8f95-6e486a13f148} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c277b942-1f68-486b-8f95-6e486a13f148} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rxresult.rxresultfilter (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rxresult.rxresultfilter.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2ab289ae-4b90-4281-b2ae-1f4bb034b647} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c277b942-1f68-486b-8f95-6e486a13f148} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{285b5ccd-c3f0-4eb6-9632-7d0a3c3af824} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{285b5ccd-c3f0-4eb6-9632-7d0a3c3af824} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59879fa4-4790-461c-a1cc-4ec4de4ca483} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{59879fa4-4790-461c-a1cc-4ec4de4ca483} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tool (Fake.SystemTool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tool (Fake.SystemTool) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\wsaupdater.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\wsaupdater.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsaupdater.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\wxuvqu\orotsysguard.exe (Fake.SystemTool) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hsrb.dll (Trojan.BHO) -> Quarantined and deleted successfully.

And here is the MBAM log from the Normal Mode scan:

Malwarebytes' Anti-Malware 1.41
Database version: 3044
Windows 5.1.2600 Service Pack 2

10/27/2009 7:23:27 PM
mbam-log-2009-10-27 (19-23-27).txt

Scan type: Quick Scan
Objects scanned: 117621
Time elapsed: 15 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\YTHARA9K\op[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.

tetonbob · 10-27-2009, 10:40 PM

Let's run this next tool....

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Place combofix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

You can get help on disabling your protection programs here
Double click on combofix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Click on Yes, to continue scanning for malware.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------

bdm424 · 10-27-2009, 11:21 PM

ComboFix log:

ComboFix 09-10-27.04 - Brian 10/28/2009 1:00.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.177 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Brian\LOCALS~1\Temp\apy
c:\program files\Need2Find
c:\program files\Need2Find\bar\History\search
c:\program files\Need2Find\bar\Settings\settings.dat
c:\program files\Need2Find\bar\Settings\settings.dat.bak
c:\program files\Need2Find\bar\Settings\settings.htm
c:\program files\Need2Find\bar\Settings\settings.htm.bak
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\crosof~1.net
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\Fonts\acrsec.fon
c:\windows\system32\ICON.ico
c:\windows\system32\ymbols~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCPROC

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-27 22:12 . 2009-10-27 22:12 -------- d-----w- c:\documents and settings\Brian\Application Data\Malwarebytes
2009-10-27 22:12 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 22:12 . 2009-10-27 22:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 22:12 . 2009-10-27 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-27 22:12 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-26 00:06 . 2009-10-28 03:27 -------- d-----w- c:\documents and settings\Brian\Application Data\U3
2009-10-24 23:53 . 2009-10-27 22:38 -------- d-----w- c:\program files\wxuvqu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 23:52 . 2003-11-16 08:34 -------- d-----w- c:\program files\KFPSetup
2009-10-16 02:48 . 2005-04-17 17:20 -------- d-----w- c:\documents and settings\Brian\Application Data\WeatherBug
2009-09-25 05:56 . 2004-08-24 01:32 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:33 . 2002-08-29 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:11 . 2003-11-05 06:44 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2002-08-29 12:00 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2002-08-29 01:04 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dis"="c:\windows\??crosoft.NET\l?***.exe" [?]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2005-06-07 1339392]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 413775]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-12 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-17 155648]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2005-4-3 172032]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

S3 LxrSG20d;LxrSG20d;c:\windows\system32\drivers\LxrSG20d.sys [4/24/2006 10:42 PM 68672]
S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?]
S3 pnicml;pnicml;\??\c:\docume~1\Brian\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\Brian\LOCALS~1\Temp\pnicml.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://search.msn.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mSearch Bar = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
HKCU-Run-c:\program files\Sys28\launch.exe - (no file)
AddRemove-AltnetDM - c:\program files\Altnet\Download Manager\AltnetUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 01:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" "="c:\\Program Files\\Sys28\\launch.exe"
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
c:\combofix\CF5823.exe
c:\windows\system32\DllHost.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 1:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 05:18

Pre-Run: 17,691,734,016 bytes free
Post-Run: 18,756,100,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 83BF5F0B83C17E3DB52AB9C749D4110C

tetonbob · 10-27-2009, 11:30 PM

Is there a current, active AntiVirus application installed on this machine? I see a couple references to Symantec, but not as much as I might expect.

bdm424 · 10-27-2009, 11:36 PM

I currently have Symantec AntiVirus Corporate Edition. It has been on this machine since around 2003 timeframe.

I have free anti-virus software available through my ISP, Comcast. Should I look at updating to this newer software?

tetonbob · 10-27-2009, 11:42 PM

If Symantec still updates and you can control it, that's fine. I would expect to see more of it running in the logs. Symantec Client requires you connect to a corporate server to receive updates, if I'm not mistaken, but I'm not quite sure. If the engine is still from 2003, and has not been updated, you might want to consider an upgrade. As far as what you can get via Comcast, if it's McAfee, it's pretty much 6 of one, half dozen of the other compared to Symantec...but if you cannot update Symantec, it would be a better, more current solution. Wait for a bit before making that change, and let me know more details in next reply if you can.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Rootkit::
c:\docume~1\Brian\LOCALS~1\Temp\pnicml.sys
Folder::
c:\program files\sys28
Driver::
pnicml
DirLook::
c:\program files\wxuvqu
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dis"=-

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix may request an update; please allow it.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

bdm424 · 10-28-2009, 12:07 AM

ComboFix log:

ComboFix 09-10-27.04 - Brian 10/28/2009 1:50.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.172 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\sys28
c:\program files\sys28\launch.exe
c:\program files\sys28\Striptease.gif
c:\program files\sys28\update.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PNICML
-------\Service_pnicml

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-27 22:12 . 2009-10-27 22:12 -------- d-----w- c:\documents and settings\Brian\Application Data\Malwarebytes
2009-10-27 22:12 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 22:12 . 2009-10-27 22:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 22:12 . 2009-10-27 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-27 22:12 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-26 00:06 . 2009-10-28 03:27 -------- d-----w- c:\documents and settings\Brian\Application Data\U3
2009-10-24 23:53 . 2009-10-27 22:38 -------- d-----w- c:\program files\wxuvqu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 23:52 . 2003-11-16 08:34 -------- d-----w- c:\program files\KFPSetup
2009-10-16 02:48 . 2005-04-17 17:20 -------- d-----w- c:\documents and settings\Brian\Application Data\WeatherBug
2009-09-25 05:56 . 2004-08-24 01:32 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:33 . 2002-08-29 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:11 . 2003-11-05 06:44 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2002-08-29 12:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2002-08-29 01:04 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\wxuvqu ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2005-06-07 1339392]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 413775]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-12 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-17 155648]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2005-4-3 172032]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

S3 LxrSG20d;LxrSG20d;c:\windows\system32\drivers\LxrSG20d.sys [4/24/2006 10:42 PM 68672]
S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://search.msn.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mSearch Bar = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-c:\program files\Sys28\launch.exe - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 02:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" "="c:\\Program Files\\Sys28\\launch.exe"
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\combofix\CF15005.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 2:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 06:05
ComboFix2.txt 2009-10-28 05:18

Pre-Run: 18,775,556,096 bytes free
Post-Run: 18,732,871,680 bytes free

- - End Of File - - 8C1322A2D27090DC522B2AEC3E2327A8

tetonbob · 10-28-2009, 12:13 AM

This folder appears to be empty, and may be a remnant of an older infection. There seems to have been a few quite older infections on this machine.

