# To Help Protect Your Security, Internet Explorer has blocked this website....



## nerythebest (Jan 17, 2009)

To Help Protect Your Security, Internet Explorer has blocked this website from displaying content with security certificate errors. Click here for options...

So I been getting this same thing on almost everysingle website I go to. Thi pop-up is always on even when I turn off pop ups and I don't relally know how to stop this annoying thing. There is also a sound eveytime it comes up, it usually comes up after like 2 seconds of just getting into a website. I'm running XP and IE 7.


----------



## leroys1000 (Aug 16, 2007)

In internet explorer,click tools/internet options.
Click the security tab.
Uncheck enable protected mode.
Click apply/ok.
See if that helps.
If the menu is not showing,right click the top of
the window and click menu.


----------



## nerythebest (Jan 17, 2009)

There is no such thing as enable protected mode in the security tab.


----------



## leroys1000 (Aug 16, 2007)

Sure your using ie7?
http://pcsupport.about.com/od/fixtheproblem/ht/protectmodeie7.htm


----------



## nerythebest (Jan 17, 2009)

Protected Mode in not available with Internet Explorer 7 when installed on Windows XP. Windows Vista is the earliest operating system that supports Protected Mode in IE7.

I have Windows XP


----------



## dvk01 (Dec 14, 2002)

follow advice *here* and post the logs those programs make


----------



## nerythebest (Jan 17, 2009)

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Owner at 23:05:25.53 on Tue 07/05/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.603 [GMT -5:00]
AV: Live Security Suite *On-access scanning disabled* (Updated) {5A3E1814-1F69-4106-97D1-034BBD69EBAC}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {bdea95cf-f0e6-41e0-bd3d-b00f39a4e939} - ShopperReports
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; AskTB5.4)" -"http://www.addictinggames.tv/driversed.php"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DB38E21A-0133-419d-92AD-ECDFD5244D6D} - {3E2DFD6A-4E20-4d4c-AA8B-E1F9DBEF3C80}
IE: {EB620C54-E229-4942-87CE-E717109FC8C6} - {714E0876-FCEE-49ce-A429-B9AD8AEFCB56}
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250697737311
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-19 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-11-16 50704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 fioo64;fioo64;c:\windows\system32\SvchOst.eXE -k fioo64 [2004-8-4 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-13 136176]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-12-1 1527900]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2009-12-1 544768]
=============== Created Last 30 ================

==================== Find3M ====================
2009-08-21 02:04:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-08-21 02:03:53 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082020090821\index.dat
2009-08-21 02:04:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
============= FINISH: 23:06:01.48 ===============

*GMER: There was nothing found. NO logs after the scan. Not sure if I needed to post something for that scan. *


----------



## dvk01 (Dec 14, 2002)

a couple of things

first your system tiem is 1 year in advance & that is probably why you are getting security errors on sites

change system time to correct date, this shows you how http://www.ehow.com/how_5541_change-time-computers.html

then

you have had a rogue/fake antivirus at some time with signs of left overs & no obvious installed or running antivirus

lets get it all cleared up before you install a new Antivirus

Delete any existing version of ComboFix you have sitting on your desktop
*Please read and follow all these instructions very carefully*​
Download ComboFix from *Here* or *Here*to your Desktop.

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall*_* before* _performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results" or stop combofix running at all_
Click on *THIS LINK * to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this 
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" * for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns

*Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. *

Please tell us if it has cured the problems or if there are any outstanding issues


----------



## nerythebest (Jan 17, 2009)

So when I changed the time to 2010 it seemed to fix the problem. No more pop-ups and everything looked fine. I still ran the combofix just in case. NO everything is running good. Just a quick question, I was running avira antivir but my license expired like 3 days ago. Could u give some antiviruses that are good.

Thanks for all ur help, couldn't have done it without it.


