
Solved XP SP3 laptop infected and Windows Firewall not working!!

Discussion in 'Malware and Virus Removal Archive' started by virtue1boy, 2009/08/27.

  1. 2009/08/27
    virtue1boy

    virtue1boy Inactive Thread Starter

    Joined:
    2008/08/14
    Messages:
    104
    Likes Received:
    0
    [Resolved] XP SP3 laptop infected and Windows Firewall not working!!

    Hello, I've been the victim of drive-by malware, trojans, etc. and malware disguised as legit programs. I need to have someone do a thorough check of my laptop to see what's causing the erratic behavior. My Windows Firewall is malfunctioning too. My computer is a 2000 Fujitsu, 14.6 GB HD, Windows XP SP3, with Malwarebytes (Free Version) installed.
     
  2. 2009/08/27
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    It would have been helpful to post in the correct forum - Malware & Virus Removal. Moved.

    Please read this as indicated at the head of the forum and post the logs requested in this thread.
     


  4. 2009/08/27
    virtue1boy

    virtue1boy Inactive Thread Starter

    Here are the two logs:

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by Owner at 13:41:08.62 on Thu 08/27/2009
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.65 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    \\?\globalroot\systemroot\system32\msihost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
    DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208885986764
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208885966835
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14-windows-i586.cab
    TCP: {AE97C0FA-D1DE-417E-9A2E-0350D915C6C2} = 1.1.2.108,151.164.1.8
    TCP: {E1088878-FE6B-4281-8A84-1766D09E92D8} = 151.164.11.201,151.164.1.8
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    _____________________________________

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/16/2006 2:25:30 PM
    System Uptime: 8/27/2009 12:57:44 PM (1 hours ago)

    Motherboard: FUJITSU | | FJNB156
    Processor: Intel(R) Pentium(R) 4 CPU 1.60GHz | Onboard | 1594/400mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 15 GiB total, 6.483 GiB free.
    D: is FIXED (FAT32) - 1 GiB total, 0.344 GiB free.
    E: is CDROM ()
    G: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_SYMREDRV\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_SYMREDRV\0000
    Service:

    ==== System Restore Points ===================

    RP227: 8/18/2009 2:07:36 PM - Software Distribution Service 3.0
    RP228: 8/19/2009 2:50:11 PM - System Checkpoint
    RP229: 8/21/2009 11:47:39 AM - System Checkpoint
    RP230: 8/22/2009 12:15:05 PM - System Checkpoint
    RP231: 8/23/2009 1:26:40 PM - System Checkpoint
    RP232: 8/24/2009 4:51:00 PM - System Checkpoint
     
  5. 2009/08/27
    PeteC

    PeteC SuperGeek Staff

    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  6. 2009/08/27
    virtue1boy

    virtue1boy Inactive Thread Starter

    No problem!!
     
  7. 2009/08/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
  8. 2009/08/28
    virtue1boy

    virtue1boy Inactive Thread Starter

    I have Malwarebytes and I don't know how to turn it off. It was not on your list of Antivirus software???

    Secondly, how do I disable script blocking??
     
  9. 2009/08/28
    broni

    broni Moderator Malware Analyst

    You don't have to. It doesn't run in real time, unless you have the paid version.

    If you have Spybot, or Windows Defender disable those.

    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.
    NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

    Disable Windows Defender, as it'll interfere with the cleaning process:
    - Open Windows Defender by clicking Start, clicking All Programs, and then clicking Windows Defender.
    - Click Tools
    then...

    ++ Windows XP:
    - Click General Settings
    - Scroll down to Real Time Protection Options
    - Uncheck Turn on Real Time Protection
    - After you uncheck this, click on the Save button
    - Close Windows Defender

    ++ Windows Vista:
    - Click Options
    - Under Administrator options, clear the Use Windows Defender check box, and then click Save.

    Enable Windows Defender, when all cleaning is done.
     
  10. 2009/08/28
    virtue1boy

    virtue1boy Inactive Thread Starter

    Well I don't have the paid version of Malwarebytes, Windows Defender or Spybot. So I'm gonna start the Combofix then proceed with the Hijackthis. I'll post them as soon as I'm done!!!
     
  11. 2009/08/28
    virtue1boy

    virtue1boy Inactive Thread Starter

    broni, I waited like 30 mins and the ComboFix never produced a log. Then I re-clicked the icon and it gave me an error message saying:

    ERROR
    Some files could not be created.
    Please close all applications, reboot windows and restart this application.

    So I did that and got the same error message...what now???
     
  12. 2009/08/28
    broni

    broni Moderator Malware Analyst

    Delete your Combofix file.
    Download fresh one from HERE.
    I renamed the file for a reason.
     
  13. 2009/08/28
    virtue1boy

    virtue1boy Inactive Thread Starter

    Still nothing? So I searched for the log in my C: drive and there are two folders and a text document. They were created when I installed Combofix.

    The folders are called "Qoobox", "32788R22FWJFW" and the text doc is called "Bug" and I posted it below:

    32788R22FWJFW\swreg.exe import 32788R22FWJFW\EXE.reg

    32788R22FWJFW\PEV.exe UZIP 32788R22FWJFW\License\pv_5_2_2.zip 32788R22FWJFW\

    MOVE /Y 32788R22FWJFW\PV.exe 32788R22FWJFW\PV.cfxxe

    32788R22FWJFW\PV.cfxxe -kf *.pif nircmd.* ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe cmd.exe
    Killing '*.pif'
    Killing 'nircmd.*'
    "C:\32788R22FWJFW\nircmd.cfxxe" cmdwait 1700 exec hide "C:\WINDOWS\system32\cmd.execf" /c 32788R22FWJFW\prep.cmd (2600)
    Killing 'ANDRE.EXE'
    Killing 'TOLO.exe'
    Killing 'Merlin.scr'
    Killing 'jalang.exe'
    Killing 'jalangkung.exe'
    Killing 'jantungan.exe'
    Killing 'DOSEN.exe'
    Killing 'C3W3K4MPUS.exe'
    Killing 'cmd.exe'

    PUSHD "C:\32788R22FWJFW"

    IF NOT EXIST pev.cfxxe COPY /Y pev.exe pev.cfxxe
    1 file(s) copied.

    IF NOT EXIST NircmdB.exe COPY /Y Nircmd.cfxxe NircmdB.exe
    1 file(s) copied.

    SET "Comspec=C:\WINDOWS\system32\cmd.execf"

    IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

    IF EXIST OsVer EXIT

    VER 1>OsVer

    GREP.cfxxe -F "5.2." OsVer

    IF 1 == 0 GOTO Not_NT

    GREP.cfxxe -F "5.1.2" OsVer 1>XP.mac

    IF 0 == 0 GOTO NT

    GREP.cfxxe -isq "ProductType.*WinNT" WinNT00 || GOTO Not_NT

    SED.cfxxe "/^PATH=/I!d; s///; s/\x22//g" Oripath 1>OriPath00

    PEV.EXE -rtf -s+901 .\OriPath00 && (
    SED.cfxxe -r "s/\x22//g; s/(.{900}).*/\1/; s/;[^;]*$//" OriPath00 1>OriPath01
    FOR /F "TOKENS=*" %G IN (OriPath01) DO @SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"
    )

    IF NOT EXIST OriPath01 FOR /F "TOKENS=*" %G IN (OriPath00) DO SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"

    SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PCDRSDK\WINDSAPI\bin;C:\WINDOWS\system32\gs\gs7.05\bin"
    Killing 'runonce.exe'
    Killing 'grpconv.exe'
    Killing 'procmon.exe'
    Killing 'ANDRE.EXE'
    Killing 'TOLO.exe'
    Killing 'Merlin.scr'
    Killing 'jalang.exe'
    Killing 'jalangkung.exe'
    Killing 'jantungan.exe'
    Killing 'DOSEN.exe'
    Killing 'C3W3K4MPUS.exe'
    pv: No matching processes found

    PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe } 1>temp00 && (
    PV -o%f * 1>temp01
    PEV -tf -t!o --files:temp01 --c:##5#b#f# 1>temp02
    GREP -Fif temp00 temp02 1>temp03
    SED "/.* /!d; s///" temp03 1>temp04
    SED ":a; $!N; s/\n/\x22 \x22/; ta; s/.*/\x22&\x22/" temp04 1>temp05
    FOR /F "TOKENS=*" %G IN (temp05) DO @NIRCMD KILLPROCESS %G
    )

    CALL :MDCheck
    Could Not Find C:\32788R22FWJFW\md5sum00.pif

    PEV -rtf -md5C589B205BC02BE2E1636B9448FF6D47C .\md5sum.pif || CALL :MDFaiL ChkSum_Fail
    .\md5sum.pif

    PEV -tf --files:files.pif --c:##5#b#f# 1>mdCheck00.dat

    GREP -vs "^!MD5:" mdCheck00.dat 1>mdCheck0a.dat

    GREP -Fvf md5sum.pif mdCheck0a.dat 1>mdCheck01.dat && CALL :MDFaiL

    GOTO :EOF

    =============================================

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Owner\Application Data
    cfExt=cfxxe
    CFLDR=32788R22FWJFW
    Chksum=C589B205BC02BE2E1636B9448FF6D47C
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=ROGERLAPTOP
    ComSpec=C:\WINDOWS\system32\cmd.execf
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Owner
    KMD=CF14938.exe
    LOGONSERVER=\\ROGERLAPTOP
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PCDRSDK\WINDSAPI\bin;C:\WINDOWS\system32\gs\gs7.05\bin
    PATHEXT=.cfxxe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0204
    ProgramFiles=C:\Program Files
    PROMPT=$
    Qrntn=C:\Qoobox\Quarantine
    RKEY_=hklm\software\microsoft\windows nt\currentversion\windows
    SESSIONNAME=Console
    sfxcmd= "C:\Documents and Settings\Owner\Desktop\2d45fty7er.exe"
    sfxname=C:\Documents and Settings\Owner\Desktop\2d45fty7er.exe
    SYSTEM=C:\WINDOWS\system32
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    USERDOMAIN=ROGERLAPTOP
    USERNAME=Owner
    USERPROFILE=C:\Documents and Settings\Owner
    windir=C:\WINDOWS

    =============================================


    IF NOT DEFINED sfxname GOTO END

    GREP -F \ temp01 && CALL :Aux

    GREP -Fi "C:\WINDOWS\system32\userinit.exe" Userinit00 || (SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\WINDOWS\system32\userinit.exe," )
    Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

    CALL LANG.bat
    Active code page: 1252

    SET SfxCmd 1>SET00

    SED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*C:\\Documents and Settings\\Owner\\Desktop\\2d45fty7er.exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET00 1>sfx.cmd

    DEL /A/F SET00

    ATTRIB +R "C:\Documents and Settings\Owner\Desktop\2d45fty7er.exe"

    CALL sfx.cmd

    CALL AV.cmd

    SET /a AVCount+=1

    CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs

    IF NOT EXIST AvBlack00 GREP -Fisf AVBlack resident.txt 1>AvBlack00 && (
    SED -r "s/\x22//g; s/.*\) //; s/.*(\{.{8}-.{4}-.{4}-.{4}-.{12}\}).*/\1/" AvBlack00 1>AvBlack01
    FOR /F "TOKENS=*" %G IN (AvBlack01) DO @CSCRIPT.EXE //NOLOGO //E:VBSCRIPT //T:5 wmi_rem.vbs "%~G"
    CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
    )

    GREP -Fivf AVWhite resident.txt | GREP -E "^(AV|SP): .*enabled\* \(" 1>AVChk && (
    SED -r "s/^AV:/antivirus: /; s/^SP:/antispyware: /; s/ \*(On-access scanning |)enabled\*.*//" AVChk | SED ":a; $!N;s/\n/~n/;ta" 1>AVChkB
    NIRCMD LOOP 2 80 BEEP 3000 200
    IF 1 LEQ 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!" " " && GOTO Av-check
    IF 1 GTR 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!" " "
    )

    _______________________________________________________________________
    And I got tired of waiting so I ran the Hijackthis log soon after and here it is:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:19:31 PM, on 8/28/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
    C:\WINDOWS\System32\svchost.exe
    \?\globalroot\C:\WINDOWS\system32\msihost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cmd.execf
    C:\32788R22FWJFW\grep.cfxxe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\k5ovwk4u.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\k5ovwk4u.slt\prefs.js)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1208885986764
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1208885966835
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AE97C0FA-D1DE-417E-9A2E-0350D915C6C2}: NameServer = 1.1.2.108,151.164.1.8
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E1088878-FE6B-4281-8A84-1766D09E92D8}: NameServer = 151.164.11.201,151.164.1.8
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
    O23 - Service: Windows MSI - Unknown owner - \\?\globalrootC:\WINDOWS\system32\msihost.exe (file missing)

    --
    End of file - 4667 bytes
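An added example, not code from the thread or from the HijackThis tool: a small triage script for the HijackThis log posted above. It flags the two things an analyst would look at first in that log, a running process and an O23 service reached only through an object-namespace path (`\?\globalroot...`, with the service binary reported as "file missing"), and pulls out the per-adapter DNS servers from the O17 lines for manual verification. The sample lines are copied from the log in this post; the severity labels are my own.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the HijackThis log posted
# above. The full log is in the thread; these lines exercise every check below.
SAMPLE_HJT_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
\?\globalroot\C:\WINDOWS\system32\msihost.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE97C0FA-D1DE-417E-9A2E-0350D915C6C2}: NameServer = 1.1.2.108,151.164.1.8
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Windows MSI - Unknown owner - \\?\globalrootC:\WINDOWS\system32\msihost.exe (file missing)
"""

# Object-namespace prefixes (\?\ or \\?\globalroot). Ordinary programs and
# services are listed with a plain drive-letter path; a binary that only shows
# up through the object namespace is hiding its real location from the shell.
HIDDEN_PATH = re.compile(r"\\\?\\|globalroot", re.IGNORECASE)
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
SERVICE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:          # a blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Return (severity, reason, detail) findings worth a human's attention."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        if HIDDEN_PATH.search(proc):
            findings.append(("high", "process running from an object-namespace path", proc))
    for section, body in entries:
        if section == "O23":
            m = SERVICE.match(body)
            if not m:
                continue
            name, owner, path = m.groups()
            if HIDDEN_PATH.search(path):
                findings.append(("high", f"service '{name}' points at an object-namespace path", path))
            if path.endswith("(file missing)"):
                # A registered service whose binary HijackThis could not find on
                # disk: either deleted, or hidden from the file system by a rootkit.
                findings.append(("high", f"service '{name}' binary not found on disk", path))
            elif owner == "Unknown owner":
                findings.append(("info", f"service '{name}' has no publisher information", path))
        elif section == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            if m:
                servers = ", ".join(s.strip() for s in m.group(1).split(","))
                findings.append(("review", "per-adapter DNS servers; confirm they belong to your ISP", servers))
        elif section in ("O2", "O3", "O4") and "(no file)" in body:
            findings.append(("low", f"{section} entry points at a missing file (orphaned)", body))
    return findings


def severity_counts(text):
    """How many findings of each severity the log produced."""
    return Counter(f[0] for f in triage(text))


if __name__ == "__main__":
    for sev, reason, detail in triage(SAMPLE_HJT_LOG):
        print(f"[{sev:6}] {reason}: {detail}")
```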
     
  14. 2009/08/28
    broni

    broni Moderator Malware Analyst

    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u"


    Delete Combofix file, you downloaded from my link.

    Restart computer.

    Download fresh Combofix file from my link again.
     
  15. 2009/08/28
    virtue1boy

    virtue1boy Inactive Thread Starter

    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u"

    (I followed your instructions and it just reloaded ComboFix onto my desktop again?)
     
  16. 2009/08/28
    virtue1boy

    virtue1boy Inactive Thread Starter

    Delete Combofix file, you downloaded from my link.

    Restart computer.

    Download fresh Combofix file from my link again.

    (Ok, manually deleted ComboFix, restarted, re-downloaded..... "no log"????)
    (Is there something else you want me to try cause this ain't workin?)
     
  17. 2009/08/28
    broni

    broni Moderator Malware Analyst

    ...and ran it?

    If so....

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Post fresh HijackThis log as well.
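An added example, not code from the thread or from Dr.Web: a parser for the DrWeb.csv report requested above, in the semicolon-separated layout the report posted in the next reply uses (object;location;verdict;action). It groups hits by verdict, tells browser-cache hits from System Restore copies, and lists which restore points hold infected copies, since those come back if the point is ever restored. The sample rows are copied from that reply; the column names and the "unhandled" rule are my assumptions.

```python
import re
from collections import Counter

# Constructed sample in the DrWeb.csv layout that appears later in this thread:
#   object;location;verdict;action;
# A member found inside an archive is written as archive\member, with the
# archive itself on a following row (verdict "Archive contains infected objects").
SAMPLE_DRWEB_CSV = r"""687996B4d01\32788R22FWJFW\c.bat;C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\56dsr146.default\Cache(2)\687996B4d01;Probably BATCH.Virus;;
687996B4d01;C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\56dsr146.default\Cache(2);Archive contains infected objects;Moved.;
A0051344.exe\data002;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP234\A0051344.exe;BackDoor.Tdss.119;;
A0051344.exe;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP234;Archive contains infected objects;Moved.;
A0051427.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP234;Probably BATCH.Virus;;
"""

ARCHIVE_VERDICT = "Archive contains infected objects"
RESTORE_POINT = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)")


def classify_location(location):
    """Where the object lived: a System Restore copy, a browser cache, or elsewhere."""
    low = location.lower()
    if "\\system volume information\\_restore" in low:
        return "system_restore"
    if "\\cache" in low:
        return "browser_cache"
    return "other"


def parse_drweb(text):
    """Parse DrWeb.csv rows into dicts; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) < 4 or not parts[0]:
            continue
        obj, location, verdict, action = parts[:4]
        rows.append({
            "object": obj,
            "location": location,
            "verdict": verdict,
            "action": action or "(none)",
            "in_archive": "\\" in obj,      # archive\member form
            "where": classify_location(location),
        })
    return rows


def summarize(rows):
    """Counts per verdict, restore points holding copies, and rows with no action."""
    verdicts = Counter(r["verdict"] for r in rows if r["verdict"] != ARCHIVE_VERDICT)
    restore_points = sorted({m.group(1) for r in rows
                             for m in [RESTORE_POINT.search(r["location"])] if m})
    # Assumption: archive members carry no action of their own (the container row
    # is "Moved."), so a standalone row with an empty action is one the scan did
    # not deal with and should be re-checked after the reboot.
    unhandled = [r for r in rows if r["action"] == "(none)" and not r["in_archive"]]
    return {"verdicts": dict(verdicts), "restore_points": restore_points, "unhandled": unhandled}


if __name__ == "__main__":
    summary = summarize(parse_drweb(SAMPLE_DRWEB_CSV))
    for verdict, n in summary["verdicts"].items():
        print(f"{n:3d}  {verdict}")
    print("restore points with infected copies:", ", ".join(summary["restore_points"]))
    for r in summary["unhandled"]:
        print("no action recorded:", r["object"], "in", r["location"])
```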
     
  18. 2009/08/31
    virtue1boy

    virtue1boy Inactive Thread Starter

    Here you go....

    687996B4d01\32788R22FWJFW\c.bat;C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\56dsr146.default\Cache(2)\687996B4d01;Probably BATCH.Virus;;
    687996B4d01;C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\56dsr146.default\Cache(2);Archive contains infected objects;Moved.;
    A0051344.exe\data002;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP234\A0051344.exe;BackDoor.Tdss.119;;
    A0051344.exe;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP234;Archive contains infected objects;Moved.;
    A0051427.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP234;Probably BATCH.Virus;;
    A0051497.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP234;Probably BATCH.Virus;;
    A0051570.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP234;Probably BATCH.Virus;;
    A0051635.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP235\A0051635.exe;Probably BATCH.Virus;;
    A0051635.exe;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP235;Archive contains infected objects;Moved.;
    A0051637.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP235\A0051637.exe;Probably BATCH.Virus;;
    A0051637.exe;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP235;Archive contains infected objects;Moved.;
    A0051654.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP235;Probably BATCH.Virus;;
    A0051734.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP235;Probably BATCH.Virus;;
    A0051800.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP235\A0051800.exe;Probably BATCH.Virus;;
    A0051800.exe;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP235;Archive contains infected objects;Moved.;
    A0051812.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP235;Probably BATCH.Virus;;
    A0052917.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238;Probably BATCH.Virus;;
    A0052919.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238\A0052919.exe;Probably BATCH.Virus;;
    A0052919.exe;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238;Archive contains infected objects;Moved.;
    A0053020.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238;Probably BATCH.Virus;;
    A0053022.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238\A0053022.exe;Probably BATCH.Virus;;
    A0053022.exe;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238;Archive contains infected objects;Moved.;
    A0053093.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238;Probably BATCH.Virus;;
    A0053095.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238\A0053095.exe;Probably BATCH.Virus;;
    A0053095.exe;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238;Archive contains infected objects;Moved.;
    A0053097.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238\A0053097.exe;Probably BATCH.Virus;;
    A0053097.exe;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238;Archive contains infected objects;Moved.;
    A0053102.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238\A0053102.exe;Probably BATCH.Virus;;
    A0053102.exe;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238;Archive contains infected objects;Moved.;
    A0053113.exe\data002;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238\A0053113.exe;BackDoor.Tdss.119;;
    A0053113.exe;C:\System Volume Information\_restore{93A9D198-300C-4668-937F-83906184B48B}\RP238;Archive contains infected objects;Moved.;

    __________________________________________________________________

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:54:08 PM, on 8/31/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\k5ovwk4u.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\k5ovwk4u.slt\prefs.js)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1208885986764
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1208885966835
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AE97C0FA-D1DE-417E-9A2E-0350D915C6C2}: NameServer = 1.1.2.108,151.164.1.8
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E1088878-FE6B-4281-8A84-1766D09E92D8}: NameServer = 151.164.11.201,151.164.1.8
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

    --
    End of file - 4416 bytes
     
  19. 2009/08/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You don't have any antivirus program installed, and there are some Norton leftovers.

    Download and run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

    Download and install one of these:

    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html

    - free PC Tools Antivirus: http://www.pctools.com/free-antivirus/
    - free PC Tools Firewall Plus: http://www.pctools.com/firewall/

    - free Comodo Internet Security (firewall + AV): http://www.personalfirewall.comodo.com/
    NOTE. During installation, Comodo will also allow you to install AV only, or firewall only, if you prefer to combine one Comodo product with some other product.

    If you decide to install Avast or Avira, make sure Windows Firewall is turned on, or use PC Tools Firewall Plus or Comodo Firewall.
    If you decide to install Comodo Internet Security, or just Comodo Firewall, make sure Windows Firewall is turned off.

    IMPORTANT! Make sure you use only ONE antivirus and ONE firewall.

    After installation, update the AV program and run a full scan.

    Post fresh HJT log.
     
  20. 2009/09/01
    virtue1boy

    virtue1boy Inactive Thread Starter

    Joined:
    2008/08/14
    Messages:
    104
    Likes Received:
    0
    OK, I followed your instructions. I ran the Norton uninstall tool... but I still see elements of it in the new HijackThis log?? I installed the AV antivirus (full scan) and Comodo Firewall only. Here is the fresh HijackThis log you requested:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:38:22 PM, on 9/1/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\k5ovwk4u.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\k5ovwk4u.slt\prefs.js)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1208885986764
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1208885966835
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AE97C0FA-D1DE-417E-9A2E-0350D915C6C2}: NameServer = 1.1.2.108,151.164.1.8
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E1088878-FE6B-4281-8A84-1766D09E92D8}: NameServer = 151.164.11.201,151.164.1.8
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

    --
    End of file - 5231 bytes
     
  21. 2009/09/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ===============================================================

    Re-run HJT and checkmark unnecessary startups (no actual programs will be removed):
    - O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    - O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    Click "Fix checked" button.

    ===============================================================

    Go Start>Run (Vista users - "Start search"), type in:
    cmd
    Click OK (Vista users - hold CTRL, and SHIFT keys, press Enter).

    A Command Prompt window will open.
    Type in:
    sc stop "Symantec RemoteAssist"
    Press Enter.
    Wait for the service to be stopped.

    Type in:
    sc delete "Symantec RemoteAssist"
    Press Enter.
    Wait for confirmation.

    Restart computer.


    Post fresh HJT log.
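
    The triage in this thread is done by eye: the analyst reads the HijackThis log, picks the O4 startups to "Fix checked", and hands back the two `sc` commands for the leftover service. As an added example (not code from the thread or from HijackThis), the script below parses lines in the HijackThis v2 format into the same categories and applies that workflow mechanically: O4 names and O23 services on an analyst-supplied fix list, O17 resolvers not on an allowlist, every O20 AppInit_DLLs entry, and O23 services whose owner is recorded as "Unknown owner". The sample log lines are copied from the logs posted above; the fix list and the DNS allowlist are assumptions constructed for the example (the allowlist simply takes the two 151.164.x resolvers that appear on both adapters in the log, which an analyst would still confirm with the ISP).

```python
import re

# Constructed sample: a handful of lines in the shape of the HijackThis v2.0.2
# logs posted in this thread (entries copied from those logs, header shortened).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE97C0FA-D1DE-417E-9A2E-0350D915C6C2}: NameServer = 1.1.2.108,151.164.1.8
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
"""

# Assumed analyst input: the entries the thread tells the user to fix/remove,
# and the resolvers the analyst has accepted as the ISP's (constructed allowlist).
FIX_NAMES = {"ISUSPM Startup", "MSMSGS", "Symantec RemoteAssist"}
TRUSTED_DNS = {"151.164.1.8", "151.164.11.201"}

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DNS_RE = re.compile(r"NameServer = (?P<ips>[0-9.,]+)")


def parse_hjt(text):
    """Return [(type, body)] for every line that carries an HJT item code (O4, O17, ...)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def run_entries(entries):
    """O4 startups as {name: command line}, in log order."""
    out = {}
    for typ, body in entries:
        m = RUN_RE.match(body) if typ == "O4" else None
        if m:
            out[m.group("name")] = m.group("cmd")
    return out


def nameservers(entries):
    """Every resolver IP listed on any O17 NameServer line, in log order."""
    ips = []
    for typ, body in entries:
        m = DNS_RE.search(body) if typ == "O17" else None
        if m:
            ips.extend(ip for ip in m.group("ips").split(",") if ip)
    return ips


def services(entries):
    """O23 services as (name, owner, path); HJT separates the three with ' - '."""
    out = []
    for typ, body in entries:
        if typ != "O23" or not body.startswith("Service: "):
            continue
        parts = body[len("Service: "):].split(" - ", 2)
        if len(parts) == 3:
            out.append(tuple(parts))
    return out


def sc_commands(service_name):
    """The two-step removal the analyst gives in the thread. The closing quote must
    follow the name directly: a trailing space inside the quotes makes sc look up
    a different service name."""
    return [f'sc stop "{service_name}"', f'sc delete "{service_name}"']


def triage(entries, fix_names, trusted_dns):
    """Return (type, item, note) findings in the order an analyst reads the log."""
    findings = []
    for name in run_entries(entries):
        if name in fix_names:
            findings.append(("O4", name, "startup the analyst marked for Fix checked"))
    for ip in nameservers(entries):
        if ip not in trusted_dns:
            findings.append(("O17", ip, "resolver not on the allowlist; confirm it belongs to the ISP"))
    for typ, body in entries:
        if typ == "O20":
            # AppInit_DLLs is loaded into every process that maps user32.dll, so
            # the vendor of each DLL listed here should be confirmed.
            findings.append(("O20", body, "AppInit_DLLs entry; confirm the DLL's vendor"))
    for name, owner, path in services(entries):
        if name in fix_names:
            findings.append(("O23", name, "remove with: " + "; ".join(sc_commands(name))))
        elif owner == "Unknown owner":
            findings.append(("O23", name, f"no publisher recorded for {path}; verify the binary"))
    return findings


if __name__ == "__main__":
    for typ, item, note in triage(parse_hjt(SAMPLE_LOG), FIX_NAMES, TRUSTED_DNS):
        print(f"{typ:<4} {item}\n     {note}")
```

    Running it on the sample prints six findings: the two O4 startups from the analyst's list, the 1.1.2.108 resolver (not on the constructed allowlist), the guard32.dll AppInit_DLLs entry, the ATI poller with no recorded publisher, and the Symantec RemoteAssist service together with its `sc stop` / `sc delete` commands. Anything the script flags is a prompt for the analyst to look, not a verdict.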
     