It can be deleted.

c:\program files\wxuvqu

=====================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 16 and save it to your desktop.
Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 16 -"
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.

J2SE Runtime Environment 5.0 Update 11
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
  - Applications and Applets
    Trace and Log Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

=====================================

Please run this online scan to help look for remnants.

Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic and also let me know how things are now.

Also post a new set of DDS logs.

bdm424 · 10-28-2009, 02:45 PM

Here are the three reports: log.txt; dds.txt; and attach.txt

Did you want to see a GMER report as well?

Also, should I remove the ESET files from my computer or is this a tool I will want to use in the future?

log.txt:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b7158d694abafd4e83c7f55c50b98e1d
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-28 06:47:38
# local_time=2009-10-28 02:47:38 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=1313
# found=1
# cleaned=0
# scan_time=39
C:\D37.tmp Win32/TrojanDownloader.PurityScan.EG trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b7158d694abafd4e83c7f55c50b98e1d
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-10-28 01

31
# local_time=2009-10-28 09

31 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=75100
# found=8
# cleaned=0
# scan_time=4614
C:\D37.tmp Win32/TrojanDownloader.PurityScan.EG trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{2D0AAF8B-ACFE-4B3B-9838-52B371C573D4}\RP1892\A0081014.exe a variant of Win32/Kryptik.AVZ trojan 00000000000000000000000000000000 I
C:\update\install.exe a variant of Win32/TrojanDownloader.Dyfica trojan 00000000000000000000000000000000 I
C:\WINDOWS\Bolger.dll_tobedeleted Win32/Adware.DLMax application 00000000000000000000000000000000 I
C:\WINDOWS\polmx3.exe Win32/TrojanDownloader.Agent.AE trojan 00000000000000000000000000000000 I
C:\WINDOWS\poltt.exe Win32/TrojanDownloader.Agent.AE trojan 00000000000000000000000000000000 I
C:\WINDOWS\UnstSA2.exe Win32/TrojanDropper.Delf.Z1 trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\DrPMon.dll_tobedeleted probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I

dds.txt:

DDS (Ver_09-10-24.04) - NTFSx86
Run by Brian at 16:41:19.00 on Wed 10/28/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.249 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Sierra\Planner\PLNRnote.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\DllHost.exe
C:\Documents and Settings\Brian\Desktop\Malware Fix\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://search.msn.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mSearch Bar = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [ ] c:\program files\sys28\launch.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\sierra\planner\PLNRnote.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37929.919849537
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll

============= SERVICES / DRIVERS ===============

S3 LxrSG20d;LxrSG20d;c:\windows\system32\drivers\LxrSG20d.sys [2006-4-24 68672]
S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?]

=============== Created Last 30 ================

2009-10-28 06:43:00 0 d-----w- c:\program files\ESET
2009-10-28 06:38:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-10-28 06:38:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-28 04:58:00 0 d-sha-r- C:\cmdcons
2009-10-28 04:56:48 98816 ----a-w- c:\windows\sed.exe
2009-10-28 04:56:48 77312 ----a-w- c:\windows\MBR.exe
2009-10-28 04:56:48 236544 ----a-w- c:\windows\PEV.exe
2009-10-28 04:56:48 161792 ----a-w- c:\windows\SWREG.exe
2009-10-27 22:12:14 0 d-----w- c:\docume~1\brian\applic~1\Malwarebytes
2009-10-27 22:12:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 22:12:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 22:12:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 22:12:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-09-25 05:56:36 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56:32 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00:46 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13:32 2057728 ------w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 16:42:05.85 ===============

attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-25.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/5/2003 1:00:56 AM
System Uptime: 10/28/2009 7:41:24 AM (9 hours ago)

Motherboard: Dell Computer Corporation | | Dimension 8200
Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | Microprocessor | 1993/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 17.281 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM (CDFS)
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1819: 7/31/2009 1:11:36 PM - System Checkpoint
RP1820: 8/1/2009 2:11:47 PM - System Checkpoint
RP1821: 8/2/2009 3:11:44 PM - System Checkpoint
RP1822: 8/3/2009 4:11:42 PM - System Checkpoint
RP1823: 8/4/2009 5:11:44 PM - System Checkpoint
RP1824: 8/5/2009 6:11:42 PM - System Checkpoint
RP1825: 8/6/2009 7:11:42 PM - System Checkpoint
RP1826: 8/7/2009 8:11:43 PM - System Checkpoint
RP1827: 8/8/2009 12:00:27 PM - Software Distribution Service 3.0
RP1828: 8/9/2009 12:00:22 PM - Software Distribution Service 3.0
RP1829: 8/10/2009 12:35:35 PM - System Checkpoint
RP1830: 8/11/2009 1:35:35 PM - System Checkpoint
RP1831: 8/12/2009 12:00:21 PM - Software Distribution Service 3.0
RP1832: 8/25/2009 9:54:45 PM - System Checkpoint
RP1833: 8/26/2009 12:00:20 PM - Software Distribution Service 3.0
RP1834: 8/27/2009 12:42:33 PM - System Checkpoint
RP1835: 8/28/2009 1:42:40 PM - System Checkpoint
RP1836: 8/29/2009 2:42:36 PM - System Checkpoint
RP1837: 8/30/2009 2:43:38 PM - System Checkpoint
RP1838: 8/31/2009 3:42:36 PM - System Checkpoint
RP1839: 9/1/2009 4:42:36 PM - System Checkpoint
RP1840: 9/2/2009 12:00:18 PM - Software Distribution Service 3.0
RP1841: 9/3/2009 12:42:34 PM - System Checkpoint
RP1842: 9/4/2009 1:42:37 PM - System Checkpoint
RP1843: 9/5/2009 2:42:39 PM - System Checkpoint
RP1844: 9/6/2009 3:42:34 PM - System Checkpoint
RP1845: 9/7/2009 4:42:34 PM - System Checkpoint
RP1846: 9/8/2009 5:42:36 PM - System Checkpoint
RP1847: 9/9/2009 12:00:18 PM - Software Distribution Service 3.0
RP1848: 9/10/2009 12:14:34 PM - System Checkpoint
RP1849: 9/11/2009 1