----------



## dvk01 (Dec 14, 2002)

post the combofix report please because teh dds log is definitely showing some signs of malware that need fixing


----------



## nerythebest (Jan 17, 2009)

Here is the combofix report

ComboFix 10-07-06.05 - Owner 07/07/2010 3:45.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.708 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Live Security Suite *On-access scanning disabled* (Updated) {5A3E1814-1F69-4106-97D1-034BBD69EBAC}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\BarDiscover
c:\documents and settings\Owner\Application Data\chrtmp
c:\program files\BarDiscover
c:\program files\BarDiscover\bardiscover.dll
c:\program files\BarDiscover\uninstall.exe
c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
c:\program files\QuickTime\Plugins\npqtplugin2.dll
c:\program files\QuickTime\Plugins\npqtplugin3.dll
c:\program files\QuickTime\Plugins\npqtplugin4.dll
c:\program files\QuickTime\Plugins\npqtplugin5.dll
c:\program files\QuickTime\Plugins\npqtplugin6.dll
c:\program files\QuickTime\Plugins\npqtplugin7.dll
c:\windows\system32\vbzlib1.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FIOO64
-------\Service_fioo64

((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.
2010-06-16 20:51 . 2010-06-16 20:51 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2010-06-14 02:20 . 2010-06-14 02:20 217088 ----a-w- c:\windows\Alcrmv.exe
2010-06-14 02:15 . 2010-06-14 02:15 -------- d-----w- c:\documents and settings\All Users\Uniblue
2010-06-14 01:10 . 2010-06-14 02:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2010-06-13 21:37 . 2010-06-13 21:37 -------- d-----w- c:\program files\WinPcap
2010-06-13 21:37 . 2010-06-13 21:39 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\OpenCandy
2010-06-13 21:36 . 2010-06-13 21:36 -------- d-----w- c:\program files\DsNET Corp
2010-06-13 06:51 . 2010-06-13 06:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-13 06:46 . 2010-06-13 06:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-06-10 23:32 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-10 05:16 . 2010-06-10 05:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2010-06-10 03:56 . 2010-06-10 03:56 -------- d-----w- c:\program files\iPod
2010-06-10 03:56 . 2010-06-10 03:57 -------- d-----w- c:\program files\iTunes
2010-06-09 20:18 . 2010-06-09 20:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2010-06-09 18:08 . 2010-06-09 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-09 17:47 . 2010-06-10 03:55 -------- d-----w- c:\program files\QuickTime
2010-06-09 17:37 . 2010-06-09 17:38 -------- d-----w- c:\program files\Bonjour
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-05 05:26 . 2010-06-04 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-07-04 16:38 . 2009-08-20 14:30 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2011-07-02 01:43 . 2009-10-26 02:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-06-30 10:59 . 2010-04-12 22:39 -------- d-----w- c:\program files\particleIllusion_3
2010-06-24 07:28 . 2009-08-19 17:36 190008 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-22 04:37 . 2009-08-21 15:39 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2010-06-14 02:20 . 2009-08-19 15:59 4122368 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2010-06-14 02:20 . 2009-08-19 15:59 147456 ----a-w- c:\windows\system32\RTLCPAPI.dll
2010-06-14 02:20 . 2009-08-19 15:59 10528768 ----a-w- c:\windows\system32\RTLCPL.EXE
2010-06-14 02:20 . 2009-08-19 15:59 577536 ----a-w- c:\windows\SOUNDMAN.EXE
2010-06-13 21:37 . 2010-01-28 00:46 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenCandy
2010-06-13 06:46 . 2009-09-01 02:50 -------- d-----w- c:\program files\Google
2010-06-10 05:16 . 2010-01-19 17:08 -------- d-----w- c:\program files\Vstplugins
2010-06-10 03:53 . 2010-01-06 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-10 02:46 . 2010-06-05 10:18 -------- d-----w- c:\program files\Common Files\Real
2010-06-09 21:23 . 2009-08-21 13:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-06-09 18:51 . 2010-04-02 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-09 18:48 . 2009-09-05 20:55 -------- d-----w- c:\program files\DivX
2010-06-09 18:22 . 2009-09-21 02:18 -------- d-----w- c:\program files\CertBlaster
2010-06-09 18:11 . 2010-01-06 05:58 -------- d-----w- c:\program files\Common Files\Apple
2010-06-07 00:00 . 2010-03-17 00:38 -------- d-----w- c:\program files\LimeWire
2010-06-06 23:13 . 2010-03-17 00:46 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-06-05 10:18 . 2006-09-29 01:53 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-06-04 03:59 . 2009-08-19 16:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 03:53 . 2010-06-03 16:53 22575 ----a-w- c:\windows\fs1235.dat
2010-06-04 03:13 . 2010-05-31 22:59 -------- d-----w- c:\documents and settings\Owner\Application Data\ShoppingReport2
2010-06-04 00:49 . 2010-06-04 00:49 19 ----a-w- c:\windows\system32\pb.sys
2010-06-03 21:54 . 2010-05-13 01:55 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-31 22:59 . 2010-05-31 22:59 -------- d-----w- c:\program files\ShoppingReport2
2010-05-22 18:48 . 2010-05-22 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2010-05-22 18:48 . 2009-10-04 19:28 -------- d-----w- c:\program files\TVUPlayer
2010-05-21 19:14 . 2009-10-02 21:18 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-13 23:22 . 2010-05-13 23:22 -------- d-----w- c:\documents and settings\Owner\Application Data\TeamViewer
2010-05-08 20:31 . 2010-05-08 20:30 -------- d-----w- c:\program files\Veetle
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 13:33 . 2010-01-06 06:01 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 13:33 . 2010-01-06 06:01 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-06-16 23:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-01 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SoundMan"="SOUNDMAN.EXE" [2010-06-14 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2009-8-22 344064]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-16 10:18 126976 ----a-r- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-07-16 10:18 155648 ----a-r- c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2010-06-14 02:20 577536 ----a-w- c:\windows\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AVPath"="\\\\.\\root\\SecurityCenter:AntiVirusProduct.instanceGuid=\"{5A3E1814-1F69-4106-97D1-034BBD69EBAC}\""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Owner\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/19/2009 12:52 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/16/2009 11:33 AM 50704]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/13/2010 1:46 AM 136176]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [12/1/2009 6:37 PM 1527900]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [12/1/2009 6:37 PM 544768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
fioo64 REG_MULTI_SZ fioo64
.
Contents of the 'Scheduled Tasks' folder
2011-07-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 18:04]
2011-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-13 06:46]
2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-13 06:46]
2010-07-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
2010-07-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-06-16 23:22]
2011-07-06 c:\windows\Tasks\User_Feed_Synchronization-{1994BF85-7FCF-45C0-A52F-CA6BC7B45EE0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {{DB38E21A-0133-419d-92AD-ECDFD5244D6D} - {3E2DFD6A-4E20-4d4c-AA8B-E1F9DBEF3C80} -
IE: {{EB620C54-E229-4942-87CE-E717109FC8C6} - {714E0876-FCEE-49ce-A429-B9AD8AEFCB56} -
.
- - - - ORPHANS REMOVED - - - -
AddRemove-BarDiscover - c:\program files\BarDiscover\uninstall.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 03:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-861567501-299502267-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'explorer.exe'(1264)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-07-07 04:14:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-07 09:14
Pre-Run: 11,180,998,656 bytes free
Post-Run: 12,150,013,952 bytes free
- - End Of File - - E19473DFEE029110765112EDB53A0C65


