# Iexplore.exe Virus



## Sportz (Dec 31, 2008)

First off, I would like to say that I am very tech-savvy and tech-oriented, but I have been playing around with this virus for a few hours now and I am unable to get it to go away. I don't know how long I have had this virus or where I got the virus from, but I do know that it has just started to act up recently.

I turned on my computer today to see my desktop completely black, all my icons gone, all the programs in my start menu gone, and task manager inaccessible. I restarted my computer and went into safe mode and my computer was immediately turned off as I entered my login password in safe mode. Thinking maybe there was a power outage or something went wrong, I restarted the computer and went back into safe mode, but the same thing happened. So, I went back into regular Windows (non-safe mode) and went into regedit to delete the registry key that was preventing me from accessing my task manager. Through task manager, I was able to get to command prompt and run rstrui.exe so I could System Restore to yesterday when my computer was acting perfectly normal. The System Restore took MUCH longer than expected (almost 3 hours), but it finally was completed.

In my restored system, all my icons and programs were back and working fine. I then went into Malwarebytes and went to update, but the virus refused to allow me to update my anti-virus. I attempted to go to the Malwarebytes website to manually update my detection files, but the virus kept redirecting me to dating and pornographic websites. After refreshing a few times, I managed to access the Malwarebytes website and manually updated my detection files. I ran a full scan using Malwarebytes and the scan found and removed a file named uJfauDLHaGxJo.exe. I googled this file name to find some information on it, but there is only one page on it: a VirusTotal scan that was submitted yesterday. I am unaware if this virus has anything to do with the iexplore.exe virus I'm running in to.

Now I tried to scan for the virus using Spybot Search & Destroy, but, once again, the virus refused to allow me to update the anti-virus. After encountering another set of dating and pornographic websites on the way to the Spybot website, I managed to manually update my detection files. I then ran a scan, but nothing was found.

Finally, I opened Super Anti-Spyware, and, interestingly, this anti-virus did not have any trouble updating. A full scan using Super Anti-Spyware found 49 tracking cookies, which I removed just to be safe.

So, I thought that maybe if my anti-virus wasn't finding the infected file, I could just disable Internet Explorer to solve the problem. I went to Control Panel --> Programs and Features --> Turn Windows features on or off. The only problem is that I was unable to find where I could disable Internet Explorer in this menu.

So, I am stumped. The iexplore.exe is located in the spot it is supposed to be (C:/Program Files/Internet Explorer), but, obviously, I cannot delete it. When I end the task in task manager, it just respawns as two iexplore.exe processes a few seconds later. Currently, it is draining 819k memory and anywhere from 5%-65% of my CPU at any given time.

Below are my HiJackThis and DDS logs. Please note that I am unable to run GMER because I am running Windows Vista 64-bit.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:21:44 PM, on 9/12/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\firefox.exe
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\plugin-container.exe
C:\Users\Marc\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {03402f96-3dc7-4285-bc50-9e81fefafe43} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: (no name) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - (no file)
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &AIM Toolbar Search - C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - (no file)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files (x86)\Browny02\BrYNSvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 6733 bytes