15 PM - System Checkpoint
RP1850: 9/12/2009 1:14:30 PM - System Checkpoint
RP1851: 9/13/2009 2:14:28 PM - System Checkpoint
RP1852: 9/14/2009 3:14:28 PM - System Checkpoint
RP1853: 9/15/2009 4:14:29 PM - System Checkpoint
RP1854: 9/16/2009 5:18:39 PM - System Checkpoint
RP1855: 9/17/2009 6:14:32 PM - System Checkpoint
RP1856: 9/18/2009 7:25:49 PM - System Checkpoint
RP1857: 9/19/2009 8:14:34 PM - System Checkpoint
RP1858: 9/20/2009 9:14:34 PM - System Checkpoint
RP1859: 9/21/2009 10:14:38 PM - System Checkpoint
RP1860: 9/22/2009 10:52:44 PM - System Checkpoint
RP1861: 9/23/2009 11:14:32 PM - System Checkpoint
RP1862: 9/25/2009 12:14:36 AM - System Checkpoint
RP1863: 9/26/2009 1:14:35 AM - System Checkpoint
RP1864: 9/27/2009 2:14:37 AM - System Checkpoint
RP1865: 9/28/2009 3:14:32 AM - System Checkpoint
RP1866: 9/28/2009 12:00:18 PM - Software Distribution Service 3.0
RP1867: 9/29/2009 12:11:27 PM - System Checkpoint
RP1868: 9/30/2009 1:11:27 PM - System Checkpoint
RP1869: 10/1/2009 2:11:26 PM - System Checkpoint
RP1870: 10/2/2009 3:11:27 PM - System Checkpoint
RP1871: 10/3/2009 4:11:28 PM - System Checkpoint
RP1872: 10/4/2009 5:11:23 PM - System Checkpoint
RP1873: 10/5/2009 6:11:24 PM - System Checkpoint
RP1874: 10/6/2009 7:23:24 PM - System Checkpoint
RP1875: 10/7/2009 8:11:26 PM - System Checkpoint
RP1876: 10/8/2009 9:11:24 PM - System Checkpoint
RP1877: 10/9/2009 10:11:24 PM - System Checkpoint
RP1878: 10/10/2009 11:11:26 PM - System Checkpoint
RP1879: 10/12/2009 12:11:26 AM - System Checkpoint
RP1880: 10/13/2009 1:11:25 AM - System Checkpoint
RP1881: 10/14/2009 2:11:24 AM - System Checkpoint
RP1882: 10/14/2009 12:00:25 PM - Software Distribution Service 3.0
RP1883: 10/15/2009 12:27:03 PM - System Checkpoint
RP1884: 10/16/2009 12:31:32 PM - System Checkpoint
RP1885: 10/17/2009 1:31:38 PM - System Checkpoint
RP1886: 10/18/2009 2:32:38 PM - System Checkpoint
RP1887: 10/19/2009 3:31:31 PM - System Checkpoint
RP1888: 10/20/2009 4:31:31 PM - System Checkpoint
RP1889: 10/21/2009 5:31:33 PM - System Checkpoint
RP1890: 10/22/2009 6:31:34 PM - System Checkpoint
RP1891: 10/23/2009 7:31:33 PM - System Checkpoint
RP1892: 10/26/2009 2:50:43 PM - System Checkpoint
RP1893: 10/27/2009 8:10:42 PM - System Checkpoint
RP1894: 10/28/2009 2:33:41 AM - Removed J2SE Runtime Environment 5.0 Update 11
RP1895: 10/28/2009 2:37:11 AM - Installed Java(TM) 6 Update 16

==== Installed Programs ======================

Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Ahead Nero Burning ROM
AnswerWorks 4.0 Runtime - English
AutoUpdate
Business Plan Pro 2003
Comcast High-Speed Internet Install Wizard
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Coupon Printer for Windows
Desktop Doctor
DivX
DivX Player
ESET Online Scanner v3
Event Planner
Google Toolbar for Internet Explorer
Hallmark Card Studio 2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
hp deskjet 5100
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
HP Software Update
Java(TM) 6 Update 16
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MicroSim EVAL 8
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync 3.7
Microsoft Data Access Components KB870669
Microsoft FrontPage Client - English
Microsoft Office XP Professional with FrontPage
Microsoft Visual Studio .NET Professional - English
Microsoft Windows Journal Viewer
MPLAB Tools v7.50
MSN Messenger 7.5
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
PFS Report Viewers
PIC16F690 Lessons
PIC16F887 Lessons
PICkit2 v2.11
QuickTime
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Spybot - Search & Destroy 1.4
Symantec AntiVirus Client
TurboTax Premier 2007
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
USB Modem Driver
Visual Studio .NET Professional - English
Visual Studio.NET Baseline - English
WeatherBug
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows SA
Windows SR 2.0
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2

==== Event Viewer Messages From Past Week ========

10/28/2009 7:41:57 AM, error: Dhcp [1002] - The IP address lease 192.168.1.114 for the Network Card with network address 000F66F2C67E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/28/2009 2:36:07 AM, error: Dhcp [1002] - The IP address lease 192.168.1.113 for the Network Card with network address 000F66F2C67E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/28/2009 12:59:41 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/28/2009 12:57:21 AM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
10/28/2009 1:58:31 AM, error: PlugPlayManager [11] - The device Root\LEGACY_PNICML\0000 disappeared from the system without first being prepared for removal.
10/28/2009 1:15:04 AM, error: Dhcp [1002] - The IP address lease 192.168.1.112 for the Network Card with network address 000F66F2C67E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/27/2009 9:24:36 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 000F66F2C67E. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
10/26/2009 5:17:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
10/26/2009 2:12:23 PM, error: Dhcp [1002] - The IP address lease 192.168.1.109 for the Network Card with network address 000F66F2C67E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/25/2009 8:30:24 PM, error: Dhcp [1002] - The IP address lease 192.168.1.108 for the Network Card with network address 000F66F2C67E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/25/2009 8:23:38 PM, error: Dhcp [1002] - The IP address lease 192.168.1.107 for the Network Card with network address 000F66F2C67E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/25/2009 8:10:53 PM, error: Dhcp [1002] - The IP address lease 192.168.1.106 for the Network Card with network address 000F66F2C67E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/25/2009 8:05:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
10/25/2009 8:05:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
10/25/2009 8:05:14 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
10/25/2009 8:05:14 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/25/2009 8:05:14 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/25/2009 8:05:14 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
10/25/2009 8:04:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================

tetonbob · 10-28-2009, 03:24 PM

Hi, looks like we have a bit of unfinished business. First, answers to your questions.