----------



## dvk01 (Dec 14, 2002)

That has had a koobface virus & there are still leftovers

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)
*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished *
Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum *

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

or to 
http://www.bleepingcomputer.com/submit-malware.php?channel=38

If Avira has expired and you can't or won't renew it then uninstall it & either install the free version of avira or try download & install the  Microsoft Security Essentials Antivirus 

do a full scan, let it fix what ever it finds & post back any log it makes


----------



## nerythebest (Jan 17, 2009)

http://thespykiller.co.uk/index.php/topic,9328.msg37464.html 
here is the link to the other forum with the zip file

I'll post the anti virus scan in a couple of hours


----------



## nerythebest (Jan 17, 2009)

Here is the report

Avira AntiVir Professional
Report file date: Sunday, July 11, 2010 21:08
Scanning for 2332149 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : < mod removed>
Serial number : <mod removed>
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : OWNER-DEB775BE8
Version information:
BUILD.DAT : 10.0.0.918 41550 Bytes 4/19/2010 15:01:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 7/12/2010 01:48:59
AVSCAN.DLL : 10.0.3.0 46440 Bytes 7/12/2010 01:48:54
LUKE.DLL : 10.0.2.3 104296 Bytes 7/12/2010 01:51:30
LUKERES.DLL : 10.0.0.1 12648 Bytes 7/12/2010 01:51:30
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 01:43:54
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 01:44:13
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 01:44:48
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 01:45:00
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 01:45:19
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 01:45:50
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 01:46:16
VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 01:46:17
VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 01:46:17
VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 01:46:18
VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 01:46:18
VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 01:46:18
VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 01:46:18
VBASE013.VDF : 7.10.8.37 270336 Bytes 6/10/2010 01:46:21
VBASE014.VDF : 7.10.8.69 138752 Bytes 6/14/2010 01:46:24
VBASE015.VDF : 7.10.8.102 130560 Bytes 6/16/2010 01:46:27
VBASE016.VDF : 7.10.8.135 152064 Bytes 6/21/2010 01:46:30
VBASE017.VDF : 7.10.8.163 432128 Bytes 6/23/2010 01:46:37
VBASE018.VDF : 7.10.8.194 133632 Bytes 6/27/2010 01:46:38
VBASE019.VDF : 7.10.8.220 134656 Bytes 6/29/2010 01:46:42
VBASE020.VDF : 7.10.8.252 171520 Bytes 7/4/2010 01:46:45
VBASE021.VDF : 7.10.9.19 131072 Bytes 7/6/2010 01:46:47
VBASE022.VDF : 7.10.9.36 297472 Bytes 7/7/2010 01:46:52
VBASE023.VDF : 7.10.9.37 2048 Bytes 7/7/2010 01:46:52
VBASE024.VDF : 7.10.9.38 2048 Bytes 7/7/2010 01:46:52
VBASE025.VDF : 7.10.9.39 2048 Bytes 7/7/2010 01:46:52
VBASE026.VDF : 7.10.9.40 2048 Bytes 7/7/2010 01:46:52
VBASE027.VDF : 7.10.9.41 2048 Bytes 7/7/2010 01:46:52
VBASE028.VDF : 7.10.9.42 2048 Bytes 7/7/2010 01:46:53
VBASE029.VDF : 7.10.9.43 2048 Bytes 7/7/2010 01:46:53
VBASE030.VDF : 7.10.9.44 2048 Bytes 7/7/2010 01:46:53
VBASE031.VDF : 7.10.9.57 150016 Bytes 7/11/2010 01:46:57
Engineversion : 8.2.4.10 
AEVDF.DLL : 8.1.2.0 106868 Bytes 7/12/2010 01:47:44
AESCRIPT.DLL : 8.1.3.39 1335674 Bytes 7/12/2010 01:47:43
AESCN.DLL : 8.1.6.1 127347 Bytes 7/12/2010 01:47:38