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 
Internet Explorer: 7.0.6002.18005
Run by Marc at 15:22:25 on 2011-09-12
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.3837.1341 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\agr64svc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\SMINST\BLService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\firefox.exe
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\plugin-container.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Marc\Downloads\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/?src=aim
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {61539ecd-cc67-4437-a03c-9aaccbd14326} - No File
TB: {A057A204-BACC-4D26-8087-36EE87E26986} - No File
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - C:\PROGRA~2\Java\JRE16~2.0_0\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
TCP: Interfaces\{D1FE459E-4975-4E1E-A067-86C41C6BCF15} : DhcpNameServer = 192.168.1.1 71.250.0.12
TCP: Interfaces\{F8CC756C-921D-456F-8D17-9D8330C65C0E} : DhcpNameServer = 192.168.1.1 71.250.0.12
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB-X64: {61539ecd-cc67-4437-a03c-9aaccbd14326} - No File
TB-X64: {A057A204-BACC-4D26-8087-36EE87E26986} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\j2yory1m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\system32\Drivers\SmartDefragDriver.sys --> C:\Windows\system32\Drivers\SmartDefragDriver.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\Windows\SMINST\BLService.exe [2008-6-10 341328]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
S3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2011-3-13 245760]
S3 IDSvia64;Symantec Intrusion Prevention Driver;C:\PROGRA~3\Symantec\DEFINI~1\SymcData\ipsdefs\20071204.002\IDSvia64.sys [2008-6-10 251952]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 Symantec Core LC;Symantec Core LC;C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-6-10 1245064]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-19 89920]
.
=============== Created Last 30 ================
.
2011-09-11 21:02:01 -------- d-----w- C:\Users\Marc\AppData\Roaming\SUPERAntiSpyware.com
2011-09-11 21:01:37 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-09-11 21:01:36 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-09-11 04:17:57 -------- d-----w- C:\Program Files\iPod
2011-09-11 04:17:41 -------- d-----w- C:\Program Files\iTunes
2011-09-11 04:17:41 -------- d-----w- C:\Program Files (x86)\iTunes
2011-09-10 02:17:22 -------- d-----w- C:\Program Files\iPod(5841)
2011-09-10 02:17:12 -------- d-----w- C:\Program Files (x86)\iTunes(4541)
2011-09-10 02:13:03 -------- d--h--w- C:\Program Files (x86)\QuickTime(5050)
2011-08-28 07:37:26 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-24 04:15:35 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-08-24 04:15:35 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-08-19 19:38:36 -------- d-----w- C:\Users\Marc\AppData\Local\Facebook
.
==================== Find3M ====================
.
2011-07-12 15:34:00 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-07-12 15:34:00 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-07-12 15:34:00 61288 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-07-12 15:34:00 212840 ----a-w- C:\Windows\System32\dnssdX.dll
2011-07-12 15:20:54 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-07-12 15:20:54 50536 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-07-12 15:20:54 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-07-06 23:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 15:49:23 275456 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-07-05 22:37:00 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2011-07-05 22:37:00 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2011-06-20 08:45:17 4699536 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-06-17 20:14:30 1427344 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-17 16:16:33 451072 ----a-w- C:\Windows\System32\winsrv.dll
.
============= FINISH: 15:30:47.50 ===============


----------



## Sportz (Dec 31, 2008)

Can someone please help me?


----------



## kevinf80 (Mar 21, 2006)

You have a corrupt Hosts file that should be reset, do the following:

Copy and paste these lines from within the code box in Notepad.


```
@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0
```
Save as flush.bat to your desktop. Double click to run.
*** note: Win Vista and Win 7 need to right click and choose to *"Run as Administrator"* .. the computer will reboot itself.

Next,

Delet the following untrustworthy plugin from Firefox:

FF - plugin: C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\plugins\npclntax_ClickPotatoLiteSA.dll

Next,

Having two entries for *iexplore.exe* is normal if you have Internet Explorer running, if you open more tabs you will see more entries.

Also using 819k memory is less than 1Mb, I would suggest that is quite normal.

I enclose two screen shots from my own system, with IE on start up and when stable.

Next,

I do not see an Antivirus program running, if that is true install the following:

To keep safe when online you need a good *Antivirus/Antspyware/Antimalware/Anti-Rootkit* combination application. *Microsoft Security Essentials* covers all of those bases, but better still it is free. Go *Here* and hit the "Download it free today" tab, follow the prompts. Once installed it will want to update and carry out a quick scan, allow that to happen. Let me know if it finds anything.
Go *Here* for information that will show you how to install and use MSE.

Next,

There appears to be some remnants from an old Norton IS installation, if you no longer have or use Norton then run thier removal utility:

Download and install the Norton removal tool from *Here*

*Alternative link*

Install and run the tool, follow any prompts that are given.

Let me know if Microsoft Security Essentials finds anything, also post a fresh set of DDS logs....

Kevin


----------



## Sportz (Dec 31, 2008)

Hi Kevin,

Alright I did all that you asked and I believe the iexplore.exe virus that I was dealing with is now gone. I am confident that it was a virus because it was using 813,000K (I accidentally said 813k before) memory, random popups were coming up, and it kept changing my default browser from Firefox to IE. I never use IE; I only use Firefox or Chrome, so that is why the iexplore.exe process that kept running seemed malicious to me.

I removed the Norton remnants from my system using the Norton Removal Tool and I flush.bat from my Desktop. I was unable to find the Firefox plugin you spoke about, so I wasn't able to delete that.