Quote:

Did you want to see a GMER report as well?

Not needed, thanks.

Quote:

Also, should I remove the ESET files from my computer or is this a tool I will want to use in the future?

Yes, you may ininstall it from Add or Remove Programs...or keep it and run a scan once in a while in the future. Your choice.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/425637-help-removing-antivirus-system-pro-malware.html#post2415099
Collect::
C:\D37.tmp
C:\update\install.exe
C:\WINDOWS\polmx3.exe
C:\WINDOWS\poltt.exe
C:\WINDOWS\UnstSA2.exe
File::
C:\WINDOWS\Bolger.dll_tobedeleted
C:\WINDOWS\system32\DrPMon.dll_tobedeleted
DDS::
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix may request an update; please allow it.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
- Ensure you are connected to the internet and click OK on the message box.
Please let me know if the file was successfully submitted . Thanks.

------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------

bdm424 · 10-28-2009, 04:08 PM

ComboFix did request an update which I said "Yes" to and allowed. I got a prompt that ComboFix would restart. I clicked "Yes" and as it was attempting to restart, I got a prompt. The title of the prompt is "Reg2exe" and the message says "Error: File damaged"

The only option on the prompt is a Close button. Do I go ahead and close it? Will this affect the running of ComboFix?

bdm424 · 10-28-2009, 05:25 PM

I went ahead and ran ComboFix even though I got the above message. The upload was successful. The log that opened up only had the below message in it.

log.txt:

Upload was successful

Mod's note, this log was Edited in.

ComboFix 09-10-27.08 - Brian 10/28/2009 19:09:22.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.223 [GMT -4:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brian\Desktop\CFScript.txt

FILE ::
"C:\WINDOWS\Bolger.dll_tobedeleted"
"C:\WINDOWS\system32\DrPMon.dll_tobedeleted"

file zipped: C:\D37.tmp
file zipped: C:\update\install.exe
file zipped: C:\WINDOWS\polmx3.exe
file zipped: C:\WINDOWS\poltt.exe
file zipped: C:\WINDOWS\UnstSA2.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\D37.tmp
C:\update\install.exe
C:\WINDOWS\Bolger.dll_tobedeleted
C:\WINDOWS\polmx3.exe
C:\WINDOWS\poltt.exe
C:\WINDOWS\system32\DrPMon.dll_tobedeleted
C:\WINDOWS\UnstSA2.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-28 06:43:00 . 2009-10-28 06:43:00 0 d-----w- C:\Program Files\ESET
2009-10-28 06:38:07 . 2009-10-28 06:37:32 411368 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-10-28 06:37:16 . 2009-10-28 06:37:16 0 d-----w- C:\Program Files\Java
2009-10-27 22:38:58 . 2007-10-23 13:27:20 110592 ----a-w- C:\Documents and Settings\Brian\Application Data\U3\temp\cleanup.exe
2009-10-27 22:12:14 . 2009-10-27 22:12:14 0 d-----w- C:\Documents and Settings\Brian\Application Data\Malwarebytes
2009-10-27 22:12:10 . 2009-09-10 18:54:06 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-10-27 22:12:08 . 2009-10-27 22:12:13 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-27 22:12:08 . 2009-10-27 22:12:08 0 d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-10-27 22:12:08 . 2009-09-10 18:53:50 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-10-26 00

35 . 2008-02-25 17:47:34 3489792 ---ha-w- C:\Documents and Settings\Brian\Application Data\U3\temp\Launchpad Removal.exe
2009-10-26 00

19 . 2009-10-28 03:27:34 0 d-----w- C:\Documents and Settings\Brian\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-28 17:47:35 . 2005-04-17 17:20:09 0 d-----w- C:\Documents and Settings\Brian\Application Data\WeatherBug
2009-10-24 23:52:44 . 2003-11-16 08:34:28 0 d-----w- C:\Program Files\KFPSetup
2009-09-25 05:56:36 . 2004-08-24 01:32:02 662016 ------w- C:\WINDOWS\system32\wininet.dll
2009-09-25 05:56:32 . 2004-08-04 07:56:42 81920 ------w- C:\WINDOWS\system32\ieencode.dll
2009-09-11 14:33:52 . 2002-08-29 12:00:00 133632 ----a-w- C:\WINDOWS\system32\msv1_0.dll
2009-09-04 20:45:26 . 2002-08-29 12:00:00 58880 ----a-w- C:\WINDOWS\system32\msasn1.dll
2009-08-26 08:16:37 . 2002-08-29 12:00:00 247326 ----a-w- C:\WINDOWS\system32\strmdll.dll
2009-08-05 09:11:47 . 2003-11-05 06:44:03 204800 ----a-w- C:\WINDOWS\system32\mswebdvd.dll
2009-08-04 14:00:46 . 2002-08-29 12:00:00 2180352 ------w- C:\WINDOWS\system32\ntoskrnl.exe
2009-08-04 13:13:32 . 2002-08-29 01:04:56 2057728 ------w- C:\WINDOWS\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-28_05.14.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-28 06:38:07 . 2009-10-28 06:37:33 149280 C:\WINDOWS\system32\javaws.exe
+ 2009-10-28 06:38:07 . 2009-10-28 06:37:33 145184 C:\WINDOWS\system32\javaw.exe
+ 2009-10-28 06:38:07 . 2009-10-28 06:37:33 145184 C:\WINDOWS\system32\java.exe
+ 2009-10-28 06:37:26 . 2009-10-28 06:37:26 1757696 C:\WINDOWS\Installer\168da.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2005-06-07 18:58:40 1339392]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 09:43:44 413775]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-12 14:18:55 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 07:21:18 90112]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 07:50:42 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 10:34:12 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 05:11:42 49152]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 02:56:10 40960]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 20:16:00 5058560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-17 06:20:52 155648]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 14:58:20 1773568]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 18:53:56 1312080]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-10-28 06:37:35 149280]
"nwiz"="nwiz.exe" - C:\WINDOWS\system32\nwiz.exe [2003-10-06 20:16:00 741376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Event Planner Reminders Tray Icon.lnk - C:\Sierra\Planner\PLNRnote.exe [2005-4-3 172032]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

S3 LxrSG20d;LxrSG20d;C:\WINDOWS\system32\drivers\LxrSG20d.sys [4/24/2006 10:42:31 PM 68672]
S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 C:\WINDOWS\Tasks\WGASetup.job
- C:\WINDOWS\system32\KB905474\wgasetup.exe [2009-04-29 16:00:41 . 2009-03-11 02:18:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://search.msn.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mSearch Bar = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-C:\Program Files\Sys28\launch.exe - (no file)
AddRemove-Windows SR 2.0 - C:\WINDOWS\UnstSA2.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 19:17:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" "="C:\\Program Files\\Sys28\\launch.exe"
.
Completion time: 2009-10-28 19:20:30
ComboFix-quarantined-files.txt 2009-10-28 23:20:27
ComboFix2.txt 2009-10-28 06

01
ComboFix3.txt 2009-10-28 05:18:36

Pre-Run: 18,531,827,712 bytes free
Post-Run: 18,495,627,264 bytes free

- - End Of File - - B496399AE0337E95581160B41F3FD1DA

tetonbob · 10-28-2009, 05:32 PM

Hi Brian -

Sorry for the delay, was having a bit of dinner, and then trying to decide what you should do. I've edited the complete log into your post.