AESBX.DLL : 8.1.3.1 254324 Bytes 7/12/2010 01:47:47
AERDL.DLL : 8.1.4.6 541043 Bytes 7/12/2010 01:47:36
AEPACK.DLL : 8.2.2.5 430453 Bytes 7/12/2010 01:47:32
AEOFFICE.DLL : 8.1.1.6 201081 Bytes 7/12/2010 01:47:28
AEHEUR.DLL : 8.1.1.38 2724214 Bytes 7/12/2010 01:47:26
AEHELP.DLL : 8.1.11.6 242038 Bytes 7/12/2010 01:47:13
AEGEN.DLL : 8.1.3.13 381300 Bytes 7/12/2010 01:47:09
AEEMU.DLL : 8.1.2.0 393588 Bytes 7/12/2010 01:47:06
AECORE.DLL : 8.1.15.3 192886 Bytes 7/12/2010 01:47:04
AEBB.DLL : 8.1.1.0 53618 Bytes 7/12/2010 01:47:02
AVWINLL.DLL : 10.0.0.0 19304 Bytes 7/12/2010 01:38:44
AVPREF.DLL : 10.0.0.0 44904 Bytes 7/12/2010 01:48:53
AVREP.DLL : 10.0.0.8 62209 Bytes 7/12/2010 01:53:28
AVREG.DLL : 10.0.3.0 53096 Bytes 7/12/2010 01:53:28
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 7/12/2010 01:53:29
AVARKT.DLL : 10.0.0.14 227176 Bytes 7/12/2010 01:47:54
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 7/12/2010 01:48:10
SQLITE3.DLL : 3.6.19.0 355688 Bytes 7/12/2010 01:51:53
AVSMTP.DLL : 10.0.0.17 63848 Bytes 7/12/2010 01:49:06
NETNT.DLL : 10.0.0.0 11624 Bytes 7/12/2010 01:51:31
RCIMAGE.DLL : 10.0.0.32 2856808 Bytes 7/12/2010 01:38:59
RCTEXT.DLL : 10.0.53.0 97128 Bytes 7/12/2010 01:39:00
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, 
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: Sunday, July 11, 2010 21:08
Starting search for hidden objects.
HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Preferences\backgroundscancompletedate
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.
c:\windows\explorer.exe
c:\WINDOWS\explorer.exe
[NOTE] The process is not visible.
The scan of running processes will be started
Scan process 'rsmsink.exe' - '28' Module(s) have been scanned
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '61' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '48' Module(s) have been scanned
Scan process 'avscan.exe' - '67' Module(s) have been scanned
Scan process 'avcenter.exe' - '67' Module(s) have been scanned
Scan process 'avgnt.exe' - '57' Module(s) have been scanned
Scan process 'avmailc.exe' - '30' Module(s) have been scanned
Scan process 'AVWEBGRD.EXE' - '37' Module(s) have been scanned
Scan process 'sched.exe' - '62' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'avguard.exe' - '64' Module(s) have been scanned
Scan process 'ctfmon.exe' - '25' Module(s) have been scanned
Scan process 'explorer.exe' - '108' Module(s) have been scanned
Scan process 'hpqSTE08.exe' - '49' Module(s) have been scanned
Scan process 'WMPNetwk.exe' - '66' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'SPUVolumeWatcher.exe' - '22' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '67' Module(s) have been scanned
Scan process 'WMPNSCFG.exe' - '27' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '25' Module(s) have been scanned
Scan process 'svchost.exe' - '47' Module(s) have been scanned
Scan process 'HPWuSchd2.exe' - '18' Module(s) have been scanned
Scan process 'alg.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '30' Module(s) have been scanned
Scan process 'jqs.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '33' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '33' Module(s) have been scanned
Scan process 'spoolsv.exe' - '55' Module(s) have been scanned
Scan process 'svchost.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '163' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '54' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '27' Module(s) have been scanned
Scan process 'winlogon.exe' - '76' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '1728' files ).