The Windows Security Essentials full scan took a little bit over 5 hours, but it removed many malicious things:

1. BrowserModifier:Win32/Zwangi
2. Backdoor:Win32/Cyc!bot.cfg
3. Trojan:JS/Hiloti.B
4. Exploit:Java/CVE-2009-3867.FE
5. Exploit:Java/CVE-2008-5353.KM
6. Exploit:Java/CVE-2008-5353.OZ
7. Exploit:Java/CVE-2010-0840.GZ
8. Exploit:Java/CVE-2010-0840.W
9. Exploit:Java/CVE-2008-5353.JB
10. Exploit:Java/CVE-2008-5353.GN
11. Exploit:Java/CVE-2008-5353.DU
12. Exploit:Java/CVE-2009-3867.GM
13. TrojanOS/Alureon.C
14. TrojanOS/Alureon.C

My Attach.txt is attached to this post and my DDS.txt is shown below:


```
.
DDS (Ver_2011-08-26.01) - NTFSAMD64 
Internet Explorer: 7.0.6002.18005
Run by Marc at 15:50:39 on 2011-09-17
Microsoft® Windows Vista Home Premium   6.0.6002.2.1252.1.1033.18.3837.2502 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\agr64svc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\SMINST\BLService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\firefox.exe
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/?src=aim
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
TB: {61539ecd-cc67-4437-a03c-9aaccbd14326} - No File
TB: {A057A204-BACC-4D26-8087-36EE87E26986} - No File
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - C:\PROGRA~2\Java\JRE16~2.0_0\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
TCP: Interfaces\{F8CC756C-921D-456F-8D17-9D8330C65C0E} : DhcpNameServer = 192.168.1.1 71.250.0.12
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64:     0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
TB-X64: {61539ecd-cc67-4437-a03c-9aaccbd14326} - No File
TB-X64: {A057A204-BACC-4D26-8087-36EE87E26986} - No File
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\j2yory1m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\system32\Drivers\SmartDefragDriver.sys --> C:\Windows\system32\Drivers\SmartDefragDriver.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\Windows\SMINST\BLService.exe [2008-6-10 341328]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
S3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2011-3-13 245760]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-19 89920]
.
=============== Created Last 30 ================
.
2011-09-16 21:26:51    601424    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{343AC137-FC02-4243-B405-C931CC96862A}\gapaengine.dll
2011-09-16 21:26:40    8862544    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E93D5CC5-DE6F-4FB6-9585-407A839DBF1B}\mpengine.dll
2011-09-16 21:16:44    --------    d-----w-    C:\Program Files (x86)\Microsoft Security Client
2011-09-16 21:16:10    --------    d-----w-    C:\Program Files\Microsoft Security Client
2011-09-16 21:15:18    345984    ----a-w-    C:\Windows\System32\drivers\netio.sys
2011-09-11 21:02:01    --------    d-----w-    C:\Users\Marc\AppData\Roaming\SUPERAntiSpyware.com
2011-09-11 21:01:37    --------    d-----w-    C:\Program Files\SUPERAntiSpyware
2011-09-11 21:01:36    --------    d-----w-    C:\ProgramData\SUPERAntiSpyware.com
2011-09-11 04:17:57    --------    d-----w-    C:\Program Files\iPod
2011-09-11 04:17:41    --------    d-----w-    C:\Program Files\iTunes
2011-09-11 04:17:41    --------    d-----w-    C:\Program Files (x86)\iTunes
2011-09-10 02:17:22    --------    d-----w-    C:\Program Files\iPod(5841)
2011-09-10 02:17:12    --------    d-----w-    C:\Program Files (x86)\iTunes(4541)
2011-09-10 02:13:03    --------    d--h--w-    C:\Program Files (x86)\QuickTime(5050)
2011-08-28 07:37:26    404640    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-24 04:15:35    2048    ----a-w-    C:\Windows\SysWow64\tzres.dll
2011-08-24 04:15:35    2048    ----a-w-    C:\Windows\System32\tzres.dll
2011-08-19 19:38:36    --------    d-----w-    C:\Users\Marc\AppData\Local\Facebook
.
==================== Find3M  ====================
.
2011-07-12 15:34:00    96104    ----a-w-    C:\Windows\System32\dns-sd.exe
2011-07-12 15:34:00    85864    ----a-w-    C:\Windows\System32\dnssd.dll
2011-07-12 15:34:00    61288    ----a-w-    C:\Windows\System32\jdns_sd.dll
2011-07-12 15:34:00    212840    ----a-w-    C:\Windows\System32\dnssdX.dll
2011-07-12 15:20:54    83816    ----a-w-    C:\Windows\SysWow64\dns-sd.exe
2011-07-12 15:20:54    73064    ----a-w-    C:\Windows\SysWow64\dnssd.dll
2011-07-12 15:20:54    50536    ----a-w-    C:\Windows\SysWow64\jdns_sd.dll
2011-07-12 15:20:54    178536    ----a-w-    C:\Windows\SysWow64\dnssdX.dll
2011-07-06 23:52:42    41272    ----a-w-    C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 15:49:23    275456    ----a-w-    C:\Windows\System32\drivers\mrxsmb10.sys
2011-07-05 22:37:00    94208    ----a-w-    C:\Windows\SysWow64\QuickTimeVR.qtx
2011-07-05 22:37:00    69632    ----a-w-    C:\Windows\SysWow64\QuickTime.qts
2011-06-20 08:45:17    4699536    ----a-w-    C:\Windows\System32\ntoskrnl.exe
.
============= FINISH: 15:52:01.31 ===============
```