There's an odd, orphaned entry in the registry, I'd like to get a different look at things.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

@echo off
regedit /a peek.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
start notepad peek.txt

Save this as peek.bat Choose to "Save type as - All Files"
It should look like this:

Double click on peek.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.

Also...

Please download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded. If downloaded in IE, click on Run to execute the file.

Click on the "install" button. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, the Trend Micro End User License Agreement should open for you. Click on "I accept".

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

---------------------------------------------------------------------------------------------

bdm424 · 10-28-2009, 05:45 PM

I left the JijackThis application open after it was done scanning. Should I close this or will we be needing to make changes to any of the entries?

peek.txt:

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
" "="C:\\Program Files\\Sys28\\launch.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"swg"="\"C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe\""

HijackThis.log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:07 PM, on 10/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ ] C:\Program Files\Sys28\launch.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos...ineScanner.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6555 bytes

tetonbob · 10-28-2009, 05:58 PM

Heh, that empty value name seems odd, but we can remove it using HJT

With HijackThis open, place a check next to the following entries if they exist and click Fix Checked

O4 - HKCU\..\Run: [ ] C:\Program Files\Sys28\launch.exe

---------------------------------------------------------------------------------------------

Run a new scan, save, and post the new log.

bdm424 · 10-28-2009, 06:12 PM

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:58 PM, on 10/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos...ineScanner.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6498 bytes

tetonbob · 10-28-2009, 06:15 PM

Good job, that's gone now.

The other item Eset found is in System Restore's cache, and will be addressed by uninstalling ComboFix as instructed below.

Other than that....We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean.You should be good to go. We still have a few items to address.

Disconnect from the internet and disable your AntiVirus temporarily.

Go to

-> Run -> copy/paste in the following single line command & click OK

ComboFix /Uninstall

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. This machine is only running Service Pack 2, Service Pack 3 has been out for quite a while, and adds additional security patches.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.
Winpatrol

Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.
Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

10-25-2009, 06:45 PM	#1 (permalink)
bdm424 Registered User Join Date: Feb 2009 Location: Vermont Posts: 21 OS: XP SP2	Help Removing Antivirus System Pro Malware Hello all, I have fallen victim to the Antivirus System Pro malware and I cannot do anything on my PC. Anytime I try to run a program, I get the following error that says: "Application cannot be executed. The file xxx.exe is infected. Do you want to activate your antivirus software now?" I read the First Steps on this forum to generate the required reports you want: DDS.txt, Attach.txt, and Ark.txt. However, I cannot get any of these reports because the malware program pops up with the warning message whenever I try to execute the DDS or GMER applications. Could someone please tell me how to initially get these text reports ran so I can post them and get some help on removing the malware? Do I have to boot my computer in Safe Mode in order to generate these text files? I am running XP with SP2. My computer is basically useless right now as no programs or IE will run. Any help would be appreciated. Thanks, Brian __________________ Brian

10-27-2009, 09:53 PM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,793 OS: 2000 Pro; XP Pro; XP Home	Re: Help Removing Antivirus System Pro Malware Hi - Yes, please post the log from MBAM, it can be accessed from the Logs tab if you've not saved it elsewhere. Still a couple suspicious entries in the DDS log. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

10-27-2009, 10:30 PM	#4 (permalink)
bdm424 Registered User Join Date: Feb 2009 Location: Vermont Posts: 21 OS: XP SP2	Re: Help Removing Antivirus System Pro Malware Here is the MBAM log from the Safe Mode scan: Malwarebytes' Anti-Malware 1.41 Database version: 2775 Windows 5.1.2600 Service Pack 2 (Safe Mode) 10/27/2009 6:38:12 PM mbam-log-2009-10-27 (18-38-12).txt Scan type: Quick Scan Objects scanned: 110942 Time elapsed: 13 minute(s), 42 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 11 Registry Values Infected: 2 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c277b942-1f68-486b-8f95-6e486a13f148} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{c277b942-1f68-486b-8f95-6e486a13f148} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\rxresult.rxresultfilter (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\rxresult.rxresultfilter.1 (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{2ab289ae-4b90-4281-b2ae-1f4bb034b647} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c277b942-1f68-486b-8f95-6e486a13f148} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{285b5ccd-c3f0-4eb6-9632-7d0a3c3af824} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{285b5ccd-c3f0-4eb6-9632-7d0a3c3af824} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59879fa4-4790-461c-a1cc-4ec4de4ca483} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{59879fa4-4790-461c-a1cc-4ec4de4ca483} (Trojan.BHO) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tool (Fake.SystemTool) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tool (Fake.SystemTool) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\wsaupdater.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\wsaupdater.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wsaupdater.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully. C:\Program Files\wxuvqu\orotsysguard.exe (Fake.SystemTool) -> Quarantined and deleted successfully. C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\hsrb.dll (Trojan.BHO) -> Quarantined and deleted successfully. And here is the MBAM log from the Normal Mode scan: Malwarebytes' Anti-Malware 1.41 Database version: 3044 Windows 5.1.2600 Service Pack 2 10/27/2009 7:23:27 PM mbam-log-2009-10-27 (19-23-27).txt Scan type: Quick Scan Objects scanned: 117621 Time elapsed: 15 minute(s), 51 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\YTHARA9K\op[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully. __________________ Brian

10-27-2009, 10:40 PM	#5 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,793 OS: 2000 Pro; XP Pro; XP Home	Re: Help Removing Antivirus System Pro Malware Let's run this next tool.... Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. Download ComboFix from one of these locations: Link 1 Link 2 * IMPORTANT !!! Place combofix.exe on your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. You can get help on disabling your protection programs here Double click on combofix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement. ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed. Click on Yes, to continue scanning for malware. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. --------------------------------------------------------------------------------------------- Ensure your AntiVirus and AntiSpyware applications are re-enabled. --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

