# MS Updates Blocked; IE Redirect; Virus; Yuk!



## grensuvs (Nov 12, 2010)

Hello,

I've been working on malware problems from a trojan and may be down to the final problem--which is over my head.

I thought my PC was clean, but it does not even register the MS Update site: from the Help Center on my PC, when I click Windows Updates, I get "The website has encountered a problem and cannot display the page you are trying to view"; if I type in www.update.microsoft.com I get an "Internet Explorer cannot display the webpage" message, but it works from other PCs.

There is a redirect virus which hijacks IE8 and sends it to an ad site periodically. Probably related.

I have cleaned multiple times with Malwarebytes, IObit 360, MS's latest Malicious Software Removal Tool, Symantec (old), and Ad-Aware, and each brought up some junk (or some of the same renamed junk), not just fairly benign cookies, that the others missed. I wanted to check the updates to see if there were some patches, and found that it's blocked. (You will see the malware removal programs in the HijackThis report, which I know I should remove some of, but I'll wait to see what you recommend.)

I have gone through MS's website on the errors and have checked all of their directions: internet connection is fine, MS update sites listed in exceptions for connection, should be a go. When I try to access the Windows Updates site, I now receive a "Security Warning" that says "The current webpage is trying to open a site in your Trusted sites list. Do you want to allow this?" Then it lists the current site as "res://ieframe.dll" or "http://go.microsoft.com" and the Trusted site as http://www.update.microsoft.com. (I click "Yes" and get the IE "cannot display" error screen above.) No reason that I know of for why it should list those 2 sites as the "current sites" when they're not. Apparently the redirect issue.

In attempts to connect, I've also received the following error codes: 0x8007054c & 0x80072EFE (separately), which is how I started doing some of Microsoft's checks, but they haven't helped much so far.

When I click on Express from the Help Center to check to see what updates are needed, sometimes it seems to start something as the CPU runs up to 92-100% from svchost.exe and then seems to hang: Microsoft KBs said that sometimes the Update scan will cause this. I did check the hosts file and it only says localhost, as it's supposed to. Killing the svchost.exe when this happens works; when the Updates scan works, this probably won't be a problem, as it wasn't before.

Also, I now receive a "Generic Host Process for Win32 Services has encountered a problem..." pop-up periodically that wasn't the case before the virus removal.

These viruses--trojans--are aptly named. If you get one, they dump a whole lot of junk, become hydraheaded, keep grabbing, morph, and keep dumping.

Can you please help when anti-malware hasn't worked yet?

I'm sending to this site because a web search showed tgh71 on 9/16/10 seemed to have a similar problem and it was resolved. Hopefully you can with mine too.

I think the redirect was how I got the junk in the first place because when you try to get out, it dumps regardless of what you do. Anti-malware has done nothing with the redirect.

grensuvs

Here's the Hijack file:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:33:12 PM, on 11/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Thomson Financial\Thomson ONE\Softdist\TF Update.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\(name)\Desktop\HIJACKTHIS.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Startup: Timer.exe
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {36632AC2-F115-4285-B9D2-B558771C641F} - http://articles1.williamoneil.com/install51/install51.cab
O16 - DPF: {4194D6AF-D589-4673-B5E0-6A1222C95588} (CIEAuto Object) - http://wondacharts.williamoneil.com/wreport2/ocx/WonIEAutomation.ocx
O16 - DPF: {4CB3C837-368E-4258-BF8F-E12317BF8AD4} (CSysReqs Object) - http://www.tfservicecenter.com/TONEUpgradeFiles/090608/sysreqs.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://jeffco.us/jmap/viewer/mgaxctrl.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (PlotWon Control) - http://wondacharts.williamoneil.com/wreport2/ocx/plotwon.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://reutersus.webex.com/client/T26L/training/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TF Update - - C:\Program Files\Thomson Financial\Thomson ONE\Softdist\TF Update.exe
--
End of file - 8896 bytes


----------



## grensuvs (Nov 12, 2010)

bump


----------



## dvk01 (Dec 14, 2002)

follow advice *here* and post the logs those programs make


----------



## grensuvs (Nov 12, 2010)

Hi--thank you for getting back, dvk01. I will post the logs shortly; I had read the link you referred and understood that I was supposed to post the other logs as the tech pro asked for them so they would be in order.

Can or should I try to download and run these other logs in safe mode? I'm not sure that my computer will do it the regular way; I am getting high cpu (svchost.exe which I can kill in task mgr) and high memory usage (which I don't know how to kill) due to the malware.

What are my other options to produce these logs from an infected pc?

grensuvs


----------



## dvk01 (Dec 14, 2002)

Ideally do it in normal mode,
BUT uninstall IObit 360 first, as that will be clashing with Symantec & most likely causing the increased CPU (2 antiviruses at the same time always causes problems).


----------



## grensuvs (Nov 12, 2010)

Well I had the whole reply in and apparently password timed out. Nice. So I'll try chunking it:

NEW HIJACK THIS:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:10:34 AM, on 11/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Thomson Financial\Thomson ONE\Softdist\TF Update.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\(name)\Desktop\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Omomayikovuviya] rundll32.exe "C:\WINDOWS\adeyetof.dll",Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tpokiyalo] rundll32.exe "C:\WINDOWS\VICTMIR.dll",Startup
O4 - HKCU\..\Run: [lRwvxqSjaU.exe] C:\DOCUME~1\(name)~1\LOCALS~1\Temp\lRwvxqSjaU.exe
O4 - HKCU\..\Run: [1789875] C:\DOCUME~1\(name)~1\LOCALS~1\Temp\1789875.exe
O4 - Startup: Timer.exe
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {36632AC2-F115-4285-B9D2-B558771C641F} - http://articles1.williamoneil.com/install51/install51.cab
O16 - DPF: {4194D6AF-D589-4673-B5E0-6A1222C95588} (CIEAuto Object) - http://wondacharts.williamoneil.com/wreport2/ocx/WonIEAutomation.ocx
O16 - DPF: {4CB3C837-368E-4258-BF8F-E12317BF8AD4} (CSysReqs Object) - http://www.tfservicecenter.com/TONEUpgradeFiles/090608/sysreqs.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://jeffco.us/jmap/viewer/mgaxctrl.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (PlotWon Control) - http://wondacharts.williamoneil.com/wreport2/ocx/plotwon.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://reutersus.webex.com/client/T26L/training/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: TF Update - - C:\Program Files\Thomson Financial\Thomson ONE\Softdist\TF Update.exe
--
End of file - 7172 bytes
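The second HijackThis log above differs from the first in a handful of O4 (autostart) lines: two `rundll32.exe` entries loading randomly named DLLs (adeyetof.dll, VICTMIR.dll) placed straight into C:\WINDOWS rather than System32, and two executables running from the user's Temp folder, one of them with a purely numeric name. Those are the properties a reviewer scans O4 lines for. The script below is an added example, not part of the original post or of HijackThis; it parses O4 lines with a small regex and applies those three heuristics to the constructed sample (the sample lines are copied from the logs in this thread, with the poster's "(name)" placeholder kept). The heuristics and function names are my own choices, not a published rule set.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the O4 (autostart) lines from the two HijackThis logs
# posted in this thread, with the username placeholder "(name)" kept as posted.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Omomayikovuviya] rundll32.exe "C:\WINDOWS\adeyetof.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tpokiyalo] rundll32.exe "C:\WINDOWS\VICTMIR.dll",Startup
O4 - HKCU\..\Run: [lRwvxqSjaU.exe] C:\DOCUME~1\(name)~1\LOCALS~1\Temp\lRwvxqSjaU.exe
O4 - HKCU\..\Run: [1789875] C:\DOCUME~1\(name)~1\LOCALS~1\Temp\1789875.exe
O4 - Startup: Timer.exe
"""

# "O4 - <location>: [<entry name>] <command line>"; Startup-folder entries have no [name].
O4_RE = re.compile(r'^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$')
# Split a command line into quoted and unquoted tokens.
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')


@dataclass
class Finding:
    where: str
    name: str
    target: str
    reasons: list = field(default_factory=list)


def loaded_file(cmd: str) -> str:
    """The file the autorun actually loads: for rundll32 that is the DLL argument
    (export name stripped), otherwise the first token of the command line."""
    toks = [q or u for q, u in TOKEN_RE.findall(cmd)]
    if not toks:
        return ""
    if toks[0].lower() in ("rundll32", "rundll32.exe"):
        return toks[1].split(",", 1)[0] if len(toks) > 1 else ""
    return toks[0]


def reasons_for(name: str, target: str) -> list:
    """Heuristics (my own, hypothetical rule set) for an autostart entry."""
    t = target.lower()
    reasons = []
    if "\\temp\\" in t:
        reasons.append("runs from a Temp directory")
    win = "c:\\windows\\"
    # A DLL sitting directly in the Windows root (not System32) has no business autostarting.
    if t.startswith(win) and "\\" not in t[len(win):] and t.endswith(".dll"):
        reasons.append("DLL dropped directly into the Windows directory")
    if name.isdigit():
        reasons.append("numeric-only entry name")
    return reasons


def triage_o4(log_text: str) -> list:
    """Return a Finding for every O4 line that trips at least one heuristic, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name") or ""
        target = loaded_file(m.group("cmd"))
        reasons = reasons_for(name, target)
        if reasons:
            findings.append(Finding(m.group("where"), name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4):
        print(f"{f.where:<14} [{f.name}] {f.target}\n    -> {'; '.join(f.reasons)}")
```

On the sample this flags exactly the four entries that appeared between the two logs and leaves the Java, Creative, ctfmon and Startup-folder entries alone. The rules are deliberately narrow; a bare filename such as `Timer.exe` or `P17.dll` is resolved through the search path at logon and is worth a manual look too, but it is not flagged here.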


----------



## grensuvs (Nov 12, 2010)

getting these other logs to you. Now I'm on another pc.

Tried uploading 2, and when I hit Reply, malware is blocking Reply. Says "Internet connection problem." Tried entering Hotmail and copying/pasting the text into Hotmail to pick up and send from this machine; when I hit Send, to send to myself, Hotmail says "do you want to navigate to another page and lose this email?". When you hit No, the screen goes blank.

Malware is blocking transmittal.

Any advice?

I'll keep trying.

grensuvs


----------



## grensuvs (Nov 12, 2010)

Well, I can log into Hotmail with the infected machine, but if I put the DDS file text into the message, malware blocks the send and I get an IE message "Are you sure you want to navigate away from this page? You're about to throw away this message without sending it. Press OK to continue, or Cancel to stay on the current page." Either way, it bumps you off and you get a blank screen.

The bottom of the DDS file warns of a possible rootkit infection, TDL4, and says use "mbr.exe -f" to fix.

I'll keep trying to get you the files.

grensuvs


----------



## grensuvs (Nov 12, 2010)

Here's from DDS:

IE 8.06001.18702
XP Pro 5.1.2600.3.1252.1.1033.18.2047.1613

_Here's the end of the file that I was able to send through Hotmail without the infected computer blocking (I tried to remove all headers and send, but it blocked that):_

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST340016A rev.3.75 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A968446]<< 
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a96e504]; MOV EAX, [0x8a96e580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A957AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8A8A6D98]
\Driver\atapi[0x8A94F310] -> IRP_MJ_CREATE -> 0x8A968446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST340016A_______________________________3.75____#483343534d434233202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A968292
user != kernel MBR !!! 
sectors 78165358 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.


----------



## grensuvs (Nov 12, 2010)

Since your last post, I uninstalled IObit as you requested, Ad-Aware since it seemed to be a resource hog, and Symantec, expired. Symantec left remnants in a file folder and Program Files (doesn't show up in Add/Remove). I have Malwarebytes running (as far as I know, as it's hard to tell).

Sent a new Hijack This from after above removal.

Questions on files (assuming I can get them to you)...

Instructions on Techguy website for DDS says "Disable any script blocker you may have running..." --I don't know what that is and don't know how to disable.
For Gmer, says "You must uninstall any CD emulation programs"--again, don't know what this is and don't know how to uninstall... Please advise.

Gmer had a pop-up indicating rootkit activity (big surprise at this point). Gmer mentioned an mbr.sys file. I'll look that up and copy what I can when finished.

Also had a pop-up with Ultra Defragger. Regardless of how you try not to launch any of these, they launch, so I now have a Christmas present of an Ultra Defragger icon and Ultra Defragger in Program Files. Haven't tried to remove it as I'm waiting for you to advise.

Will see if this sends and continue...

grensuvs


----------



## grensuvs (Nov 12, 2010)

Just rebooted the infected computer because it seems that memory (via Task Mgr) keeps ramping up on many files for no legitimate reason, so I hope it will clear before I try some things again. Have had 1-3 files, usually svchost.exe, once helpservices.exe, drive CPU usage into 90+% until I kill them.

Needless to say, my pc is hurting and so am I. One doesn't get all this crap, and have it this deep, without it in mind most of 24 hrs/day.

So, I really appreciate your help!

If there is a question where I can read these files and type the answer, please ask.

Also, am not sure how to attach the "Attach" file, as typical approach didn't work. Please advise.

Thank you!!!

grensuvs


----------



## grensuvs (Nov 12, 2010)

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-15 04:07:07
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST340016A rev.3.75
Running: 350db790.exe; Driver: C:\DOCUME~1\(name)~1\LOCALS~1\Temp\pgrorpog.sys

---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\system32\drivers\jsfax.sys entry point in "init" section [0xA85D8189]
init C:\WINDOWS\System32\drivers\NetAlrt.sys entry point in "init" section [0xA43F82A0]
init C:\WINDOWS\System32\drivers\PlatAlrt.sys entry point in "init" section [0xA3F4F2A0]
? C:\DOCUME~1\(name)~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[660] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EB000A 
.text C:\WINDOWS\System32\svchost.exe[660] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00EC000A 
.text C:\WINDOWS\System32\svchost.exe[660] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00EA000C 
.text C:\WINDOWS\System32\svchost.exe[660] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A 
.text C:\WINDOWS\System32\svchost.exe[660] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FE000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 012B000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 012C000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 012A000C 
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0129000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 012A000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0128000C 
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9ACD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254656 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E538F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[2872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0121000A 
.text C:\WINDOWS\explorer.exe[2872] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0122000A 
.text C:\WINDOWS\explorer.exe[2872] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0120000C 
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0167000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0168000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0166000C 
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9ACD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254656 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E538F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 8A968292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A968292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A968292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 8A968292
Device \FileSystem\Fastfat \Fat A2C96D20
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST340016A_______________________________3.75____#483343534d434233202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; 
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; 
Disk \Device\Harddisk0\DR0 sectors 78165104 (+255): rootkit-like behavior; 
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt 363 bytes
File C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt 1124 bytes
File C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt 912 bytes
File C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt 1984 bytes
File C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt 1049 bytes
File C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt 283 bytes
File C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt 110 bytes
File C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt 117 bytes
File C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt 1710 bytes
File C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt 166 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8JCK28AJ\services[1].xml 863 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DIQS68D7\b[1].gif 43 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DIQS68D7\invpos[1].txt 6 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DIQS68D7\guy-busts-windshield-out-of-car-with-sword[1].txt 90072 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DIQS68D7\7583[1].jpg 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DIQS68D7\;cntid=332461;mr=PG;channel=1;subchannel=;nickname=Break.com%20Staff;ispub=1;isLog=0;hpcdp=0;tags=car,road,steal;isBreakHotShot=false;ord=561070649053292[1].4 62 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DIQS68D7\demo[1].txt 6 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DIQS68D7\tss;sect=tss;chan=asg;subs=;subss=;page=;sz=145x90;tile=1;ord=827381199[1].htm 396 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DIQS68D7\tss;sect=tss;chan=asg;subs=;subss=;page=;sz=145x90;tile=4;ord=827381199[1].htm 404 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DIQS68D7\tss;sect=tss;chan=asg;subs=;subss=;page=;sz=250x90;dcopt=ist;tile=6;ord=29966865[1].htm 423 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DIQS68D7\annel=1;nickname=phenomstylez;hpcdp=0;tags=bust%20windshield,fight,street%20fight,sword,sword%20fight,taxi;u=1925297;cntid=1925297;ord=3743514058499722[1].xml 1224 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DIQS68D7\astrokid150x110[1].gif 8167 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DIQS68D7\av;sect=av;subs=;subss=;page=;sz=728x90;dcopt=ist;tile=8;ord=29966865[1].htm 425 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F78XR09I\25149-30[2].htm 1623 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ILIZ1D3S\adholder[1].htm 401 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ILIZ1D3S\1871136987[1].htm 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ILIZ1D3S\login_status[1].php 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\log[1].txt 11 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\log[2].txt 11 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\init[1].js 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\468x60_vegas[1].swf 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\pixel[1].htm 335 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\services[1].xml 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\setter[1].cfm 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\h2_av[1].gif 1679 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\crossdomain[10].xml 204 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\bkg_body[1].gif 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\cas_blank[1].htm 224 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\twitter[1].jpg 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\120x90_10141831_87470529[1].jpg 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\120x90_10141852_87804812[1].jpg 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\120x90_10192037_87766832[1].jpg 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\bg-brown-interest-tab-buttons-a[1].gif 628 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\stund-best-of-summer-thumb[1].jpg 16349 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\Pug[1].htm 1 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\videoAds[1].js 15428 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\obamabtrmain[1].css 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\237x145_fade_11142002_tropics111410[1].jpg 11758 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\adc_autism_ernie2_300x250[1].swf 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\mob-in-the-mojave[1].jpg 17602 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\front[1].asp 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\353[1].gif 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\tran1x1[1].gif 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\tran1x1[2].gif 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LATQTUN5\yellowpages_lycos_com[1].txt 0 bytes
---- EOF - GMER 1.0.15 ----
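As an added example (not part of this thread and not GMER's own code), a small Python triage script that walks a log in the GMER 1.0.15 layout above and pulls out what a responder reads first: inline JMP hooks whose target GMER could not attribute to any loaded module, a redirected DriverStartIo on a disk port driver, and "rootkit-like behavior" sector reports, together with the family name when GMER prints one. The sample log is constructed in that layout; the paths and addresses are illustrative.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the GMER 1.0.15 layout; not copied from any real scan.
SAMPLE_GMER_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\explorer.exe[2872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0121000A 
.text C:\WINDOWS\explorer.exe[2872] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0122000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[2896] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A968292
Device \FileSystem\Fastfat \Fat A2C96D20
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; 
Disk \Device\Harddisk0\DR0 sectors 78165104 (+255): rootkit-like behavior; 
---- EOF - GMER 1.0.15 ----
"""


@dataclass
class Finding:
    severity: str                 # "high" or "info"
    category: str                 # "hook", "device" or "disk"
    subject: str                  # what was hooked / which sector
    reason: str                   # why it was flagged
    family: Optional[str] = None  # rootkit family name if GMER printed one


# ".text <process>[pid] <module>!<function> <addr> <n> Bytes JMP <target> [owner (description)]"
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>\S+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-F]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-F]+)\s*(?P<owner>.*)$"
)
# "Device <driver object> [-> <routine>] <device object> <address>"
DEVICE_RE = re.compile(
    r"^Device (?P<obj>\S+)(?: -> (?P<routine>\S+))? (?P<dev>\S+) (?P<addr>[0-9A-F]{8})$"
)
# "Disk <device> sector[s] <n> [(+count)] [(label)]: <detail>"
DISK_RE = re.compile(
    r"^Disk (?P<dev>\S+) sectors? (?P<sector>\d+)(?: \(\+\d+\))?"
    r"(?: \((?P<label>[^)]+)\))?: (?P<detail>.*)$"
)
# GMER names the family as "...; TDL4 <-- ROOTKIT !!!"
FAMILY_RE = re.compile(r";\s*(?P<family>\S+)\s*<--\s*ROOTKIT")


def triage(log_text: str) -> List[Finding]:
    """Walk a GMER log and return the lines a responder should look at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("----"):
            continue  # blank line or section banner
        m = HOOK_RE.match(line)
        if m:
            subject = f"{m['module']}!{m['func']} in {m['proc']}[{m['pid']}]"
            if m["owner"]:
                # Attributed to a module GMER could name: record it, confirm the owner is expected.
                findings.append(Finding("info", "hook", subject,
                    f"inline JMP to {m['target']} owned by {m['owner']}; verify the owning module"))
            else:
                # No owner printed: the target lies in memory no loaded module accounts for.
                findings.append(Finding("high", "hook", subject,
                    f"inline JMP to {m['target']} in memory not attributable to any loaded module"))
            continue
        m = DEVICE_RE.match(line)
        if m and m["routine"]:
            findings.append(Finding("high", "device", f"{m['obj']} {m['routine']} for {m['dev']}",
                f"{m['routine']} redirected to {m['addr']}; a hooked disk port driver can filter raw sector reads"))
            continue
        m = DISK_RE.match(line)
        if m and "rootkit-like behavior" in m["detail"]:
            fam = FAMILY_RE.search(m["detail"])
            where = f"{m['dev']} sector {m['sector']}" + (f" ({m['label']})" if m["label"] else "")
            findings.append(Finding("high", "disk", where, m["detail"].strip(),
                                    fam["family"] if fam else None))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Counts by severity plus any rootkit family GMER named, for a quick read of the log."""
    out = {"high": 0, "info": 0, "families": sorted({f.family for f in findings if f.family})}
    for f in findings:
        out[f.severity] += 1
    return out


if __name__ == "__main__":
    results = triage(SAMPLE_GMER_LOG)
    for f in results:
        print(f"[{f.severity:4}] {f.category:6} {f.subject}: {f.reason}")
    print(summarize(results))
```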


----------



## grensuvs (Nov 12, 2010)

Hooray!! The infected pc sent the gmer file through hotmail so I got it to you.

Will go back and work on the dds file; haven't even been able to send in partials other than what I have posted. Obviously I'm not sure what the malware is tagging that bumps off hotmail when I try to send that file.

Also, still have the Attach text to send and need instructions.

Let me know if you still need either of these before we start, or maybe we can start getting rid of some of this crap, or I should keep working on getting you the full set?

I'm sure I'll be up in the night checking for your instructions.

grensuvs


----------



## grensuvs (Nov 12, 2010)

Just to be complete, remembered that Java is blocked from updating also.

And still getting the "Generic Host Process for Win32 has encountered a problem" message.

All of above began when this malware began.

grensuvs


----------



## grensuvs (Nov 12, 2010)

Hi,

In the interest of giving you as complete a picture as possible, I was looking back on the infected pc to find where I had seen the remnant Symantec file; I don't find them anymore. (Perhaps deleted on a reboot?) 

1) Since AV programs can conflict with the scanners used to solve problems, I thought I'd mention that I found, under Application Data, Winpatrol, with an empty "Vault" folder, and the following files under Winpatrol: autoexec.bat, config.sys, HOSTS, and temp.reg. Under Documents and Settings, there is a housecall6.6 folder with a lot of files. Neither of these show up in Add/Remove Programs or I would have uninstalled them with the other excess AV/anti-malware.

Could you advise how to uninstall if they might be in the way now or later?

2) Microsoft Interactive Training, in Add/Remove programs, has a red slash through a red circle over it.

3) And the pc doesn't produce any sound from any means, or any kind of sound.

There's the full picture as far as I know it.

Thank you in advance!

grensuvs


----------



## grensuvs (Nov 12, 2010)

I know as I read back through my posts that it sounds like this pc has been neglected for awhile; truly, it has not been. It seems like this malware not only dumps from an opened trojan (which the user can't avoid launching once a screen comes up) but, because of the redirect, also goes out and grabs new malware. Or they just don't get removed by typical AV means, and re-group. I hope I'm not overloading you with info, but I don't know what better to do than to provide all the info that I know, so that your detection and resolution can be easier/quicker. --grensuvs


----------



## dvk01 (Dec 14, 2002)

first step

Run tdss killer from http://support.kaspersky.com/viruses/solutions?qid=208280684

post back with its log

you might have to download it to another computer & then transfer it over by using a usb stick as the kaspersky site might be blocked by this malware rootkit


----------



## grensuvs (Nov 12, 2010)

I'm working on getting your log. Connected with the Kaspersky site OK; I think it does it the first time with these kinds of sites--seems like when you go back, it's blocked.

Update: on start up, Ultra Defragger came up; "x"ing to quit makes no difference. PC now gives me a "critical error" at bottom of screen near time, says "Windows can't find hard disk space. Hard drive error." In task mgr., svchost.exe ramped way high in memory, killed it. Also, 1789875.exe and IRwvxqSjaU.exe running in task mgr which really look like malware to me. HijackThis file has both of these in temp folder.

I guess I'm going to reboot b4 trying the utility given the missing hard drive message. 

****

I see that you're in the UK. I'm on Mountain Std Time, US. Could you tell me the beginning and end times that you're usually working on these issues, and I will modify my schedule to fit yours as best as possible?

****

Thanks, thanks, thanks for helping....

grensuvs


----------



## grensuvs (Nov 12, 2010)

Rebooted; Ultra Defragger screen came up; same exe files in Task Mgr; I killed the previously listed 178...exe and IRwv...exe files in Task Mgr; first one killed Ultra Defragger window.

'Don't have the missing harddrive message, but I do have Critical Error now of RAM memory usage critically high; RAM memory failure. I don't see anything high in Task Mgr. to run it up like that...?? 

Not sure if I can run the utility now or not, or if it would even work with no memory to work with...? 

Any ideas?

grensuvs


----------



## grensuvs (Nov 12, 2010)

Still getting hard drive missing error, and high RAM error. Nothing jumps out as resource hog in Task Mgr. Still working on it...


grensuvs


----------



## dvk01 (Dec 14, 2002)

you will continue to get the errors & problems until you run the tdsskiller

if that won't run then do this

Download MBR Check to your desktop


Right click *MBRcheck.exe* and select *Run as Administrator* (Vista) or Double click *MBRcheck.exe* to run it (XP)
It will show a Black screen with some data on it 
it will create a log called MBRcheck_time and date.txt on desktop 
Post that resultant log here please
Do NOT fix anything or run any suggested fix before we see the report


----------



## grensuvs (Nov 12, 2010)

Thanks for quick response.

No, I'm not running or trying to fix anything without your instructions. 

I have just killed (temporarily) obvious stuff in Tsk Mgr. to try to give/allow more resources for your utility recommendations.

Timewise, you are 6 hrs. ahead of me. 

Back in a few, after trying tdsskiller, or if not, mbr. I just didn't know if I should try it anyway on low resources, or what would happen if I did. But I'll try it.

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Blocked from unzipping tdsskiller files. I wonder if I renamed it if it would work?

Downloaded and ran mbr file; it produced 1 file. I ran the exe twice to make sure. Think I got the main file, but not the date.txt file.

Not able to get it to you yet (connecting to the internet now doesn't work with that machine so am using this one). Printed the file b4 rebooting. So will type all of it to you if I have to.

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Is everything included here, or is there still supposed to be another file?


MBRCheck, version 1.2.3
(c) 2010, AD
Command-line: 
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d
Kernel Drivers (total 141):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0x8A8A9000 \WINDOWS\system32\KDCOM.DLL
0xF789B000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7987000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7989000 intelide.sys
0xF7707000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF7607000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF798B000 dmload.sys
0xF74B2000 dmio.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF749A000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF747A000 fltmgr.sys
0xF7468000 sr.sys
0xF7451000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF7424000 NDIS.sys
0xF7647000 ohci1394.sys
0xF7657000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
0xF740A000 Mup.sys
0xF7667000 agp440.sys
0xF76F7000 \SystemRoot\System32\DRIVERS\nic1394.sys
0xF76C7000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xB857B000 \SystemRoot\System32\DRIVERS\ati2mtag.sys
0xB8567000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF77A7000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xB8543000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF77AF000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xB84D5000 \SystemRoot\system32\drivers\ctaud2k.sys
0xB7C65000 \SystemRoot\system32\drivers\portcls.sys
0xB865A000 \SystemRoot\system32\drivers\drmk.sys
0xB7C42000 \SystemRoot\system32\drivers\ks.sys
0xB7C12000 \SystemRoot\system32\drivers\ctoss2k.sys
0xF79F7000 \SystemRoot\System32\drivers\ctprxy2k.sys
0xB945D000 \SystemRoot\System32\DRIVERS\ctgame.sys
0xB6F9E000 \SystemRoot\System32\DRIVERS\e1000325.sys
0xB87F6000 \SystemRoot\System32\DRIVERS\fdc.sys
0xBA798000 \SystemRoot\System32\DRIVERS\serial.sys
0xF791F000 \SystemRoot\System32\DRIVERS\serenum.sys
0xB6F8A000 \SystemRoot\System32\DRIVERS\parport.sys
0xBA788000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xBA778000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xB6F45000 \SystemRoot\System32\Drivers\pwd_2k.SYS
0xB87EE000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xBA768000 \SystemRoot\System32\DRIVERS\imapi.sys
0xB6E26000 \SystemRoot\system32\drivers\smwdm.sys
0xF79F9000 \SystemRoot\system32\drivers\aeaudio.sys
0xB7BBE000 \SystemRoot\System32\DRIVERS\audstub.sys
0xBA758000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF7927000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB6E0F000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xBA748000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xBA738000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xB87C6000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xB6DFE000 \SystemRoot\System32\DRIVERS\psched.sys
0xBA728000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xB87BE000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF77EF000 \SystemRoot\System32\DRIVERS\raspti.sys
0xB6DCE000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xBA718000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF77F7000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF77FF000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF79FB000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB6D20000 \SystemRoot\System32\DRIVERS\update.sys
0xF793F000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF7807000 \SystemRoot\system32\DRIVERS\omci.sys
0xF7817000 \SystemRoot\System32\Drivers\dvd_2K.SYS
0xB6F25000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB6EF5000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF7997000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xAB7A6000 \SystemRoot\System32\drivers\ha10kx2k.sys
0xAB785000 \SystemRoot\System32\drivers\ctac32k.sys
0xAB76A000 \SystemRoot\System32\drivers\emupia2k.sys
0xAB744000 \SystemRoot\System32\drivers\ctsfm2k.sys
0xA75F1000 \SystemRoot\System32\drivers\hap16v2k.sys
0xB7B19000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xA83E5000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xAAA08000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA8040000 \SystemRoot\System32\Drivers\Null.SYS
0xAAA06000 \SystemRoot\System32\Drivers\Beep.SYS
0xB7B09000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xA84D8000 \SystemRoot\System32\drivers\vga.sys
0xAAA04000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xAAA02000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA754E000 \SystemRoot\System32\Drivers\cdudf_xp.SYS
0xA84D0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA84C8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA7509000 \SystemRoot\System32\Drivers\UdfReadr_xp.SYS
0xA7BEB000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xA74E4000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xA748B000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xA7463000 \SystemRoot\System32\DRIVERS\netbt.sys
0xA7441000 \SystemRoot\System32\drivers\afd.sys
0xA832E000 \SystemRoot\System32\DRIVERS\netbios.sys
0xA7416000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xA73A6000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xA7389000 \SystemRoot\system32\drivers\jsmux.sys
0xA84C0000 \SystemRoot\system32\drivers\jsscan.sys
0xA7E77000 \SystemRoot\System32\Drivers\Fips.SYS
0xA7363000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xA7E67000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xA7E57000 \SystemRoot\System32\DRIVERS\arp1394.sys
0xA7E27000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB6F6E000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xA7E17000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xB6F6A000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xA75ED000 \SystemRoot\System32\DRIVERS\IPFilter.sys
0xA84B8000 \SystemRoot\System32\DRIVERS\usbccgp.sys
0xA75E5000 \SystemRoot\System32\DRIVERS\kbdhid.sys
0xA734B000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79C1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA75CD000 \SystemRoot\System32\drivers\Dxapi.sys
0xA84B0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7A86000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF04B000 \SystemRoot\System32\ati3d1ag.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA5BFC000 \SystemRoot\System32\DRIVERS\nwlnkipx.sys
0xAAA66000 \SystemRoot\System32\DRIVERS\nwlnknb.sys
0xA8D16000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xA5B57000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xA5AF2000 \SystemRoot\system32\drivers\wdmaud.sys
0xB6ED5000 \SystemRoot\system32\drivers\sysaudio.sys
0xF79D5000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xAAA96000 \SystemRoot\system32\drivers\jsfax.sys
0xB6D86000 \??\C:\WINDOWS\System32\drivers\NetAlrt.sys
0xB6569000 \SystemRoot\System32\DRIVERS\nwlnkspx.sys
0xA590C000 \??\C:\WINDOWS\System32\drivers\PlatAlrt.sys
0xA57EC000 \SystemRoot\System32\DRIVERS\srv.sys
0xA5283000 \SystemRoot\System32\Drivers\HTTP.sys
0xA57D0000 \SystemRoot\System32\drivers\ws2ifsl.sys
0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll
Processes (total 41):
0 System Idle Process
4 System
664 C:\WINDOWS\SYSTEM32\smss.exe
736 csrss.exe
780 C:\WINDOWS\SYSTEM32\winlogon.exe
828 C:\WINDOWS\SYSTEM32\services.exe
840 C:\WINDOWS\SYSTEM32\lsass.exe
1016 C:\WINDOWS\SYSTEM32\svchost.exe
1108 svchost.exe
1148 C:\WINDOWS\SYSTEM32\svchost.exe
1248 svchost.exe
1376 svchost.exe
1488 C:\WINDOWS\SYSTEM32\spoolsv.exe
1664 svchost.exe
1892 C:\WINDOWS\explorer.exe
2024 C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
376 C:\Program Files\Java\jre6\bin\jqs.exe
524 C:\jetsuite\JSDAEMON.EXE
536 C:\WINDOWS\SYSTEM32\taskmgr.exe
644 C:\Program Files\Thomson Financial\Thomson ONE\Softdist\TF Update.exe
748 wdfmgr.exe
1384 C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
1592 C:\Program Files\Intel\ASF Agent\ASFAgent.exe
1836 C:\Program Files\Microsoft Hardware\Mouse\point32.exe
2084 C:\WINDOWS\SYSTEM32\DSentry.exe
2156 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
2192 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
2468 alg.exe
2600 C:\WINDOWS\SYSTEM32\wscntfy.exe
2616 C:\WINDOWS\SYSTEM32\CTHELPER.EXE
2744 C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
2796 C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
2844 C:\WINDOWS\SYSTEM32\rundll32.exe
2888 C:\Program Files\Java\jre6\bin\jusched.exe
3012 C:\WINDOWS\SYSTEM32\ctfmon.exe
3096 C:\WINDOWS\SYSTEM32\rundll32.exe
3424 C:\jetsuite\JETSTAT.EXE
1360 wmiprvse.exe
3580 C:\WINDOWS\SYSTEM32\taskcgr.exe
1948 C:\Documents and Settings\All Users\Application Data\iPmEl02097\iPmEl02097.exe
3508 C:\Documents and Settings\(name)\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`01f60800 (NTFS)
PhysicalDrive0 Model Number: ST340016A, Rev: 3.75 
Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!


----------



## dvk01 (Dec 14, 2002)

download the tdsskiller.exe from the link I gave before

the zip file is corrupt & many people are having problems with it, not just you 
we are trying to let Kaspersky know it is corrupt


----------



## grensuvs (Nov 12, 2010)

I "think" I got this file. Do you still want it?

I say I "think" because I can open it, and the text is short--and we are cautioned not to post it unless asked for, but it doesn't seem like there is anything proprietary... But there must be more to it because the instructions talk about zipping/unzipping it.

I can copy the text, if you want. Or please tell me how to attach an attachment to this website, because copy/paste doesn't seem to work and I don't see a paperclip.


--grensuvs


----------



## grensuvs (Nov 12, 2010)

The malware REALLY doesn't want you to see this file.

It will allow me to email the beginning of the file (which I just did), and the end (which you have). It blocks emailing the middle. But I printed it.

I can reproduce this file for you by copying the beginning and end into an reply to you and typing in the middle. Shall I do that, or is the subject moot?

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Same problem: "error reading the file" when trying to extract files from zip.

Is there another source that isn't zipped?

--grensuvs


----------



## dvk01 (Dec 14, 2002)

look at the link
underneath the zip is a link to the .exe file http://support.kaspersky.com/downloads/utils/tdsskiller.exe


----------



## grensuvs (Nov 12, 2010)

OK, so on the link you gave, there is a tdss zip file to download and a tdsskiller exe file to download. I downloaded the zip file 3 times and tried to open: no go. It appeared that the only files in the zip file were the eula and the exe. So, realizing the exe is also on that site, downloaded and clicked on the exe.

First, clicked on the Report button: I can try to get it for you; prob. quicker to type. Not much useful info: OS Version, SP3; Product type: workstation; windows directory and System windows directory: C:\Windows; Processor architecture: Intel x86; Number of processors: 1; Page size: 0x1000; Boot type: Normal; Initialize success. That's it.

Kaspersky window then had scan button, which I clicked:

Found "Malicious objects" "Rootkit.Winew.TDSS.tdl4" Physical drive Name: \HardDisk0

Wants to know if I want to Cure, Skip, Copy to Quarantine, or Restore.

I obviously know what I'd like to do! But will wait to see if you see this.

Once that choice is selected, button at bottom says "continue".

No log file at this point. Maybe at end of scan.

****Waiting to see if you want me to Cure or Quarantine****

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Didn't see your post til after mine. Did what you said anyway.

What do you want me to do now with this crap it found?

--grensuvs


----------



## grensuvs (Nov 12, 2010)

typo problem above.

It found: Rootkit.Win32.TDSS.tdl4


----------



## dvk01 (Dec 14, 2002)

CURE

then reboot quickly


----------



## grensuvs (Nov 12, 2010)

I should "cure" then "continue" and let it finish then reboot?

Or "cure" then "continue" and abort it by the reboot?

Not sure what you mean by "quickly"...


----------



## grensuvs (Nov 12, 2010)

Also, "cure" to any other crap it finds, presumably, or maybe it's done?


----------



## grensuvs (Nov 12, 2010)

OK, I'm being a little dense there. Selected "cure" clicked "continue" asked if I wanted to reboot and I clicked on it, so it's rebooting now.


----------



## grensuvs (Nov 12, 2010)

Rebooted and wasn't quick enough to kill those 2 Ult Defragger programs in Tsk Mgr which take over resources, so rebooting again. If I get them temporarily killed in Tsk Mgr right away, I seem to get some "space" to work.


----------



## grensuvs (Nov 12, 2010)

Rebooting and hangs on the shutdown. So probably it's going to require a cold boot.


----------



## grensuvs (Nov 12, 2010)

Rebooted. Killed the 2 files in Tsk Mgr.

Message at bottom says "Critical error: Damaged hard drive clusters detected. Personal data at risk." Something like that. Had that one b4. Doesn't exactly give a person a warm feeling inside... 

Also got a message at bottom "Updates are ready for your computer. Click here to install..." Haven't seen that in awhile. Hmmm...

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Rebooted; got the Ultra Defrag files killed right away in Tsk Mgr. No hard drive error messages yet. 

Does the Ultra Defrag malware cause the hard drive problems or that the system thinks there are hard drive problems, therefore messages?

Looks like the pc is ready for the next step.

--grensuvs


----------



## dvk01 (Dec 14, 2002)

next
Delete any existing version of ComboFix you have sitting on your desktop
*Please read and follow all these instructions very carefully*
Download ComboFix from *Here* or *Here* to your Desktop.
*As you download it rename it to grensuvs123.exe*

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall* *before* performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results" or stop combofix running at all_
Click on *THIS LINK* to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts. If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this.
When finished, it will produce a report for you.
Please post the *"C:\ComboFix.txt"* for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

*Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. *

Please tell us if it has cured the problems or if there are any outstanding issues


----------



## grensuvs (Nov 12, 2010)

Got your last note.

1) How do you know if any AV is running?

I have nothing in the bottom right tray indicating that any AV is running. I have files from .housecall6.6, malwarebytes, and Winpatrol per previous note on the pc, but can't tell anything more than that.

None of these icons in bottom right; so can I proceed that they're remnants of programs and won't conflict with Combofix?

2) How do I know if there are "script blocking components" anywhere?

I know how to disable the firewall (Windows).

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Well, and I have Kaspersky now.

But I don't see anything to indicate that any of these are real-time scanning (but I'm not sure I'd know if they're doing it but not in the tray at bottom right).

Don't know how to "disable script blocking components of them or firewall" other than just disabling the firewall.

Yes, I am following these instructions VERY closely...

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Did some web searches; decided I didn't have any running AV.

Disabled MS firewall.

Clicked grensuvs123 icon on desktop.

Combofix disclaimer came up, clicked "yes."

Blue window opened with a "c:" prompt.

Separate window came up that said "Date error -- check settings" with OK button. Date was 11/16/10 (correct); time was 3:21am, which is incorrect and which I haven't been resetting, the likely cause being a battery needing replacement.

Clicked OK to check settings; window went away. Blue window went away.

Nothing else happened.

--grensuvs


----------



## grensuvs (Nov 12, 2010)

I updated the time. Restarted. 

Combofix has gotten to the point where it successfully downloaded the Windows Recovery Console.

Blue screen says: Scanning for infected files...may take 10-20 minutes...

Completed Stage_1
Completed Stage_2


Now pop up says PEV.cfxxe has encountered a problem and needs to close. Sorry for the inconvenience. Tell Microsoft or not.

That's where I'm at right now; haven't clicked anything.

So I guess malware is fighting with Combofix.

Awaiting your advice...

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Given those 2 choices, I clicked "Don't send."

Seems to be running again as it's completed Stage_7.

--grensuvs


----------



## grensuvs (Nov 12, 2010)

ComboFix 10-11-16.02 - (name) 11/16/2010 16:02:47.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1646 [GMT -7:00]
Running from: c:\documents and settings\(name)\Desktop\grensuvs123.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\iPmEl02097
c:\documents and settings\All Users\Application Data\iPmEl02097\iPmEl02097
c:\documents and settings\All Users\Application Data\iPmEl02097\iPmEl02097.exe
c:\documents and settings\(name)\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\(name)\Application Data\completescan
c:\documents and settings\(name)\Application Data\Fiabpo
c:\documents and settings\(name)\Application Data\Fiabpo\susy.dug
c:\documents and settings\(name)\Application Data\Fiabpo\susy.tmp
c:\documents and settings\(name)\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\(name)\g2mdlhlpx.exe
c:\documents and settings\(name)\GoToAssistDownloadHelper.exe
c:\documents and settings\(name)\Local Settings\Application Data\{0A02CA6B-8EA3-4534-AED4-4242F17FA9E9}
c:\documents and settings\(name)\Local Settings\Application Data\{0A02CA6B-8EA3-4534-AED4-4242F17FA9E9}\chrome.manifest
c:\documents and settings\(name)\Local Settings\Application Data\{0A02CA6B-8EA3-4534-AED4-4242F17FA9E9}\chrome\content\_cfg.js
c:\documents and settings\(name)\Local Settings\Application Data\{0A02CA6B-8EA3-4534-AED4-4242F17FA9E9}\chrome\content\overlay.xul
c:\documents and settings\(name)\Local Settings\Application Data\{0A02CA6B-8EA3-4534-AED4-4242F17FA9E9}\install.rdf
c:\windows\adeyetof.dll
c:\windows\settings.reg
c:\windows\system32\drivers\npf.sys
c:\windows\system32\explore.exe
c:\windows\system32\lspF.dll
c:\windows\system32\Packet.dll
c:\windows\system32\Prouycfg.dll
c:\windows\system32\taskcgr.exe
c:\windows\system32\wpcap.dll
c:\windows\VICTMIR.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2010-10-16 to 2010-11-16 )))))))))))))))))))))))))))))))
.
2010-11-16 16:13 . 2010-11-16 16:13 82944 ----a-w- c:\windows\system32\drivers\sst8.sys
2010-11-16 16:13 . 2010-11-16 16:13 118784 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\sst7.tmp
2010-11-16 16:13 . 2010-11-16 16:13 0 ----a-w- c:\windows\system32\drivers\sst8.tmp
2010-11-16 08:40 . 2010-11-16 08:40 82944 ----a-w- c:\windows\system32\drivers\sst5.sys
2010-11-16 08:40 . 2010-11-16 08:40 118784 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\sst4.tmp
2010-11-16 08:40 . 2010-11-16 08:40 0 ----a-w- c:\windows\system32\drivers\sst5.tmp
2010-11-16 07:47 . 2010-11-16 07:47 0 ----a-w- c:\windows\system32\lspF.tmp
2010-11-12 12:31 . 2010-11-12 12:31 53248 ----a-w- c:\windows\system32\drivers\sst36.sys
2010-11-12 12:31 . 2010-11-12 12:31 118784 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\sst35.tmp
2010-11-12 12:31 . 2010-11-12 12:31 0 ----a-w- c:\windows\system32\drivers\sst36.tmp
2010-11-10 21:25 . 2010-11-12 11:47 -------- dc----w- c:\windows\system32\DRVSTORE
2010-11-10 21:25 . 2010-11-10 21:25 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-10 21:22 . 2010-11-10 21:22 -------- d-----w- c:\documents and settings\(name)\Local Settings\Application Data\Sunbelt Software
2010-11-10 17:32 . 2010-11-10 17:32 -------- d-----w- c:\windows\system32\MpEngineStore
2010-11-09 22:02 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-09 22:02 . 2010-11-09 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-09 22:02 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-09 20:07 . 2010-11-09 20:07 -------- d-----w- c:\documents and settings\(name)\Application Data\WinPatrol
2010-11-09 19:20 . 2010-11-09 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-11-09 19:20 . 2010-11-09 19:20 -------- d-----w- c:\program files\IObit
2010-11-09 18:08 . 2010-11-09 18:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\WhiteSmokeTranslator
2010-11-09 18:02 . 2010-11-09 18:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-11-09 18:02 . 2010-11-09 18:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\whitesmoketoolbar
2010-11-09 18:01 . 2010-11-09 18:01 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-05 22:22 . 2010-11-05 22:22 11264 ----a-w- c:\windows\DCEBoot.exe
2010-11-05 19:23 . 2010-11-05 19:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-05 02:58 . 2010-11-05 02:58 -------- d-----w- c:\documents and settings\(name)\Application Data\Malwarebytes
2010-11-04 22:07 . 2010-11-16 15:57 0 ----a-w- c:\windows\Fxuneraxi.bin
2010-11-04 22:03 . 2010-11-05 04:13 -------- d-----w- c:\documents and settings\(name)\Application Data\Meywl
2010-11-04 22:03 . 2010-11-05 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\kKjHi02001
2010-11-04 22:03 . 2010-11-05 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-11-04 19:48 . 2010-11-04 19:48 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 18:23 . 2002-08-29 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2002-08-29 11:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2002-08-29 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2002-08-29 11:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2002-08-29 11:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2002-08-29 11:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2002-08-29 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2002-08-29 11:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2002-08-29 11:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 14:59 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2002-08-29 11:00 617472 ----a-w- c:\windows\system32\comctl32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-15 28672]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-09-20 290816]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-02 684032]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2002-09-13 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"CTHelper"="CTHELPER.EXE" [2002-09-03 24576]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-08-13 40960]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"P17Helper"="P17.dll" [2005-05-03 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-11 149280]
c:\documents and settings\(name)\Start Menu\Programs\Startup\
Timer.exe [2002-8-14 253952]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP LaserJet 3150 Status.lnk - c:\jetsuite\JETSTAT.EXE [2003-2-7 147456]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\MktData\\WS_XFER.EXE"=
"c:\\MktData\\ILX.EXE"=
"c:\\Program Files\\Thomson Financial\\Thomson ONE\\sharedrdc.exe"=
"c:\\Program Files\\Thomson Financial\\Thomson ONE\\ThomsonONE.exe"=
R1 jsmux;jsmux;c:\windows\SYSTEM32\DRIVERS\JSMUX.SYS [2/7/2003 10:25 AM 173880]
R1 jsscan;jsscan;c:\windows\SYSTEM32\DRIVERS\JSSCAN.SYS [2/7/2003 10:25 AM 56672]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [8/7/2002 4:34 AM 221184]
R2 jsfax;jsfax;c:\windows\SYSTEM32\DRIVERS\JSFAX.SYS [2/7/2003 10:25 AM 59604]
R2 NetAlrt;NetAlrt;c:\windows\SYSTEM32\DRIVERS\Netalrt.sys [5/7/2002 3:05 PM 39680]
R2 PlatAlrt;PlatAlrt;c:\windows\SYSTEM32\DRIVERS\platalrt.sys [5/7/2002 3:06 PM 23744]
R2 TF Update;TF Update;c:\program files\Thomson Financial\Thomson ONE\Softdist\TF Update.exe [11/6/2003 10:54 AM 225329]
R3 ctgame;Game Port;c:\windows\SYSTEM32\DRIVERS\ctgame.sys [3/25/2009 5:57 PM 10368]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/30/2010 8:39 AM 136176]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\SYSTEM32\DRIVERS\COMMONFX.sys [6/27/2008 7:21 PM 99352]
S3 COMMONFX;COMMONFX;c:\windows\SYSTEM32\DRIVERS\COMMONFX.sys [6/27/2008 7:21 PM 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTAUDFX.sys [6/27/2008 7:21 PM 555032]
S3 CTAUDFX;CTAUDFX;c:\windows\SYSTEM32\DRIVERS\CTAUDFX.sys [6/27/2008 7:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTERFXFX.sys [6/27/2008 7:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\SYSTEM32\DRIVERS\CTERFXFX.sys [6/27/2008 7:21 PM 100888]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTSBLFX.sys [6/27/2008 7:21 PM 566296]
S3 CTSBLFX;CTSBLFX;c:\windows\SYSTEM32\DRIVERS\CTSBLFX.sys [6/27/2008 7:21 PM 566296]
S4 jsdbg;jsdbg;c:\windows\SYSTEM32\DRIVERS\JSDBG.SYS [2/7/2003 10:25 AM 50352]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C6FEE402-7A92-4743-8DFF-89F38C3AFEED}]
2007-07-20 02:44 705 ----a-w- c:\program files\PDFcamp\PDFcampCUCheck.vbs
.
Contents of the 'Scheduled Tasks' folder
2010-11-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-27 15:07]
2010-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 15:39]
2010-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 15:39]
2010-06-19 c:\windows\Tasks\SpriDown.job
- c:\program files\Research Insight\SpriDown.exe [2008-06-04 20:08]
2010-11-16 c:\windows\Tasks\User_Feed_Synchronization-{43FCE88C-2D25-4922-9940-084C3D0A59E4}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: ndr.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {36632AC2-F115-4285-B9D2-B558771C641F} - hxxp://articles1.williamoneil.com/install51/install51.cab
DPF: {4194D6AF-D589-4673-B5E0-6A1222C95588} - hxxp://wondacharts.williamoneil.com/wreport2/ocx/WonIEAutomation.ocx
DPF: {4CB3C837-368E-4258-BF8F-E12317BF8AD4} - hxxp://www.tfservicecenter.com/TONEUpgradeFiles/090608/sysreqs.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-RemoteControl - (no file)
HKCU-Run-RemoteCenter - (no file)
HKCU-Run-Tpokiyalo - c:\windows\VICTMIR.dll
HKLM-Run-RemoteCenter - (no file)
HKLM-Run-POINTER - point32.exe
HKLM-Run-Omomayikovuviya - c:\windows\adeyetof.dll
HKLM-Run-GMorphCl - c:\windows\system32\taskcgr.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-16 16:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" /run?Z?A~d???*[email protected][email protected]@@????|[email protected]@?????>??w????H;3?H??????|???|???????|?'?sH;3????????s????????D???????????????????,[email protected]@@?D???`|?w[email protected] 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3759496869-3230869447-1948029799-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1220)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\jetsuite\jsdaemon.exe
c:\program files\Microsoft Hardware\Mouse\point32.exe
c:\windows\system32\Rundll32.exe
c:\windows\System32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-11-16 16:42:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-16 23:42
Pre-Run: 15,615,016,960 bytes free
Post-Run: 16,352,129,024 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - C8F9A6FA136655FF515CBF99087BE289

******

Progress! Thank you!

Next step?

--grensuvs
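A small triage pass over the ComboFix log format shown in the post above, as an added example that is not part of the thread or of ComboFix: it splits the log into its banner sections, parses the Files Created, Run and orphan lines, and flags the kinds of entries ComboFix removed here (random-looking folder names, a space before an extension, zero-byte files under the Windows directory, an unexpanded %APPDATA% path, a Run entry loading a DLL from the Windows root). The heuristics and the sample excerpt are my assumptions built from that log, not ComboFix's own rules.

```python
"""Triage helper for the ComboFix log format posted above. Added example, not
part of the thread or of ComboFix; the heuristics are assumptions drawn from
the entries ComboFix removed in that log, not ComboFix's own rules."""
import re
from typing import Iterator, List, Tuple

# Section banners look like "(((((( Other Deletions ))))))".
SECTION_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")
# Files Created lines: created . modified size attrs path ("--------" size = directory).
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# Run values ("Name"="target" [date size]) and orphan lines (HKLM-Run-Name - target).
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"(?:\s+\[[^\]]*\])?$')
ORPHAN_RE = re.compile(r"^(?P<key>HK(?:LM|CU)-\S+) - (?P<target>.+)$")
# Five letters then five digits, like the deleted iPmEl02097 / kKjHi02001 folders (assumed).
RANDOM_NAME_RE = re.compile(r"\\[A-Za-z]{5}\d{5}(?:\\|$)")

def iter_sections(log: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (banner name, non-empty lines) per section; ComboFix's '.' spacer
    lines are dropped and text before the first banner is labelled 'header'."""
    name, lines = "header", []
    for raw in log.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            yield name, lines
            name, lines = banner.group("name"), []
        elif line and line != ".":
            lines.append(line)
    yield name, lines

def path_findings(path: str) -> List[str]:
    """Name-based checks that apply to any file or folder path in the log."""
    low = path.lower()
    reasons = []
    if re.search(r"%[a-z]+%", low):
        reasons.append("unexpanded environment variable in path")
    if RANDOM_NAME_RE.search(path):
        reasons.append("random-looking folder name")
    if re.search(r"\s\.[a-z0-9]+$", low):
        reasons.append("whitespace before file extension")
    return reasons

def autorun_findings(target: str) -> List[str]:
    """A Run target that is a DLL sitting directly in the Windows directory (not
    system32) is how the log's adeyetof.dll and VICTMIR.dll were being loaded."""
    low = target.strip().lower()
    if low.endswith(".dll") and low.startswith("c:\\windows\\") and low.count("\\") == 2:
        return ["autorun loads a DLL placed directly in the Windows directory"]
    return []

def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return sorted, de-duplicated (section, path or target, reason) findings."""
    findings = set()
    for section, lines in iter_sections(log):
        for line in lines:
            created = CREATED_RE.match(line)
            if created:
                path = created.group("path")
                if created.group("size") == "0" and path.lower().startswith("c:\\windows\\"):
                    findings.add((section, path, "zero-byte file under the Windows directory"))
                for reason in path_findings(path):
                    findings.add((section, path, reason))
            elif line.lower().startswith("c:\\"):  # bare paths (Other Deletions, processes)
                for reason in path_findings(line):
                    findings.add((section, line, reason))
            else:
                entry = RUN_RE.match(line) or ORPHAN_RE.match(line)
                if entry:
                    for reason in autorun_findings(entry.group("target")):
                        findings.add((section, entry.group("target"), reason))
    return sorted(findings)

# Constructed excerpt: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
(((((( Other Deletions ))))))
.
c:\documents and settings\All Users\Application Data\iPmEl02097\iPmEl02097.exe
c:\documents and settings\(name)\Application Data\Adobe\AdobeUpdate .exe
(((((( Files Created from 2010-10-16 to 2010-11-16 ))))))
2010-11-16 16:13 . 2010-11-16 16:13 82944 ----a-w- c:\windows\system32\drivers\sst8.sys
2010-11-16 16:13 . 2010-11-16 16:13 0 ----a-w- c:\windows\system32\drivers\sst8.tmp
2010-11-09 18:01 . 2010-11-09 18:01 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-09 22:02 . 2010-11-09 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
(((((( Reg Loading Points ))))))
"P17Helper"="P17.dll" [2005-05-03 64512]
- - - - ORPHANS REMOVED - - - -
HKLM-Run-POINTER - point32.exe
HKLM-Run-Omomayikovuviya - c:\windows\adeyetof.dll
"""

if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {item}\n    -> {reason}")
```

Every flag is a prompt for a human reader of the log, not a verdict; legitimate entries such as P17.dll, the Malwarebytes folder and the real sst8.sys driver file are left alone in the sample.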


----------



## grensuvs (Nov 12, 2010)

AV/Internet Security--

Since you've been doing this for awhile, how do you have your computer protected?

One of the next things I need to do b4 going much further with the clean-out is download AV/Int.Security again for my pc.

What do you use, or from your experience, what programs seem to let the least junk through?

--grensuvs


----------



## dvk01 (Dec 14, 2002)

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE* and choose desktop in the list of selections in that window & press save)
*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished *
Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum *

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

or to 
http://www.bleepingcomputer.com/submit-malware.php?channel=38


----------



## grensuvs (Nov 12, 2010)

Hello,

1 file like "[38] Submit" was produced and uploaded/attached to spykiller.

_For privacy, if there are any references of my name or identifying info, could you let me know that you removed them, please, before sending the file around per your post._

During Combofix run, same error of PEV.cfxxe has encountered a problem and needs to close appeared. (Clicked: Don't send.)

Said "webserver appears to be temporarily inaccessible" and "Submissions form created at c:\CF-submit.htm; use it to manually upload later." I have that file but didn't see it then so used the spykiller site.

I have the Combofix .txt log file also, but you didn't ask for it so haven't copied it here cuz I'm thinking you don't need it. But sure can put it here if you want to see it.

What does the quarantine file have to say? (I didn't think it wise to try to open/read it.)

--grensuvs


----------



## grensuvs (Nov 12, 2010)

By the way, if this helps,

1) I never asked for, and don't want the Whitesmoke translator/toolbar or other Whitesmoke files (it came with the mess);

2) I'm not sure what the Google updater type files are for (unless it's part of Earth); I just use google for search without any features. I don't recall nor think I ever set up something that updates google, or with google, on an ongoing basis (task scheduler, etc.).

--grensuvs


----------



## dvk01 (Dec 14, 2002)

If you want me to continue to help, YOU MUST NOT edit any user names or references out from any of the logs 
If you do that we cannot fix the entries, files, folders etc as we don't know what they are

You can sort out google updater etc after we get rid of the malware 
Google always has entries in add/remove programs

Delete any existing cfscript from desktop 
Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE* and choose desktop in the list of selections in that window & press save)

*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished *

Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. *Post the contents of Combofix.txt in your next reply *.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum *


----------



## grensuvs (Nov 12, 2010)

Hi dvk01,

The only editing I've done is to replace my real name with "(name)" (a folder title under documents and settings) which I thought was an obvious and irrelevant edit to the repair, and maintains my privacy on the net.

Yes, I definitely want your continued help!

Is there no other option than to have the person's real name all over the internet as part of these log files, which removes privacy, and also specifically conveys to hackers exactly what's on a particular person's computer? 

Starting your next step now,

--grensuvs


----------



## dvk01 (Dec 14, 2002)

Unfortunately that is the one area where we have to have the full & correct folder name to be able to get the files for examination or to be able to delete them

we are keeping everything out of public view as attachments in the malware forum can only be seen by the user (you) and the authorised malware cleaners and of course any mods or forum admin. they are not viewable to anybody else

I understand your desire for privacy but the only other option is for you to take the computer to a repair shop & pay for it to be fixed

Hackers can't get any useful info from the log files

you can always attach the combofix.txt to your replies if you would rather do that instead of pasting them in


----------



## grensuvs (Nov 12, 2010)

I'll try attaching the file; otherwise I'll just post it as is.

You'll have it momentarily.

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Thanks! I didn't know I could attach files to posts.

I'm attaching combofix file with this reply...

Notes from combofix run (which you already may know, but trying to be helpful):

1) PEV.cfxxe file problem pop-up again.

2) Multi-timer window popped up toward the end of Combofix run. Didn't seem to interfere with combofix running. (This is a short timer file that I did download some years back--just a timer that runs on the desktop.) 

--grensuvs


----------



## dvk01 (Dec 14, 2002)

how is it now

are you still getting any problems or has it all cleared up


----------



## grensuvs (Nov 12, 2010)

Well, the site didn't register my user/passwd or bumped me out for some reason so didn't record the last detailed reply. So I get to retype. Nice. So, in a minute...or more...
--grensuvs


----------



## grensuvs (Nov 12, 2010)

dvk01,

Well, I haven't done anything on my pc without your go-ahead, and it's not even physically hooked to the internet unless I was doing one of your routines. I also haven't downloaded fresh AV as I didn't want to possibly install over malware, which is another reason I haven't gotten on the internet much (still using another pc, now).

Here's what I know:

Positives:

1) Machine resources are running really "quiet" since first combofix. No resource run-ups since the two files previously mentioned in my posts are gone. No hard-drive error messages (so far at least). Huge improvement! Thank you.

2) Connected to Microsoft update site and it ran a check of my pc. Huge improvement! Thank you. It said there were no updates needed, so I don't know if they would download and install.

3) Java said there was an update, so I installed it, and it seemed to work.

4) As I said, though I haven't been on the internet much at all, no redirects and pop-ups so far. I seem to recall that when I previously tried to get to the Msft Update site, there would routinely be a redirect, so I'm going to say/hope for now that there is a >50% probability that that is fixed.


Negatives and Misc.

1) Still no sound from anywhere, anytime, any noise. But I also might not be able to test that adequately until tomorrow. (Seems like the start-up Audigy page was uninstalled and that's fine, but I don't know if that would affect sound, or if that's hooked up or unhooked in favor of MediaPlayer or whatever is with Windows with the repair.)

2) Perhaps minor negative, but on reboot, after the Dell screen, the pc always has to go through a black, bios-type-looking screen and it has to choose Win XP Pro, I think. Happens automatically. Then boots Microsoft logo, etc. It never had to go through this intermediate step before. It's like it has to boot briefly into safe mode to start.

3) Still have Ultra Defragger icon on desktop and All Programs. Under All Programs, choices are "Ultra Defragger" and "Uninstall Ultra Defragger". Of course, I haven't ever clicked either. Used to be that Explore would show Ultra Defragger folder, but now that seems to be gone. (And the resource-hog startup exe's are gone, thanks again.)

4) Have remnants of several AV security programs on pc. Is there a link you could email to clean out these, b4 I download/install fresh AV security?


to be continued...

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Questions:

1) Should I download AV internet security and run it through some paces (ongoing hook to internet, downloads, etc)?

2) Should I re-run the HJT and other logs you requested at the beginning (right now or after AV security installed?) and see if anything shows up?

Thank you.

--grensuvs


----------



## dvk01 (Dec 14, 2002)

the black screen is because we installed the recovery console when we first used combofix
it adds about 2 seconds to boot time but is well worth having if we ever need to replace any files or remove rootkits

download & install an antivirus

try http://www.appremover.com/ to get rid of all bits of left over security program,
then

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START* then * RUN*
* Now type *Combofix /Uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the */U*, it needs to be there.

This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here *http://www.thespykiller.co.uk/index.php?page=3* for info on how to tighten your security settings and how to help prevent future attacks.

and scan here *http://secunia.com/software_inspector/* for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place

reinstall your sound drivers


----------



## grensuvs (Nov 12, 2010)

I download new antimalware software (AV) first, and then run the cleaner? (Seems like it would be the other order, or wouldn't the cleaner remove the new antimalware software?)

How do I get rid of the Ultra Defragger listings? Safe to right-click and delete?

--grensuvs


----------



## dvk01 (Dec 14, 2002)

yes just delete them


----------



## grensuvs (Nov 12, 2010)

Just to let you know so you don't think I disappeared, I'm still working on this...

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Still working on it...
--grensuvs


----------



## grensuvs (Nov 12, 2010)

Back on this after celebrating Thanksgiving...
--grensuvs


----------



## grensuvs (Nov 12, 2010)

Still checking.

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Hello dvk01,

I am working through your latest instructions.

1) After far too many hours researching new AV (on another pc) from which I didn't learn enough to justify the research, downloaded/installed new AV and started running a quick scan b4 I realized you hadn't instructed it, so cancelled it. 

2) appremover picked up nothing (but the newly installed AV), so still have Symantec bits and Housecall6.6...

3) either during appremover or Combofix removal, new AV popped up window that said I had "Trojan:Win32/Hiloti.gen!D"; I removed it (theoretically). I've seen this one b4, so don't know if the prior removal didn't remove it, or the new AV found it in the Combofix quarantine file or something...

4) removed Combofix.

5) read your spykiller notes,

6) used Secunia: identified 2 KB updates needed for MS which had to do with Office (didn't think not having Office updates could be a security breach); downloaded those and they installed.

7) Secunia also said Adobe Reader had an update from 8.1.2.86 to 8.2, and Adobe Flash needed an update. Started Reader update, and it failed to install. Twice. (Never had a problem with Reader b4 malware attack.)

Have uninstalled Reader totally and am in process of redownload. Haven't tried flash updates yet.

If those install, will visit Windows updates and see if that goes forward (if it's different from above). And run a long scan with new AV.

Question: malware seems to have knocked out the ability of my mouse to pick up that it is set for left hand. (IntelliMouse Explorer 3.0) Under Control Panel/Mouse, the left button is set for right-click and the right button is set at click--which is correct for LH, but it doesn't do it! If I change the setting to default (which sets the buttons the opposite way), and then change it back, it works, but only for that session. So every session it starts backwards...

Is there some other global place that I need to set this? Any ideas?

More later,

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Hi dvk01,

Redownloaded Reader and it seemed to install fine.

I guess I should ask--

Should I be running some antimalware scans now?

I thought it was clean after the Combofixes, but I should have asked. So perhaps the last note about the Hiloti trojan was that it was still there and live?

In any event, after Reader I did a quick scan with Malwarebytes and it came up with 5:

First through third: "PUP.WhiteSmoke", Category=Registry Key:
1st) HKEY_CLASSES_ROOT\CLSID\...
2nd) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings...
3rd) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats...

...after all the "..." are numbers and letters which I can get for you if you want them.

Fourth: "Trojan.Agent" in category "file" and it's in c:\documents and settings\username\application data\Adobe\plugs\kb1776687.exe
Fifth: "Malware.Trace" in category "file" and: c:\WINDOWS\SYSTEM32\iexplore.sy_

Mbam has the last 2 checked for removal.

I will keep the pc turned on and left at that screen and hope you see this note sometime tomorrow morning your time and advise if you want me to have Mbam remove those two, or all, or exit out and use your approach.

Awaiting your reply, and thanks,

--grensuvs


----------



## dvk01 (Dec 14, 2002)

Let mbam remove whatever it finds.

What new AV did you install?

Uninstall Reader 8 completely & install the latest version of Reader 10 or Reader X (whichever version it suggests when you go to adobe.com & select Get Reader).


----------



## grensuvs (Nov 12, 2010)

On previous note: I had already uninstalled/reinstalled Reader to the latest version.

AV is MS Security Essentials.

Clicked the other 3 mbam items in mbam window and had it remove all 5. I hope that's what your note meant.


Any recommendations/thoughts on mouse, from previous note?

After rest of updates, can I run full scans?

Should I run HiJackThis again and/or others and send you the reports to see if there is still malware?

--grensuvs


----------



## dvk01 (Dec 14, 2002)

Just do regular full scans with MSE & Mbam & let them fix whatever they find.

Unless they keep finding things there is no point in further logs, but if they keep finding things then there is likely to be a hidden dropper still there somewhere.


----------



## dvk01 (Dec 14, 2002)

uninstall intelipoint software & download updated version from
http://www.microsoft.com/hardware/d...MK&type=Mouse&name=B75-00113&os=XP_32&lang=en


----------



## grensuvs (Nov 12, 2010)

Thank you, I'll be back later today.

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Hello dvk01,

MSE full scan ran clean. Hooray!

Mouse now works. Hooray!

Obviously, I've been getting into and downloading from MS Update...Hooray!!

MS update for Creative Sound Blaster failed to install. Ugh! 

(I have Creative SB Audigy 2, Driver version 1.4.60.) Unfortunately, no sound from MS Media Player either. Will work more on it and get back...

PC running sllooowww... Suggestions? (I regularly delete temp files, r. bin, clean out and defrag via System Tools. And I don't keep history. So not those.)

Running full scan with mbam. Jury's out. B4 I ever typed into this forum, I ran 2 (I think) deep scans with mbam and it cleaned some stuff, but then ran clean when it wasn't. Do you have another recommendation for a good on-demand scan with a different (complementary) approach than mbam that I can download and try (that won't have a problem with MSE and mbam on board)? I would feel more comfortable if another one came back clean too since mbam gave a false indication b4...

Thank you,

--grensuvs


----------



## dvk01 (Dec 14, 2002)

try Superantispyware (SAS)


----------



## grensuvs (Nov 12, 2010)

Sound still dead. (I have Creative Audigy 2 (no other letters, etc., just "2") card and Cambridge Soundworks 510D speakers.) Still working on it.

Mbam ran clean. 'Don't know that I totally believe it though per previous message; any other suggestion for another scanner with a different approach to make sure?

"Microsoft Interactive Training" has a red circle with line slashed through it. Not sure how to fix that; if I uninstall it and do a Win Update will it download it again?

--grensuvs


----------



## dvk01 (Dec 14, 2002)

I think you need to start a new topic in hardware about the sound.


----------



## grensuvs (Nov 12, 2010)

OK on the sound subject. Still dead.

I just got a redirect again this morning, so have updated mbam and will run full and see what it finds. This is after everything is updated and new AV, etc. Maybe there is some sort of "dropper" as you said b4 that kicks off later, or after certain keystrokes...

I hope mbam will identify it...

--grensuvs


----------



## dvk01 (Dec 14, 2002)

Let's start again.
Delete any existing version of ComboFix you have sitting on your desktop.
*Please read and follow all these instructions very carefully*
Download ComboFix from *Here* or *Here* to your Desktop.
*As you download it rename it to username123.exe*

*Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer*
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall* *before* performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results" or stop ComboFix running at all.
Click on *THIS LINK* to see instructions on how to temporarily disable many security programs while running ComboFix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again after ComboFix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running.
Double click on *combofix.exe* & follow the prompts. If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this.
When finished, it will produce a report for you.
Please post the *"C:\ComboFix.txt"* for further review.

*Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze*

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns.

*Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If ComboFix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.*

Please tell us if it has cured the problems or if there are any outstanding issues


----------



## grensuvs (Nov 12, 2010)

From my last post, and b4 starting your instructions:

1) mbam reported clean.

2) MSE found something like "trojan: direct.html", which I removed.

Got a redirect again this morning; updated and running MSE.

Read and printed your note. Since I had already started a full version of MSE check, I will run your Combofix instructions, _exactly_ (as I did last time for that matter) once MSE is done.

Thanks for hanging in there until these germs are totally wiped out (or I suppose they're just going to lie in wait to overrule again).

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Changed my mind; didn't see point in letting MSE run and waiting 4+ hrs for full scan, so killed MSE scan and starting your CFix routine...

--grensuvs


----------



## grensuvs (Nov 12, 2010)

Hi dvk01,

Downloaded and installed new Cfix per instructions; after Stage 2 in Cfix window, window popup said: PEV.cfxxe has detected a problem and needs to close..send message to Msoft? I clicked no. Cfix kept running, rebooted the pc.

Now the Windows login window is up and at "To begin, click your user name"--

I don't recall having to do that b4--and it's not in the instructions--so just waited, for close to 20 min. I don't know which way is "dumber" to wait when I should log in or be patient...?

Decided to go ahead and log in.

Cfix window says it's preparing the log report.

So I logged in and that's the only thing I did different from the instructions...

Back soon.

--grensuvs


----------



## grensuvs (Nov 12, 2010)

That PEV.cfxxe sounds like a Combofix file--so did some Cfix file not run, close, and results won't be valid?


----------



## grensuvs (Nov 12, 2010)

Awaiting your instructions...


----------



## dvk01 (Dec 14, 2002)

Nothing showing there.
I think we are getting to the limit of what we can do for you on a forum.

Do you use a router?

Reset the router to factory settings or set the DNS servers on the router to OpenDNS or Google DNS to make sure that it isn't a hijacked DNS setting on the router.
I think it must be the router as nothing is showing in the logs.
See here for a list of public DNS servers:
http://hijack-this.co.uk/2010/09/list-of-public-dns-services/
The ClearCloud page has quite good instructions on how to set it up on most routers.
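A check that follows from the router advice above, added here as an example and not taken from the thread: it parses the DNS Servers field of Windows `ipconfig /all` output (the multi-line form XP prints) and flags any resolver that is neither on the LAN (the router itself) nor one of the public resolvers the owner chose. The sample output and the 203.0.113.53 resolver are constructed.

```python
from ipaddress import ip_address, ip_network
# Constructed sample in the shape of an XP-era "ipconfig /all" adapter
# section; the second resolver is neither the router nor a chosen public one.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""

# Resolvers the owner deliberately chose (Google DNS and OpenDNS, as the post suggests).
KNOWN_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

def parse_ipconfig(text):
    """Pull ip, mask, gateway and the DNS server list out of one adapter
    section. Extra DNS servers sit on continuation lines that carry only
    an address, so keep collecting until the next labelled line."""
    fields = {"dns": []}
    collecting = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            collecting = False
            continue
        if ":" in stripped:
            label, _, value = stripped.partition(":")
            label, value = label.rstrip(" ."), value.strip()
            collecting = label == "DNS Servers"
            if label == "IP Address":
                fields["ip"] = value
            elif label == "Subnet Mask":
                fields["mask"] = value
            elif label == "Default Gateway":
                fields["gateway"] = value
            elif collecting and value:
                fields["dns"].append(value)
        elif collecting:
            fields["dns"].append(stripped)
    return fields

def suspicious_dns(fields, allowed=KNOWN_PUBLIC_DNS):
    """Flag resolvers that are neither on the LAN (the router itself)
    nor one of the public resolvers the owner chose."""
    lan = ip_network(f"{fields['ip']}/{fields['mask']}", strict=False)
    return [s for s in fields["dns"]
            if s not in allowed and ip_address(s) not in lan]
```

Paste the real `ipconfig /all` text in place of the constructed sample; a resolver that is flagged here but never configured by you is the router-level DNS change the post describes.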


----------