----------



## kevinf80 (Mar 21, 2006)

OK, do the following:

*Step 1*

Please download *OTM by OldTimer*.
*Alternative Mirror 1*
*Alternative Mirror 2* 
Save it to your desktop. 
Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator

*Copy* the text between the dotted lines below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

-------------------------------------------------------------------
* 
ipconfig /flushdns /c
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\plugins\npclntax_ClickPotatoLiteSA.dll
:Commands
[EmptyFlash]
[EmptyTemp]
[ReBoot]
*
---------------------------------------------------------------------

 Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red







button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

*Step 2*








Please download *Malwarebytes* Anti-Malware and save it to your desktop.
*Alernative D/L mirror*
*Alternative D/L mirror*

Double Click mbam-setup.exe to install the application.

 Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
 If an update is found, it will download and install the latest version.
 Once the program has loaded, select "Perform Quick Scan", then click Scan.
 The scan may take some time to finish,so please be patient.
 When the scan is complete, click OK, then Show Results to view the results.
 Make sure that everything is checked, and click Remove Selected.
 When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
 Please save the log to a location you will remember.
 The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
 Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Let me see those two logs, also tell me what issues/concerns remain...

Please do not put the logs in code or quotes, just copy and paste direct to your reply..

Kevin..


----------



## Sportz (Dec 31, 2008)

I am not having any issues or concerns, but I want to be completely sure that I have gotten rid of this virus. If you have any more suggestions, I'll be happy to hear them. Here is my DDS.txt, Malwarebytes log, and OTM log. Attach.txt is attached to this post.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 
Internet Explorer: 7.0.6002.18005
Run by Marc at 21:52:27 on 2011-09-17
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.3837.1751 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\agr64svc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\SMINST\BLService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\firefox.exe
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/?src=aim
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
TB: {61539ecd-cc67-4437-a03c-9aaccbd14326} - No File
TB: {A057A204-BACC-4D26-8087-36EE87E26986} - No File
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - C:\PROGRA~2\Java\JRE16~2.0_0\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
TCP: Interfaces\{F8CC756C-921D-456F-8D17-9D8330C65C0E} : DhcpNameServer = 192.168.1.1 71.250.0.12
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
TB-X64: {61539ecd-cc67-4437-a03c-9aaccbd14326} - No File
TB-X64: {A057A204-BACC-4D26-8087-36EE87E26986} - No File
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\j2yory1m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\system32\Drivers\SmartDefragDriver.sys --> C:\Windows\system32\Drivers\SmartDefragDriver.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\Windows\SMINST\BLService.exe [2008-6-10 341328]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
S3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2011-3-13 245760]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-19 89920]
.
=============== Created Last 30 ================
.
2011-09-17 23:42:24 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-17 23:41:36 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0C787517-6F69-45CE-AE23-29C218FF8F02}\mpengine.dll
2011-09-17 23:19:35 -------- d-----w- C:\_OTM
2011-09-16 21:26:51 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{343AC137-FC02-4243-B405-C931CC96862A}\gapaengine.dll
2011-09-16 21:16:44 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-09-16 21:16:10 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-09-16 21:15:18 345984 ----a-w- C:\Windows\System32\drivers\netio.sys
2011-09-11 21:02:01 -------- d-----w- C:\Users\Marc\AppData\Roaming\SUPERAntiSpyware.com
2011-09-11 21:01:37 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-09-11 21:01:36 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-09-11 04:17:57 -------- d-----w- C:\Program Files\iPod
2011-09-11 04:17:41 -------- d-----w- C:\Program Files\iTunes
2011-09-11 04:17:41 -------- d-----w- C:\Program Files (x86)\iTunes