10-27-2009, 11:21 PM	#6 (permalink)
bdm424 Registered User Join Date: Feb 2009 Location: Vermont Posts: 21 OS: XP SP2	Re: Help Removing Antivirus System Pro Malware ComboFix log: ComboFix 09-10-27.04 - Brian 10/28/2009 1:00.1.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.177 [GMT -4:00] Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\Brian\LOCALS~1\Temp\apy c:\program files\Need2Find c:\program files\Need2Find\bar\History\search c:\program files\Need2Find\bar\Settings\settings.dat c:\program files\Need2Find\bar\Settings\settings.dat.bak c:\program files\Need2Find\bar\Settings\settings.htm c:\program files\Need2Find\bar\Settings\settings.htm.bak c:\windows\COUPON~1.OCX c:\windows\CouponPrinter.ocx c:\windows\crosof~1.net c:\windows\Downloaded Program Files\CpnMgr.dll c:\windows\Fonts\acrsec.fon c:\windows\system32\ICON.ico c:\windows\system32\ymbols~1 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_SVCPROC ((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 ))))))))))))))))))))))))))))))) . 2009-10-27 22:12 . 2009-10-27 22:12 -------- d-----w- c:\documents and settings\Brian\Application Data\Malwarebytes 2009-10-27 22:12 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-27 22:12 . 2009-10-27 22:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-10-27 22:12 . 2009-10-27 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-10-27 22:12 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-10-26 00:06 . 2009-10-28 03:27 -------- d-----w- c:\documents and settings\Brian\Application Data\U3 2009-10-24 23:53 . 2009-10-27 22:38 -------- d-----w- c:\program files\wxuvqu . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-24 23:52 . 2003-11-16 08:34 -------- d-----w- c:\program files\KFPSetup 2009-10-16 02:48 . 2005-04-17 17:20 -------- d-----w- c:\documents and settings\Brian\Application Data\WeatherBug 2009-09-25 05:56 . 2004-08-24 01:32 662016 ----a-w- c:\windows\system32\wininet.dll 2009-09-25 05:56 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll 2009-09-11 14:33 . 2002-08-29 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-04 20:45 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-08-26 08:16 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-05 09:11 . 2003-11-05 06:44 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-08-04 14:00 . 2002-08-29 12:00 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe 2009-08-04 13:13 . 2002-08-29 01:04 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Dis"="c:\windows\??crosoft.NET\l?**.exe" [?] "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2005-06-07 1339392] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 413775] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-12 68856] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112] "NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152] "DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-17 155648] "tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2005-4-3 172032] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015 "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016 "500:UDP"= 500:UDP:@xpsp2res.dll,-22017 S3 LxrSG20d;LxrSG20d;c:\windows\system32\drivers\LxrSG20d.sys [4/24/2006 10:42 PM 68672] S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?] S3 pnicml;pnicml;\??\c:\docume~1\Brian\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\Brian\LOCALS~1\Temp\pnicml.sys [?] --- Other Services/Drivers In Memory --- Deregistered* - mbr . Contents of the 'Scheduled Tasks' folder 2009-10-28 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.comcast.net/ uSearch Page = hxxp://www.google.com uDefault_Search_URL = hxxp://search.msn.com uSearch Bar = hxxp://www.google.com/ie mStart Page = hxxp://www.comcast.net/ mSearch Bar = about:blank mWindow Title = Windows Internet Explorer provided by Comcast uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 Trusted Zone: turbotax.com DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab . - - - - ORPHANS REMOVED - - - - HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe HKCU-Run-c:\program files\Sys28\launch.exe - (no file) AddRemove-AltnetDM - c:\program files\Altnet\Download Manager\AltnetUninstall.exe ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-28 01:14 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] " "="c:\\Program Files\\Sys28\\launch.exe" . ------------------------ Other Running Processes ------------------------ . c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\wdfmgr.exe c:\windows\system32\wscntfy.exe c:\windows\system32\WgaTray.exe c:\combofix\CF5823.exe c:\windows\system32\DllHost.exe c:\combofix\PEV.cfxxe . ************************************************************************ . Completion time: 2009-10-28 1:18 - machine was rebooted ComboFix-quarantined-files.txt 2009-10-28 05:18 Pre-Run: 17,691,734,016 bytes free Post-Run: 18,756,100,096 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn - - End Of File - - 83BF5F0B83C17E3DB52AB9C749D4110C __________________ Brian

10-27-2009, 11:30 PM	#7 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,793 OS: 2000 Pro; XP Pro; XP Home	Re: Help Removing Antivirus System Pro Malware Is there a current, active AntiVirus application installed on this machine? I see a couple references to Symantec, but not as much as I might expect. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

10-27-2009, 11:36 PM	#8 (permalink)
bdm424 Registered User Join Date: Feb 2009 Location: Vermont Posts: 21 OS: XP SP2	Re: Help Removing Antivirus System Pro Malware I currently have Symantec AntiVirus Corporate Edition. It has been on this machine since around 2003 timeframe. I have free anti-virus software available through my ISP, Comcast. Should I look at updating to this newer software? __________________ Brian

10-28-2009, 12:07 AM	#10 (permalink)
bdm424 Registered User Join Date: Feb 2009 Location: Vermont Posts: 21 OS: XP SP2	Re: Help Removing Antivirus System Pro Malware ComboFix log: ComboFix 09-10-27.04 - Brian 10/28/2009 1:50.2.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.172 [GMT -4:00] Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\sys28 c:\program files\sys28\launch.exe c:\program files\sys28\Striptease.gif c:\program files\sys28\update.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_PNICML -------\Service_pnicml ((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 ))))))))))))))))))))))))))))))) . 2009-10-27 22:12 . 2009-10-27 22:12 -------- d-----w- c:\documents and settings\Brian\Application Data\Malwarebytes 2009-10-27 22:12 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-27 22:12 . 2009-10-27 22:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-10-27 22:12 . 2009-10-27 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-10-27 22:12 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-10-26 00:06 . 2009-10-28 03:27 -------- d-----w- c:\documents and settings\Brian\Application Data\U3 2009-10-24 23:53 . 2009-10-27 22:38 -------- d-----w- c:\program files\wxuvqu . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-24 23:52 . 2003-11-16 08:34 -------- d-----w- c:\program files\KFPSetup 2009-10-16 02:48 . 2005-04-17 17:20 -------- d-----w- c:\documents and settings\Brian\Application Data\WeatherBug 2009-09-25 05:56 . 2004-08-24 01:32 662016 ------w- c:\windows\system32\wininet.dll 2009-09-25 05:56 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll 2009-09-11 14:33 . 2002-08-29 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-04 20:45 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-08-26 08:16 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-05 09:11 . 2003-11-05 06:44 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-08-04 14:00 . 2002-08-29 12:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe 2009-08-04 13:13 . 2002-08-29 01:04 2057728 ------w- c:\windows\system32\ntkrnlpa.exe . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\program files\wxuvqu ---- ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2005-06-07 1339392] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 413775] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-12 68856] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112] "NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152] "DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-17 155648] "tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2005-4-3 172032] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015 "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016 "500:UDP"= 500:UDP:@xpsp2res.dll,-22017 S3 LxrSG20d;LxrSG20d;c:\windows\system32\drivers\LxrSG20d.sys [4/24/2006 10:42 PM 68672] S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?] --- Other Services/Drivers In Memory --- Deregistered - mbr . Contents of the 'Scheduled Tasks' folder 2009-10-28 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.comcast.net/ uSearch Page = hxxp://www.google.com uDefault_Search_URL = hxxp://search.msn.com uSearch Bar = hxxp://www.google.com/ie mStart Page = hxxp://www.comcast.net/ mSearch Bar = about:blank mWindow Title = Windows Internet Explorer provided by Comcast uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 Trusted Zone: turbotax.com DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab . - - - - ORPHANS REMOVED - - - - HKCU-Run-c:\program files\Sys28\launch.exe - (no file) ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-28 02:00 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] " "="c:\\Program Files\\Sys28\\launch.exe" . ------------------------ Other Running Processes ------------------------ . c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\wdfmgr.exe c:\combofix\CF15005.exe c:\windows\system32\WgaTray.exe c:\windows\system32\wscntfy.exe c:\combofix\PEV.cfxxe . ************************************************************************ . Completion time: 2009-10-28 2:06 - machine was rebooted ComboFix-quarantined-files.txt 2009-10-28 06:05 ComboFix2.txt 2009-10-28 05:18 Pre-Run: 18,775,556,096 bytes free Post-Run: 18,732,871,680 bytes free - - End Of File - - 8C1322A2D27090DC522B2AEC3E2327A8 __________________ Brian