Starting the file scan:
Begin scan in 'C:\'
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\49\20226971-734a43a5
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the EXP/Java.mo.232 exploit
--> AppletX.class
[DETECTION] Contains recognition pattern of the EXP/Java.mo.232 exploit
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\51\21ababf3-6c514624
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.G Java virus
--> myf/y/AppletX.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.G Java virus
--> myf/y/LoaderX.class
[DETECTION] Contains recognition pattern of the JAVA/OpenStream.AE Java virus
--> myf/y/PayloadX.class
[DETECTION] Contains recognition pattern of the JAVA/OpenStream.AD Java virus
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\57\1fbfc2b9-7d4f6485
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.G Java virus
--> myf/y/AppletX.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.G Java virus
--> myf/y/LoaderX.class
[DETECTION] Contains recognition pattern of the JAVA/OpenStream.AE Java virus
--> myf/y/PayloadX.class
[DETECTION] Contains recognition pattern of the JAVA/OpenStream.AD Java virus
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\63\20aa933f-56bdb17a
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Selace.U Java virus
--> p1/p2/MyClassLoader.class
[DETECTION] Contains recognition pattern of the JAVA/Selace.U Java virus
C:\Documents and Settings\Owner\Local Settings\Application Data\Apple Computer\QuickTime\downloads\00\06\andtheofand.exe
[DETECTION] Is the TR/InternetAntivirus.A.74 Trojan
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\byorat.exe
[DETECTION] Is the TR/InternetAntivirus.A.74 Trojan
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\ofonin.exe
[DETECTION] Is the TR/InternetAntivirus.A.74 Trojan
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\onofonand.exe
[DETECTION] Is the TR/InternetAntivirus.A.74 Trojan
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\theon.exe
[DETECTION] Is the TR/InternetAntivirus.A.74 Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\rdr_1275618607.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\rdr_1275620721.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\rdr_1275621867.exe.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\System Volume Information\_restore{DABCFCA0-7D1E-47C2-8477-A0BDA20CA62E}\RP268\A0080283.exe
[0] Archive type: NSIS
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
--> [PluginsDir]/Install.dll
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
--> [PluginsDir]/Setup.dll
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
--> [UnknownDir]/LaunchHelp.dll
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
C:\WINDOWS\system32\DRVSTORE\hposcu11_5E3F3558789F610C800F2C9B1069F7EB3D9DEAAF\drivers\scanner\x32\outfor.exe
[DETECTION] Is the TR/InternetAntivirus.A.74 Trojan
Beginning disinfection:
C:\WINDOWS\system32\DRVSTORE\hposcu11_5E3F3558789F610C800F2C9B1069F7EB3D9DEAAF\drivers\scanner\x32\outfor.exe
[DETECTION] Is the TR/InternetAntivirus.A.74 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4617393c.qua'.
C:\System Volume Information\_restore{DABCFCA0-7D1E-47C2-8477-A0BDA20CA62E}\RP268\A0080283.exe
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
[NOTE] The file was moved to the quarantine directory under the name '5e441657.qua'.
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\rdr_1275621867.exe.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0cdd4c43.qua'.
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\rdr_1275620721.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6aea0381.qua'.
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\rdr_1275618607.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '2f6e2ebf.qua'.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\theon.exe
[DETECTION] Is the TR/InternetAntivirus.A.74 Trojan
[NOTE] The file was moved to the quarantine directory under the name '50461cda.qua'.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\onofonand.exe
[DETECTION] Is the TR/InternetAntivirus.A.74 Trojan
[NOTE] The file was moved to the quarantine directory under the name '1cc830aa.qua'.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\ofonin.exe
[DETECTION] Is the TR/InternetAntivirus.A.74 Trojan
[NOTE] The file was moved to the quarantine directory under the name '60d070c2.qua'.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\byorat.exe
[DETECTION] Is the TR/InternetAntivirus.A.74 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4d8a5fa2.qua'.
C:\Documents and Settings\Owner\Local Settings\Application Data\Apple Computer\QuickTime\downloads\00\06\andtheofand.exe
[DETECTION] Is the TR/InternetAntivirus.A.74 Trojan
[NOTE] The file was moved to the quarantine directory under the name '54d5642e.qua'.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\63\20aa933f-56bdb17a
[DETECTION] Contains recognition pattern of the JAVA/Selace.U Java virus
[NOTE] The file was moved to the quarantine directory under the name '388c48d0.qua'.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\57\1fbfc2b9-7d4f6485
[DETECTION] Contains recognition pattern of the JAVA/OpenStream.AD Java virus
[NOTE] The file was moved to the quarantine directory under the name '493271b3.qua'.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\51\21ababf3-6c514624
[DETECTION] Contains recognition pattern of the JAVA/OpenStream.AD Java virus
[NOTE] The file was moved to the quarantine directory under the name '472f4183.qua'.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\49\20226971-734a43a5
[DETECTION] Contains recognition pattern of the EXP/Java.mo.232 exploit
[NOTE] The file was moved to the quarantine directory under the name '02f138c1.qua'.