2011-09-10 02:17:22 -------- d-----w- C:\Program Files\iPod(5841)
2011-09-10 02:17:12 -------- d-----w- C:\Program Files (x86)\iTunes(4541)
2011-09-10 02:13:03 -------- d--h--w- C:\Program Files (x86)\QuickTime(5050)
2011-08-28 07:37:26 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-24 04:15:35 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-08-24 04:15:35 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-08-19 19:38:36 -------- d-----w- C:\Users\Marc\AppData\Local\Facebook
.
==================== Find3M ====================
.
2011-07-12 15:34:00 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-07-12 15:34:00 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-07-12 15:34:00 61288 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-07-12 15:34:00 212840 ----a-w- C:\Windows\System32\dnssdX.dll
2011-07-12 15:20:54 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-07-12 15:20:54 50536 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-07-12 15:20:54 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-07-06 23:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 15:49:23 275456 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-07-05 22:37:00 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2011-07-05 22:37:00 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2011-06-20 08:45:17 4699536 ----a-w- C:\Windows\System32\ntoskrnl.exe
.
============= FINISH: 21:53:47.90 ===============

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7179

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

9/17/2011 8:43:58 PM
mbam-log-2011-09-17 (20-43-58).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 332659
Time elapsed: 1 hour(s), 17 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

All processes killed
Error: Unable to interpret <ipconfig /flushdns /c> in the current context!
Error: Unable to interpret <C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\plugins\npclntax_ClickPotatoLiteSA.dll> in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Marc
->Temp folder emptied: 31002907 bytes
->Temporary Internet Files folder emptied: 89232647 bytes
->Java cache emptied: 1522779 bytes
->FireFox cache emptied: 109051422 bytes
->Flash cache emptied: 2795 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 40362 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33176 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 52832 bytes
RecycleBin emptied: 102718662 bytes

Total Files Cleaned = 318.00 mb

OTM by OldTimer - Version 3.1.18.0 log created on 09172011_191935

Files moved on Reboot...

Registry entries deleted on Reboot...


----------



## kevinf80 (Mar 21, 2006)

OK, thanks for the logs. I need you to re-run OTM;

Please download *OTM by OldTimer*.
*Alternative Mirror 1*
*Alternative Mirror 2* 
Save it to your desktop. Or just re-run OTM if you still have it on your Desktop.

Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator

*Copy* the text between the dotted lines below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

-------------------------------------------------------------------
* 
:Files
ipconfig /flushdns /c
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\plugins\npclntax_ClickPotatoLiteSA.dll
:Commands
[ClearAllRestorePoints]
[EmptyTemp]
[Reboot]
*
---------------------------------------------------------------------

 Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red







button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

You will have several programs installed, these maybe outdated and vulnerable to exploits also. To be certain, please run the free online scan by *Secunia*, available *Here* Before clicking the *Start* scan button, please check the box for the option *Enable thorough system inspection*. Just below the "Scan Options:" section, you'll see the status of what's currently processing....








...when the scan completes, the message "Detection completed successfully" will appear in the *Programs/Result* section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

Secunia will should update Java, when it completes make sure to UNinstall the following:

*Java 2 Runtime Environment, SE v1.4.1_03
Java(TM) 6 Update 7*

It is very important that those two above are removed from your system.

Let me see the log from OTM, also tell me if Secunia does any updates. If no more issues we can clean up...:up:

Kevin


----------



## Sportz (Dec 31, 2008)

I was unable to run a Secunia scan because I get the following error: There might be problems loading the Java Applet in your browser.