10-28-2009, 12:13 AM	#11 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,793 OS: 2000 Pro; XP Pro; XP Home	Re: Help Removing Antivirus System Pro Malware This folder appears to be empty, and may be a remnant of an older infection. There seems to have been a few quite older infections on this machine. It can be deleted. c:\program files\wxuvqu ===================================== Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Download the latest version of Java Runtime Environment (JRE) 16 and save it to your desktop. Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 16 -" Click the "Download" button to the right. Select the Windows platform from the dropdown menu. Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement". Click on Continue.The page will refresh. Click on the link to download Windows Offline Installation and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. J2SE Runtime Environment 5.0 Update 11 Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button. Next, click on the Delete Files button There are two options in the window to clear the cache - Leave BOTH Checked Applications and Applets Trace and Log Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Temporary Files Window Click OK to leave the Java Control Panel. ===================================== Please run this online scan to help look for remnants. Go here to run an online scannner from ESET. Note: You will need to use Internet explorer for this scan Turn off the real time scanner of any existing antivirus program while performing the online scan Tick the box next to YES, I accept the Terms of Use. Click Start When asked, allow the activex control to install Click Start Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked. Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked. Click Scan Wait for the scan to finish Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt Copy and paste that log as a reply to this topic and also let me know how things are now. Also post a new set of DDS logs. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

10-28-2009, 04:08 PM	#14 (permalink)
bdm424 Registered User Join Date: Feb 2009 Location: Vermont Posts: 21 OS: XP SP2	Re: Help Removing Antivirus System Pro Malware ComboFix did request an update which I said "Yes" to and allowed. I got a prompt that ComboFix would restart. I clicked "Yes" and as it was attempting to restart, I got a prompt. The title of the prompt is "Reg2exe" and the message says "Error: File damaged" The only option on the prompt is a Close button. Do I go ahead and close it? Will this affect the running of ComboFix? __________________ Brian