End of the scan: Sunday, July 11, 2010 23:42
Used time: 2:16:58 Hour(s)
The scan has been done completely.
9165 Scanned directories
245135 Files were scanned
20 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
14 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
245115 Files not concerned
1472 Archives were scanned
0 Warnings
14 Notes
442398 Objects were scanned with rootkit scan
3 Hidden objects were found


----------



## dvk01 (Dec 14, 2002)

I think that has cleared everything we can see now

how is it ? Are you having any more problems ?


----------



## nerythebest (Jan 17, 2009)

Everything looks fine, my pc is running smoothly. There are no problem so far. Thanks for ur help again and for ur time.


----------



## dvk01 (Dec 14, 2002)

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START* then * RUN*
* Now type *Combofix /Uninstall * in the runbox and click *OK*. Note the *space *between the *X* and the */U*, it needs to be there.









This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here* http://www.thespykiller.co.uk/index.php?page=3 *for info on how to tighten your security settings and how to help prevent future attacks.

and scan here* http://secunia.com/software_inspector/ * for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place


----------



## nerythebest (Jan 17, 2009)

I'm sorry to bother again but I been getting this messages since yesterday now and then. It pops for no reason or at least I think, It says something like this. 

COCUME-1\owner\LOCALS-1\temp\eula.exe
windows cannot find 'COCUME-1\owner\LOCALS-1\temp\eula.exe'. make sure you typed the name correctly, and then try again. To search for a file, click the startup button, and then click search. 

I will take a picture next time it pops.


----------



## dvk01 (Dec 14, 2002)

Delete any existing version of ComboFix you have sitting on your desktop
*Please read and follow all these instructions very carefully*​
Download ComboFix from *Here* or *Here*to your Desktop.

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall*_* before* _performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results" or stop combofix running at all_
Click on *THIS LINK * to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this 
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" * for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns

*Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. *

Please tell us if it has cured the problems or if there are any outstanding issues


----------