Also, here is my OTM log:

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Marc\Desktop\cmd.bat deleted successfully.
C:\Users\Marc\Desktop\cmd.txt deleted successfully.
File/Folder C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\plugins\npclntax_ClickPotatoLiteSA.dll not found.
========== COMMANDS ==========

Restore point Set: OTM Restore Point

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Marc
->Temp folder emptied: 52283 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 52546452 bytes
->Flash cache emptied: 651 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 12920 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 50.00 mb

OTM by OldTimer - Version 3.1.18.0 log created on 09182011_162134

Files moved on Reboot...

Registry entries deleted on Reboot...


----------



## kevinf80 (Mar 21, 2006)

Try this update checker from Filehippo: http://www.filehippo.com/updatechecker/

How is your system responding? any remaining issues...


----------



## Sportz (Dec 31, 2008)

Alright, I downloaded and installed all of the updates that the update checker wanted me to install. Also, I uninstalled the two Java programs that you wanted me to delete.


Everything seems to be going great with my system. It is functioning very well, but if you have any more suggestions for cleaning up my system, I'll be happy to listen.


----------



## kevinf80 (Mar 21, 2006)

OK, do the following :-

*Step 1*

Remove Combofix now that we're done with it

Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")









 Please follow the prompts to uninstall Combofix.
 You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:

 ComboFix and its associated files and folders.
 VundoFix backups, if present
 The C:_OtMoveIt folder, if present
 Reset the clock settings.
 Hide file extensions, if required.
 Hide System/Hidden files, if required.
 Reset System Restore.
*It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.*

*Step 2*


Download *OTC* by OldTimer and save it to your *desktop.* *Alternative mirror*
Double click







icon to start the program. 
If you are using Vista or Windows 7, please right-click and choose run as administrator
Then Click the big







button.
You will get a prompt saying "_Begining Cleanup Process_". Please select *Yes*.
Restart your computer when prompted.
This will remove tools we have used and itself. *Any tools/logs remaining on the Desktop can be deleted.*

*Step 3*

Download







TFC to your desktop, from either of the following links
*Link 1*
*Link 2*

 Save any open work. TFC will close all open application windows.
 Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select Run as Administartor
 If prompted, click "Yes" to reboot.
Save any open work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. TFC may re-boot your system, if not *Re-boot it yourself to complete cleaning process* *<---- Very Important *

Keep TFC it is an excellent utility to keep your system optimized, it empties all user temp folders, Java cache etc etc. *Always remember to re-boot after a run*

Let me know if the above steps complete OK, also if you have any remaining concerns...

Kevin


----------



## Sportz (Dec 31, 2008)

I typed "Combofix /Uninstall" (without the quotes) into the Run menu, but I get an error message stating "Windows cannot find 'Combofix'. Make sure you type the name correctly, and then try again." I spelled it exactly how you stated to spell it, so I am not sure why I am getting this error code.

Because you labeled this as Step #1 and I had Step #1, I didn't proceed to the other steps.


----------



## kevinf80 (Mar 21, 2006)

Continue with step 2, OTC will also remove Combofix files/folders. Navigate to root of C:\ when finished, check if any folders remain such as C:\Combofix or C:\Gotcha, if so delete them. Then do step 3, 
When step 3 completes and you reboot do the following:

1. Click Start
2. Right click Computer > Properties > Choose Advanced System Settings option in left menu listing.
3. If UAC enabled you will get a UAC prompt at this click Continue
4. Click System Protection tab
5. Then Untick any Drive Listed ( see pic below ) and in the popup window click Turn Off System Restore
6. Click Apply > OK










Turn ON System Restore-Vista

1. Click the Vista/Start icon
2. Right Click >> Computer
3. Click Properties.
4. Click the System Protection tab.
5. Checkmark All drives that were selected previously then click Apply.
6. Use the create button to create a new Restore Point, follow the prompts.

Kevin


----------



## Sportz (Dec 31, 2008)

I did all that you asked and everything went fine. I am not experiencing any more issues and I do not have any concerns. Thank you very much for your help! I greatly appreciate it. If you do not have any more suggestions, I will mark this thread as solved.


----------



## kevinf80 (Mar 21, 2006)

Your good to go, take care.....

Kevin :up:


----------