10-28-2009, 05:25 PM	#15 (permalink)
bdm424 Registered User Join Date: Feb 2009 Location: Vermont Posts: 21 OS: XP SP2	Re: Help Removing Antivirus System Pro Malware I went ahead and ran ComboFix even though I got the above message. The upload was successful. The log that opened up only had the below message in it. log.txt: Upload was successful Mod's note, this log was Edited in. ComboFix 09-10-27.08 - Brian 10/28/2009 19:09:22.3.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.223 [GMT -4:00] Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Brian\Desktop\CFScript.txt FILE :: "C:\WINDOWS\Bolger.dll_tobedeleted" "C:\WINDOWS\system32\DrPMon.dll_tobedeleted" file zipped: C:\D37.tmp file zipped: C:\update\install.exe file zipped: C:\WINDOWS\polmx3.exe file zipped: C:\WINDOWS\poltt.exe file zipped: C:\WINDOWS\UnstSA2.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\D37.tmp C:\update\install.exe C:\WINDOWS\Bolger.dll_tobedeleted C:\WINDOWS\polmx3.exe C:\WINDOWS\poltt.exe C:\WINDOWS\system32\DrPMon.dll_tobedeleted C:\WINDOWS\UnstSA2.exe . ((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 ))))))))))))))))))))))))))))))) . 2009-10-28 06:43:00 . 2009-10-28 06:43:00 0 d-----w- C:\Program Files\ESET 2009-10-28 06:38:07 . 2009-10-28 06:37:32 411368 ----a-w- C:\WINDOWS\system32\deploytk.dll 2009-10-28 06:37:16 . 2009-10-28 06:37:16 0 d-----w- C:\Program Files\Java 2009-10-27 22:38:58 . 2007-10-23 13:27:20 110592 ----a-w- C:\Documents and Settings\Brian\Application Data\U3\temp\cleanup.exe 2009-10-27 22:12:14 . 2009-10-27 22:12:14 0 d-----w- C:\Documents and Settings\Brian\Application Data\Malwarebytes 2009-10-27 22:12:10 . 2009-09-10 18:54:06 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2009-10-27 22:12:08 . 2009-10-27 22:12:13 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware 2009-10-27 22:12:08 . 2009-10-27 22:12:08 0 d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2009-10-27 22:12:08 . 2009-09-10 18:53:50 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys 2009-10-26 0035 . 2008-02-25 17:47:34 3489792 ---ha-w- C:\Documents and Settings\Brian\Application Data\U3\temp\Launchpad Removal.exe 2009-10-26 0019 . 2009-10-28 03:27:34 0 d-----w- C:\Documents and Settings\Brian\Application Data\U3 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-28 17:47:35 . 2005-04-17 17:20:09 0 d-----w- C:\Documents and Settings\Brian\Application Data\WeatherBug 2009-10-24 23:52:44 . 2003-11-16 08:34:28 0 d-----w- C:\Program Files\KFPSetup 2009-09-25 05:56:36 . 2004-08-24 01:32:02 662016 ------w- C:\WINDOWS\system32\wininet.dll 2009-09-25 05:56:32 . 2004-08-04 07:56:42 81920 ------w- C:\WINDOWS\system32\ieencode.dll 2009-09-11 14:33:52 . 2002-08-29 12:00:00 133632 ----a-w- C:\WINDOWS\system32\msv1_0.dll 2009-09-04 20:45:26 . 2002-08-29 12:00:00 58880 ----a-w- C:\WINDOWS\system32\msasn1.dll 2009-08-26 08:16:37 . 2002-08-29 12:00:00 247326 ----a-w- C:\WINDOWS\system32\strmdll.dll 2009-08-05 09:11:47 . 2003-11-05 06:44:03 204800 ----a-w- C:\WINDOWS\system32\mswebdvd.dll 2009-08-04 14:00:46 . 2002-08-29 12:00:00 2180352 ------w- C:\WINDOWS\system32\ntoskrnl.exe 2009-08-04 13:13:32 . 2002-08-29 01:04:56 2057728 ------w- C:\WINDOWS\system32\ntkrnlpa.exe . ((((((((((((((((((((((((((((( SnapShot@2009-10-28_05.14.11 ))))))))))))))))))))))))))))))))))))))))) . + 2009-10-28 06:38:07 . 2009-10-28 06:37:33 149280 C:\WINDOWS\system32\javaws.exe + 2009-10-28 06:38:07 . 2009-10-28 06:37:33 145184 C:\WINDOWS\system32\javaw.exe + 2009-10-28 06:38:07 . 2009-10-28 06:37:33 145184 C:\WINDOWS\system32\java.exe + 2009-10-28 06:37:26 . 2009-10-28 06:37:26 1757696 C:\WINDOWS\Installer\168da.msi . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2005-06-07 18:58:40 1339392] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 09:43:44 413775] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-12 14:18:55 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 07:21:18 90112] "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 07:50:42 155648] "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 10:34:12 172032] "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 05:11:42 49152] "DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 02:56:10 40960] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 20:16:00 5058560] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-17 06:20:52 155648] "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 14:58:20 1773568] "Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 18:53:56 1312080] "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-10-28 06:37:35 149280] "nwiz"="nwiz.exe" - C:\WINDOWS\system32\nwiz.exe [2003-10-06 20:16:00 741376] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Event Planner Reminders Tray Icon.lnk - C:\Sierra\Planner\PLNRnote.exe [2005-4-3 172032] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015 "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016 "500:UDP"= 500:UDP:@xpsp2res.dll,-22017 S3 LxrSG20d;LxrSG20d;C:\WINDOWS\system32\drivers\LxrSG20d.sys [4/24/2006 10:42:31 PM 68672] S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?] --- Other Services/Drivers In Memory --- Deregistered - mbr . Contents of the 'Scheduled Tasks' folder 2009-10-28 C:\WINDOWS\Tasks\WGASetup.job - C:\WINDOWS\system32\KB905474\wgasetup.exe [2009-04-29 16:00:41 . 2009-03-11 02:18:08] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.comcast.net/ uSearch Page = hxxp://www.google.com uDefault_Search_URL = hxxp://search.msn.com uSearch Bar = hxxp://www.google.com/ie mStart Page = hxxp://www.comcast.net/ mSearch Bar = about:blank mWindow Title = Windows Internet Explorer provided by Comcast uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 Trusted Zone: turbotax.com DPF: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab . - - - - ORPHANS REMOVED - - - - HKCU-Run-C:\Program Files\Sys28\launch.exe - (no file) AddRemove-Windows SR 2.0 - C:\WINDOWS\UnstSA2.exe ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-28 19:17:06 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] " "="C:\\Program Files\\Sys28\\launch.exe" . Completion time: 2009-10-28 19:20:30 ComboFix-quarantined-files.txt 2009-10-28 23:20:27 ComboFix2.txt 2009-10-28 0601 ComboFix3.txt 2009-10-28 05:18:36 Pre-Run: 18,531,827,712 bytes free Post-Run: 18,495,627,264 bytes free - - End Of File - - B496399AE0337E95581160B41F3FD1DA __________________ Brian Last edited by tetonbob; 10-28-2009 at 05:27 PM. Reason: edited in the log.

10-28-2009, 05:45 PM	#17 (permalink)
bdm424 Registered User Join Date: Feb 2009 Location: Vermont Posts: 21 OS: XP SP2	Re: Help Removing Antivirus System Pro Malware I left the JijackThis application open after it was done scanning. Should I close this or will we be needing to make changes to any of the entries? peek.txt: REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1" " "="C:\\Program Files\\Sys28\\launch.exe" "H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\"" "swg"="\"C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe\"" HijackThis.log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:42:07 PM, on 10/28/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\system32\wscntfy.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\AWS\WeatherBug\Weather.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\DllHost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 O4 - HKCU\..\Run: [ ] C:\Program Files\Sys28\launch.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos...ineScanner.cab O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 6555 bytes __________________ Brian

10-28-2009, 05:58 PM	#18 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,793 OS: 2000 Pro; XP Pro; XP Home	Re: Help Removing Antivirus System Pro Malware Heh, that empty value name seems odd, but we can remove it using HJT With HijackThis open, place a check next to the following entries if they exist and click Fix Checked O4 - HKCU\..\Run: [ ] C:\Program Files\Sys28\launch.exe --------------------------------------------------------------------------------------------- Run a new scan, save, and post the new log. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

10-28-2009, 06:12 PM	#19 (permalink)
bdm424 Registered User Join Date: Feb 2009 Location: Vermont Posts: 21 OS: XP SP2	Re: Help Removing Antivirus System Pro Malware HijackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:09:58 PM, on 10/28/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\system32\wscntfy.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\AWS\WeatherBug\Weather.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\DllHost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos...ineScanner.cab O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 6498 bytes __________________ Brian

10-28-2009, 06:15 PM	#20 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,793 OS: 2000 Pro; XP Pro; XP Home	Re: Help Removing Antivirus System Pro Malware Good job, that's gone now. The other item Eset found is in System Restore's cache, and will be addressed by uninstalling ComboFix as instructed below. Other than that....We should be done here. Some final housekeeping instructions, and protection information for you. Your logs appear clean.You should be good to go. We still have a few items to address. Disconnect from the internet and disable your AntiVirus temporarily. Go to -> Run -> copy/paste in the following single line command & click OK ComboFix /Uninstall This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Re-enable your AntiVirus now. Reconnect to the internet at your leisure. Delete any remaining tools we've used (DDS and GMER) and logs from them. Empty your Recycle Bin. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. This machine is only running Service Pack 2, Service Pack 3 has been out for quite a while, and adds additional security patches. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE. Winpatrol Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can get a free copy of Winpatrol or use the Plus version for more features. You can read Winpatrol's FAQ if you run into problems. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles How did I get infected in the first place? PC Safety and Security--What Do I Need? If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009