marquisdeloth, posted August 2, 2009

Did everything. Let me know if I am missing anything. Thanks.

----a-w- 14,336 2008-04-14 00:12:36 C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
----a-w- 14,336 2007-12-13 06:04:52 C:\WINDOWS\system32\svchost.exe
-c--a-w- 14,336 2007-12-13 06:04:52 C:\WINDOWS\system32\dllcache\svchost.exe
-c--a-w- 14,336 2007-12-13 06:04:52 C:\WINDOWS\system32\dllcache\cache\svchost.exe

Entries: 4 (4) Directories: 0 Files: 4 Bytes: 57,344 Blocks: 112
blade81, posted August 3, 2009

That went OK.

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Upload the following files to VirusTotal and post back the results or links to the results:

C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
C:\WINDOWS\system32\svchost.exe
marquisdeloth, posted August 3, 2009

analisis/2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5-1249200604
http://www.virustotal.com/analisis/2910ebc...cdd5-1249200604

analisis/16593943861d03d508f37f60e41240dee14221e76f625835487f73d5010ac18a-1249231229
http://www.virustotal.com/analisis/1659394...c18a-1249231229
blade81, posted August 3, 2009

Hi again,

Open Notepad and copy/paste the text in the quotebox below into it:

FCopy::
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe | C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe | C:\WINDOWS\system32\dllcache\svchost.exe

Save this as CFScript.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.

Then post the resultant log & fresh dds.txt contents.
marquisdeloth, posted August 4, 2009

Hi, here you go!

ComboFix 09-07-29.03 - Mandrew 08/03/2009 21:39.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.768.568 [GMT -5:00]
Running from: c:\documents and settings\Mandrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mandrew\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe --> c:\windows\system32\svchost.exe
c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe --> c:\windows\system32\dllcache\svchost.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
.
2009-07-29 02:17 . 2009-07-29 02:17 -------- d--h--w- c:\windows\$hf_mig$
2009-07-29 00:43 . 2009-07-29 00:43 -------- d-----w- c:\program files\Trend Micro
2009-07-28 01:33 . 2009-07-28 01:33 286208 ----a-w- C:\somethingElse.com.exe
2009-07-26 16:08 . 2009-07-29 07:59 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-26 16:08 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-26 16:06 . 2009-07-26 16:06 -------- d-----w- c:\program files\Lavasoft
2009-07-26 16:06 . 2009-07-26 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-12 18:21 . 2009-07-12 18:21 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-11 18:32 . 2008-10-16 19:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-07-11 18:32 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 20:35 . 2006-05-23 18:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-01 17:03 . 2009-03-22 19:59 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-01 17:03 . 2006-03-23 04:22 -------- d-----w- c:\program files\Java
2009-07-29 01:14 . 2006-02-15 18:06 64384 ----a-w- c:\documents and settings\Mandrew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-22 13:05 . 2006-05-16 19:46 -------- d-----w- c:\docume~1\Mandrew\APPLIC~1\Lavasoft
2009-06-30 18:31 . 2009-06-30 18:31 -------- d-----w- c:\docume~1\Mandrew\APPLIC~1\Sibelius Software
2009-06-30 18:27 . 2009-06-30 18:26 -------- d-----w- c:\program files\Musicnotes
2009-06-26 16:18 . 2004-08-04 12:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-27 00:50 . 2009-05-31 15:16 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
2009-05-26 12:01 . 2009-01-31 22:31 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2009-05-26 12:01 . 2009-01-31 22:31 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
2009-05-26 12:01 . 2009-01-31 22:31 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2009-05-26 12:01 . 2009-01-31 22:31 161008 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2009-05-07 15:44 . 2004-08-04 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-02-23 03:14 . 2009-02-23 03:14 3861671 ----a-w- c:\program files\FileZilla_3.2.2.1_win32-setup.exe
2006-10-12 00:58 . 2006-10-12 00:50 21290704 ----a-w- c:\program files\AdbeRdr708_en_US.exe
2006-10-12 00:50 . 2006-10-12 00:46 7050552 ----a-w- c:\program files\psa30se_en_us.exe
2006-10-12 00:46 . 2006-10-12 00:46 762512 ----a-w- c:\program files\ytb612_efgsip.exe
2009-07-22 11:47 . 2009-03-18 13:12 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
------- Sigcheck -------
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\svchost.exe
[7] 2007-12-13 06:04 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\dllcache\cache\svchost.exe
.
((((((((((((((((((((((((((((( [email protected]_04.14.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-03 23:30 . 2009-08-03 23:30 16384 c:\windows\Temp\Perflib_Perfdata_75c.dat
- 2009-03-22 19:59 . 2009-03-22 19:55 148888 c:\windows\system32\javaws.exe
+ 2009-08-01 17:04 . 2009-08-01 17:03 148888 c:\windows\system32\javaws.exe
+ 2009-08-01 17:04 . 2009-08-01 17:03 144792 c:\windows\system32\javaw.exe
- 2009-03-22 19:59 . 2009-03-22 19:55 144792 c:\windows\system32\javaw.exe
+ 2009-08-01 17:04 . 2009-08-01 17:03 144792 c:\windows\system32\java.exe
- 2009-03-22 19:59 . 2009-03-22 19:55 144792 c:\windows\system32\java.exe
+ 2009-08-01 17:03 . 2009-08-01 17:03 1563648 c:\windows\Installer\52d1e.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-10-24 655360]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-05 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-07-15 58992]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-02-16 100056]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-02 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-23 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-01 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2009-1-17 884838]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Native Instruments\\Absynth 3 Demo\\Absynth 3 Demo.exe"=

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R3 atirage;atirage;c:\windows\system32\drivers\atiragem.sys [2/15/2006 6:36 AM 70528]
R3 US122;US122 Driver;c:\windows\system32\drivers\US122.sys [9/17/2007 10:17 AM 215708]
R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\drivers\US122Wdm.sys [9/17/2007 10:17 AM 84092]
R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\drivers\uts_bus.sys [1/24/2009 1:56 PM 84352]
R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\drivers\uts_mdfl.sys [1/24/2009 1:56 PM 14976]
R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\drivers\uts_mdm.sys [1/24/2009 1:56 PM 110848]
R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\uts_serd.sys [1/24/2009 1:56 PM 90880]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [1/17/2009 6:34 PM 17149]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [1/31/2009 5:31 PM 185584]
S3 US122DL;US122 Firmware Downloader;c:\windows\system32\drivers\US122DL.sys [9/17/2007 10:17 AM 17263]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [1/17/2009 6:34 PM 362944]
.
Contents of the 'Scheduled Tasks' folder

2009-05-31 c:\windows\Tasks\CAAntiSpywareScan_Daily as Mandrew at 2 31 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2009-01-31 22:53]

2009-08-03 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-25 03:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
LSP: c:\windows\system32\VetRedir.dll
FF - ProfilePath - c:\docume~1\Mandrew\APPLIC~1\Mozilla\Firefox\Profiles\5lmuyfc6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 21:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1244)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1444)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(624)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-04 21:52 ComboFix-quarantined-files.txt 2009-08-04 02:51 ComboFix2.txt 2009-08-01 14:39 ComboFix3.txt 2009-08-01 04:18 Pre-Run: 30,396,190,720 bytes free Post-Run: 30,432,374,784 bytes free 166 --- E O F --- 2009-07-29 08:05 DDS (Ver_09-06-26.01) - NTFSx86 Run by Mandrew at 21:52:54.44 on Mon 08/03/2009 Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.768.508 [GMT -5:00] AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93} AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\HP\HP Software Update\HPWuSchd.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\devldr32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\NETGEAR\WPN111\wpn111.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\Mandrew\Desktop\dds.com ============== Pseudo HJT 
Report =============== uStart Page = hxxp://www.yahoo.com/ mStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File EB: &Yahoo! 
Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe" mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe" mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe" mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe" mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm IE: Yahoo! 
&SMS - file:///c:\program files\yahoo!\Common/ycsms.htm IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL LSP: c:\windows\system32\VetRedir.dll DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://www.teammbi.com/Remote/msrdp.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\mandrew\applic~1\mozilla\firefox\profiles\5lmuyfc6.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true ============= SERVICES / DRIVERS =============== R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-1-31 26352] R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-1-31 21104] R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-1-31 880560] R1 VETFDDNT;VET Floppy 
Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-1-31 21488] R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-1-31 161008] R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-1-31 144696] R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-27 198256] R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-27 181872] R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336] R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-1-31 255216] R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392] R3 atirage;atirage;c:\windows\system32\drivers\atiragem.sys [2006-2-15 70528] R3 US122;US122 Driver;c:\windows\system32\drivers\US122.sys [2007-9-17 215708] R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\drivers\US122Wdm.sys [2007-9-17 84092] R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\drivers\uts_bus.sys [2009-1-24 84352] R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\drivers\uts_mdfl.sys [2009-1-24 14976] R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\drivers\uts_mdm.sys [2009-1-24 110848] R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\uts_serd.sys [2009-1-24 90880] R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-1-31 108368] S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2004-8-30 66688] S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79472] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-1-17 17149] S3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca 
anti-spyware\PPCtlPriv.exe [2009-1-31 185584] S3 US122DL;US122 Firmware Downloader;c:\windows\system32\drivers\US122DL.sys [2007-9-17 17263] S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2009-1-17 362944] =============== Created Last 30 ================ 2009-08-03 21:37 219,648 a------- c:\windows\PEV.exe 2009-08-03 21:37 161,792 a------- c:\windows\SWREG.exe 2009-08-03 21:37 98,816 a------- c:\windows\sed.exe 2009-08-01 21:52 54,156 a---h--- c:\windows\QTFont.qfn 2009-08-01 21:52 1,409 a------- c:\windows\QTFont.for 2009-08-01 12:04 73,728 a------- c:\windows\system32\javacpl.cpl 2009-07-31 23:15 <DIR> -cd----- c:\windows\system32\dllcache\cache 2009-07-29 19:42 <DIR> a-dshr-- C:\cmdcons 2009-07-28 21:17 <DIR> --d-h--- c:\windows\$hf_mig$ 2009-07-28 19:43 <DIR> --d----- c:\program files\Trend Micro 2009-07-27 20:33 286,208 a------- C:\somethingElse.com.exe 2009-07-26 11:08 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864} 2009-07-26 11:06 <DIR> --d----- c:\program files\Lavasoft 2009-07-21 20:25 3,255 a------- c:\windows\system32\wbem\Outlook_01ca0a6b3e9cc470.mof 2009-07-19 10:04 3,255 a------- c:\windows\system32\wbem\Outlook_01ca088235b33660.mof 2009-07-12 13:21 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2 2009-07-11 13:32 208,744 a------- c:\windows\system32\muweb.dll 2009-07-11 13:32 27,496 a------- c:\windows\system32\mucltui.dll.mui 2009-07-11 13:32 268,648 a------- c:\windows\system32\mucltui.dll ==================== Find3M ==================== 2009-08-01 12:03 410,984 a------- c:\windows\system32\deploytk.dll 2009-06-26 11:18 659,456 a------- c:\windows\system32\wininet.dll 2009-06-26 11:18 81,920 a------- c:\windows\system32\ieencode.dll 2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll 2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll 2009-06-03 14:27 1,290,752 a------- c:\windows\system32\quartz.dll 2009-05-07 10:44 344,064 
a------- c:\windows\system32\localspl.dll 2009-02-22 22:14 3,861,671 a------- c:\program files\FileZilla_3.2.2.1_win32-setup.exe 2006-10-11 19:58 21,290,704 a------- c:\program files\AdbeRdr708_en_US.exe 2006-10-11 19:50 7,050,552 a------- c:\program files\psa30se_en_us.exe 2006-10-11 19:46 762,512 a------- c:\program files\ytb612_efgsip.exe ============= FINISH: 21:53:33.73 =============== UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_09-06-26.01) Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume1 Install Date: 2/15/2006 2:00:20 PM System Uptime: 8/3/2009 6:30:03 PM (3 hours ago) Motherboard: Intel Corporation | | SE440BX-3 Processor: Intel Pentium III processor | J4J1 | 848/100mhz ==== Disk Partitions ========================= C: is FIXED (NTFS) - 49 GiB total, 28.363 GiB free. D: is FIXED (NTFS) - 100 GiB total, 64.415 GiB free. E: is FIXED (FAT32) - 37 GiB total, 5.419 GiB free. F: is CDROM () ==== Disabled Device Manager Items ============= Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318} Description: PS/2 Compatible Mouse Device ID: ACPI\PNP0F13\5&2920B891&0 Manufacturer: Microsoft Name: PS/2 Compatible Mouse PNP Device ID: ACPI\PNP0F13\5&2920B891&0 Service: i8042prt ==== System Restore Points =================== RP635: 7/27/2009 10:16:20 PM - System Checkpoint RP636: 7/29/2009 12:28:10 AM - System Checkpoint RP637: 7/29/2009 3:01:00 AM - Software Distribution Service 3.0 RP638: 7/29/2009 7:34:21 PM - ComboFix created restore point RP639: 8/1/2009 9:19:47 AM - ComboFix created restore point RP640: 8/1/2009 11:38:05 AM - Removed Adobe Reader 7.0.8 RP641: 8/1/2009 11:51:19 AM - Removed Java 6 Update 12 RP642: 8/1/2009 12:03:33 PM - Installed Java 6 Update 14 RP643: 8/2/2009 4:58:39 PM - System Checkpoint ==== Installed Programs ====================== 4200 4200_Help 4200Tour 4200Trb 4Front E-Piano Module 1.0 VSTi 4Front Piano Module 1.0 VSTi 4Front Rhode 1.0 VSTi Ad-Aware Adobe Flash 
Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe® Photoshop® Album Starter Edition 3.0 AiO_Scan AIOMinimal AiOSoftware CA Anti-Spyware CA Anti-Virus CA Internet Security Suite CA Pest Patrol Realtime Protection ccCommon Copy CreativeProjects Critical Update for Windows Media Player 11 (KB959772) CSi STARTER-Reason daHornet Version 1.34 Director DocProc Dolet Light for Finale Easy CD Creator 5 Basic Fax FileZilla Client 3.2.2.1 Finale 2000 Finale 2003 HijackThis 2.0.2 Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB926239) Hotfix for Windows XP (KB952287) HP Image Zone 3.5 HP PSC & OfficeJet 3.5 HP Software Update HPSystemDiagnostics InstantShare Intel® 536EP Modem Java 6 Update 14 Lernout & Hauspie TruVoice American English TTS Engine Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Office Professional Edition 2003 Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft WSE 2.0 SP3 Runtime Mozilla Firefox (3.0.12) MSN Native Instruments Absynth 3 Demo NETGEAR RangeMax Wireless USB 2.0 Adapter WPN111 Norton Internet Security Norton WMI Update Overland PhotoGallery PrintScreen QFolder QuickLink Mobile QuickProjects QuickTime Readme RealPlayer Scan Security Update for CAPICOM (KB931906) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 10 (KB936782) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update 
for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899589) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB916281) Security Update for Windows XP (KB917159) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917422) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918118) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB918899) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920213) Security Update for Windows XP (KB920214) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB921398) Security Update for Windows XP (KB921503) Security Update for Windows XP (KB921883) Security Update for Windows XP (KB922616) Security Update for Windows XP (KB922760) Security Update for Windows XP (KB922819) Security Update for Windows XP (KB923191) Security Update for Windows XP (KB923414) Security Update for Windows XP (KB923561) 
Security Update for Windows XP (KB923689) Security Update for Windows XP (KB923694) Security Update for Windows XP (KB923980) Security Update for Windows XP (KB924191) Security Update for Windows XP (KB924270) Security Update for Windows XP (KB924496) Security Update for Windows XP (KB924667) Security Update for Windows XP (KB925454) Security Update for Windows XP (KB925486) Security Update for Windows XP (KB925902) Security Update for Windows XP (KB926255) Security Update for Windows XP (KB926436) Security Update for Windows XP (KB927779) Security Update for Windows XP (KB927802) Security Update for Windows XP (KB928090) Security Update for Windows XP (KB928255) Security Update for Windows XP (KB928843) Security Update for Windows XP (KB929123) Security Update for Windows XP (KB929969) Security Update for Windows XP (KB930178) Security Update for Windows XP (KB931261) Security Update for Windows XP (KB931768) Security Update for Windows XP (KB931784) Security Update for Windows XP (KB932168) Security Update for Windows XP (KB933566) Security Update for Windows XP (KB933729) Security Update for Windows XP (KB935839) Security Update for Windows XP (KB935840) Security Update for Windows XP (KB936021) Security Update for Windows XP (KB937143) Security Update for Windows XP (KB937894) Security Update for Windows XP (KB938127) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB938829) Security Update for Windows XP (KB939653) Security Update for Windows XP (KB941202) Security Update for Windows XP (KB941568) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB942615) Security Update for Windows XP (KB943460) Security Update for Windows XP (KB944338-v2) Security Update for Windows XP (KB944653) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for 
Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958215) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960714) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB963027) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969897) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB972260) Security Update for Windows XP (KB973346) Setup Sibelius Scorch Plugin 5.2.5.48 SkinsHP1 SkinsHP2 Sonic Foundry Sound Forge 6.0b SPBBC Steinberg Cubase SX Symantec Network Drivers Update Symantec Script Blocking Installer SymNet TrayApp Unload Update for Windows XP (KB894391) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB910437) Update for Windows XP (KB911280) Update for Windows XP (KB916595) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Update for Windows XP (KB927891) Update for Windows XP (KB929338) Update for Windows XP (KB930916) Update for Windows XP (KB931836) Update for Windows XP (KB933360) 
Update for Windows XP (KB936357) Update for Windows XP (KB938828) Update for Windows XP (KB942763) Update for Windows XP (KB942840) Update for Windows XP (KB946627) Update for Windows XP (KB955839) Update for Windows XP (KB967715) US-122 UTStarcom USB Modem Software Visual C++ 2008 x86 Runtime - (v9.0.30729) Visual C++ 2008 x86 Runtime - v9.0.30729.01 Wave Arts FinalPlug WebFldrs XP WebReg Winamp (remove only) Windows Genuine Advantage Notifications (KB905474) Windows Media Format 11 runtime Windows Media Player 11 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB891781 Yahoo! extras Yahoo! Install Manager Yahoo! Internet Mail Yahoo! Messenger Yahoo! Software Update Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

8/3/2009 9:43:29 PM, information: Windows File Protection [64005] - The protected system file svchost.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Mandrew. The file version of the bad file is 5.1.2600.5512.
8/2/2009 8:51:36 AM, error: SideBySide [59] - Generate Activation Context failed for C:\unzipped\[4]-Submit_2009-08-01_09.20.43\desot.exe. Reference error message: The operation completed successfully. .
8/1/2009 9:29:19 AM, error: Service Control Manager [7034] - The AntipyPro_12 service terminated unexpectedly. It has done this 1 time(s).
7/31/2009 7:23:45 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
7/31/2009 11:04:33 PM, error: Service Control Manager [7016] - The AntipyPro_12 service has reported an invalid current state 0.
7/29/2009 7:45:15 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
7/29/2009 2:16:32 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
7/29/2009 2:16:32 AM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\desot.exe. Reference error message: The operation completed successfully. .
7/29/2009 2:16:32 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
7/29/2009 1:43:20 AM, error: System Error [1003] - Error code 1000000a, parameter1 00000001, parameter2 00000002, parameter3 00000001, parameter4 804dc11d.
7/27/2009 8:40:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD cdudf_xp Fips IPSec MRxSmb NetBIOS NetBT P3 RasAcd Rdbss SYMTDI Tcpip Tcpip6 VET-FILT VET-REC VETEFILE VETMONNT
7/27/2009 8:40:14 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/27/2009 8:40:14 PM, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/27/2009 8:40:14 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/27/2009 8:40:14 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/27/2009 8:40:14 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/27/2009 8:39:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
7/27/2009 8:39:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/27/2009 8:39:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/27/2009 6:54:57 AM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\D.
7/27/2009 6:54:57 AM, error: atapi [5] - A parity error was detected on \Device\Ide\IdePort1.

==== End Of File ===========================
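The event section of a DDS log is what a helper actually reads for signs of tampering: the Windows File Protection 64005 entry (a protected binary replaced and the repair cancelled), the boot-start driver failures for AFD/Tcpip/NetBT (a broken network stack, typical after a rootkit or an aggressive cleanup), and a service that cannot start. The Python below is an added example and not part of the thread; it parses DDS-style event lines and applies a small set of triage rules over a constructed sample modelled on the lines posted above. The severities and rule wording are the example's own, not something the DDS tool or the forum helper defines.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the "Event Viewer Messages From Past Week"
# section of a DDS log (same layout as the lines posted in this thread).
SAMPLE_LOG = r"""
8/3/2009 9:43:29 PM, information: Windows File Protection [64005] - The protected system file svchost.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Mandrew. The file version of the bad file is 5.1.2600.5512.
8/1/2009 9:29:19 AM, error: Service Control Manager [7034] - The AntipyPro_12 service terminated unexpectedly. It has done this 1 time(s).
7/31/2009 7:23:45 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
7/27/2009 8:40:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD cdudf_xp Fips IPSec MRxSmb NetBIOS NetBT P3 RasAcd Rdbss SYMTDI Tcpip Tcpip6 VET-FILT VET-REC VETEFILE VETMONNT
7/27/2009 6:54:57 AM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\D.
"""

# One DDS event line: "<m/d/yyyy h:mm:ss AM|PM>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Kernel-mode networking drivers; when these fail to load together the TCP/IP
# stack has been damaged (malware or an over-eager cleanup), not the hardware.
NETWORK_DRIVERS = {"afd", "tcpip", "tcpip6", "netbt", "netbios", "ipsec",
                   "mrxsmb", "rdbss", "rasacd"}


def parse_event(line):
    """Return a dict for one event line, or None if the line is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    ev["time"] = datetime.strptime(ev.pop("ts"), "%m/%d/%Y %I:%M:%S %p")
    return ev


def triage(ev):
    """Return (severity, note) for events worth a second look, else None."""
    src, eid, msg = ev["source"], ev["event_id"], ev["message"]
    if src == "Windows File Protection" and eid == 64005:
        m = re.search(r"protected system file (\S+) was not restored", msg)
        name = m.group(1) if m else "a system file"
        return ("high", f"WFP could not restore {name}; compare the on-disk copy "
                        "with the dllcache copy and a known-good hash")
    if src == "Service Control Manager" and eid == 7026:
        failed = msg.split(":", 1)[1].split()
        hit = [d for d in failed if d.lower() in NETWORK_DRIVERS]
        if hit:
            return ("high", "core networking drivers failed to load: " + " ".join(hit))
    if src == "Service Control Manager" and eid == 7023 and "Automatic Updates" in msg:
        return ("medium", "Automatic Updates cannot start, so no patches are being installed")
    if src == "Service Control Manager" and eid in (7034, 7016):
        m = re.search(r"^The (.+?) service ", msg)
        name = m.group(1) if m else "unknown"
        return ("medium", f"service {name} crashed; check which binary the service points at")
    return None


def scan(text):
    """Parse every line of a DDS event section; return findings in log order."""
    findings = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        result = triage(ev)
        if result:
            severity, note = result
            findings.append({"time": ev["time"], "event_id": ev["event_id"],
                             "severity": severity, "note": note})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']:%Y-%m-%d %H:%M} [{f['severity']}] {f['event_id']}: {f['note']}")
```

Run against the sample it reports four findings and ignores the disk controller error, which is a hardware message rather than an integrity signal. The rules are deliberately narrow: a 7026 is only escalated when the failed drivers include the networking set, so an unrelated third-party filter driver failing on its own does not page anyone.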
blade81 (Posted August 4, 2009):

That looks pretty good. How's the system running?
marquisdeloth (Posted August 5, 2009):

It seems to run pretty well. Is it fixed? Just kidding. Is there any maintenance I can do? I will stay away from BitTorrent. Any other advice? If I run into any other problems, should I try some of the stuff you showed me? Questions, questions ... Thanks so much for helping me. Should I send you a check?
blade81 (Posted August 5, 2009):

Hi,

The following post should cover most of those questions you asked there.

Well, congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-check *Turn off System Restore*. Click Apply, and then click OK.

NOTE: only do this ONCE, NOT on a regular basis.

Now let's uninstall ComboFix: Click START then RUN. Now copy-paste Combofix /u in the run box and click OK.

Next we remove all used tools. Please download OTC and save it to desktop. Double-click OTC.exe. Click the CleanUp! button. Select Yes when the Begin cleanup Process? prompt appears. If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes; if not, delete it yourself.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialize and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!! Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen).
Click run.
In the dialog box, type services.msc, hit enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from automatic to manual.
Click OK.

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks. Make sure all of your security programs are up to date. Run Spybot and Ad-Aware regularly (once or twice a week minimum).

Visit Microsoft's Windows Update site frequently. It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

"Should I send you a check?" You may donate to some charity of your choice if you wish.
marquisdeloth (Posted August 6, 2009):

When I try to turn off my system restore I go to the desktop, right-click on My Computer, Properties, and the only tabs I see are General and Shortcut. There is no System Restore tab.
blade81 (Posted August 6, 2009):

Hi,

Go to C:\WINDOWS\inf folder and see if sr.inf file exists. If it does, right click it and select install. Then see if the tab is still missing. Let me know how that goes.
marquisdeloth (Posted August 8, 2009):

I went to windows\inf and found an sr file (type is a setup information file, 5 KB), did an install, and a window popped up asking for a file: "the file sr.sys on Windows XP Prof Service Pack 2 CD is needed", then it asked me to browse. I put in the CD and found some file and it installed and rebooted, but when I went to My Computer and right-clicked, no tab. I guess that sr file wasn't an inf file? Hence the sr.sys message? I don't know.
blade81 (Posted August 8, 2009):

Hi,

Sounds like you did it correctly.

Open notepad and then copy and paste the lines below into it. Go to File > Save As and name the file fixes.bat, change the Save as type to All Files and save it to your desktop.

regedit /a c:\regResults.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore"
del %0

Double-click on the fixes.bat file to execute it. The c:\regResults.txt file should be generated. Please attach it to your post.
marquisdeloth (Posted August 8, 2009):

I ran this 2 times. A DOS window popped up and disappeared. I looked under my C drive and did not find c:\regResults.txt. I looked on my desktop and other drives too, but no c:\regResults.txt.
blade81 (Posted August 8, 2009):

Hi,

Click Start->Run->write regedit and click OK. Registry Editor will open. Click File->Export->select Selected branch as export range and copy-paste

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

in the textbox. In the file name textbox write "c:\registryexport.txt" and set Save as type to All Files. See if the c:\registryexport.txt file exists after that operation.
marquisdeloth (Posted August 8, 2009):

I think this is it?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000
"CreateFirstRunRp"=dword:00000001
"DSMin"=dword:000000c8
"DSMax"=dword:00000190
"RPSessionInterval"=dword:00000000
"RPGlobalInterval"=dword:00015180
"RPLifeInterval"=dword:0076a700
"CompressionBurst"=dword:0000003c
"TimerInterval"=dword:00000078
"DiskPercent"=dword:0000000c
"ThawInterval"=dword:00000384
"RestoreDiskSpaceError"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Cfg]
"DiskPercent"=dword:0000000c
"MachineGuid"="{0F4BF90F-72A0-49A9-A811-690DF2979976}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SnapshotCallbacks]
@=""
blade81 (Posted August 9, 2009):

That looks ok. Now, please export this branch in the same way (you may overwrite the previous c:\registryexport.txt file):

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore
marquisdeloth (Posted August 9, 2009):

Here you go.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000
"CreateFirstRunRp"=dword:00000001
"DSMin"=dword:000000c8
"DSMax"=dword:00000190
"RPSessionInterval"=dword:00000000
"RPGlobalInterval"=dword:00015180
"RPLifeInterval"=dword:0076a700
"CompressionBurst"=dword:0000003c
"TimerInterval"=dword:00000078
"DiskPercent"=dword:0000000c
"ThawInterval"=dword:00000384
"RestoreDiskSpaceError"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Cfg]
"DiskPercent"=dword:0000000c
"MachineGuid"="{0F4BF90F-72A0-49A9-A811-690DF2979976}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SnapshotCallbacks]
@=""
blade81 (Posted August 9, 2009):

Hi,

You used the same branch as in the first case. For this second one you have to export HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore.
marquisdeloth (Posted August 9, 2009):

I put HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore in the selected branch and saved as ALL FILES as c:\registryexport.txt and got this message: "The selected branch does not exist. Make sure that the correct path is given"
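The two exports above are the whole evidence the helper is working from: DisableSR is 0 under the CurrentVersion key, and the Policies branch does not exist at all (which is why both the fixes.bat run and the manual export produced nothing). Reading that by eye across a long .reg dump is error-prone, so the Python below, an added example rather than code from the thread, parses the export format shown in these posts (both the Unicode "Windows Registry Editor Version 5.00" form that regedit /e writes and the ANSI REGEDIT4 form that regedit /a writes) and summarises the System Restore state. The first sample is a copy of the export posted above; the second is a constructed policy export for the opposite case, where the "Turn off System Restore" and "Turn off Configuration" policies have written DisableSR and DisableConfig under the Policies key (those two value names are what the gpedit settings used later in the thread control).

```python
import re

# Headers written by "regedit /e" (Unicode, Version 5.00) and "regedit /a" (ANSI, REGEDIT4).
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

SR_CONFIG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
SR_POLICY_KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore"

# Copy of the export posted in this thread (constructed sample input).
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000
"CreateFirstRunRp"=dword:00000001
"DSMin"=dword:000000c8
"DSMax"=dword:00000190
"RPSessionInterval"=dword:00000000
"RPGlobalInterval"=dword:00015180
"RPLifeInterval"=dword:0076a700
"CompressionBurst"=dword:0000003c
"TimerInterval"=dword:00000078
"DiskPercent"=dword:0000000c
"ThawInterval"=dword:00000384
"RestoreDiskSpaceError"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Cfg]
"DiskPercent"=dword:0000000c
"MachineGuid"="{0F4BF90F-72A0-49A9-A811-690DF2979976}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SnapshotCallbacks]
@=""
"""

# Constructed policy export for the opposite case: both policies enabled.
SAMPLE_POLICY_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"DisableConfig"=dword:00000001
"""

# "name"=data  or  @=data  (the @ line is the key's default value)
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _decode_data(data):
    """Turn the textual data field into a Python value (dword -> int, "..." -> str)."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data  # hex:, hex(7): and friends are left as the raw text


def parse_reg(text):
    """Parse a .reg export into {key_path_lowercase: {value_name: value}}."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg export")
    keys, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()      # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group("default") else m.group("name")
            keys[current][name] = _decode_data(m.group("data"))
    return keys


def load_reg_file(path):
    """Read an export from disk: /e writes UTF-16 LE with a BOM, /a writes ANSI (cp1252 assumed)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("cp1252")


def system_restore_status(keys):
    """Summarise why System Restore might be off or its configuration UI hidden."""
    cfg = keys.get(SR_CONFIG_KEY.lower(), {})
    pol = keys.get(SR_POLICY_KEY.lower())
    return {
        "disabled_in_config": cfg.get("DisableSR", 0) == 1,
        "policy_key_present": pol is not None,
        "disabled_by_policy": pol is not None and pol.get("DisableSR", 0) == 1,
        "config_ui_hidden_by_policy": pol is not None and pol.get("DisableConfig", 0) == 1,
    }


if __name__ == "__main__":
    print(system_restore_status(parse_reg(SAMPLE_EXPORT)))
    print(system_restore_status(parse_reg(SAMPLE_POLICY_EXPORT)))
```

On the posted export the summary is all False with policy_key_present False, which matches regedit's "The selected branch does not exist" message: nothing in the registry is switching System Restore off, so the missing tab has to be explained some other way. A real export saved with regedit /e is UTF-16 with a BOM, which is why load_reg_file checks for one before decoding rather than assuming plain text.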
blade81 (Posted August 10, 2009):

Hi,

See if you're able to access System Restore this way, but don't do anything else:

Click Start->All Programs->Accessories->System Tools->System Restore

Let me know if the System Restore window opens without errors.
marquisdeloth (Posted August 10, 2009):

Yes it does.
blade81 (Posted August 10, 2009):

Hi,

1. Run the Group Policy Editor (click Start->Run->write gpedit.msc and click OK)
2. Go to Computer Configuration / Administrative Templates / System / System Restore
3. Set Turn off System Restore and Turn off Configuration to Disable
4. Right click on My Computer
5. Select Manage
6. Go to Services and Applications / Services
7. Scroll down to System Restore Service
8. Set it for Automatic
9. Click on the Start button to start the service
10. Close down this window
11. Go back to the Group Policy Editor and configure both to Not configured.

See if the System Restore tab appears in the Properties window now.
marquisdeloth (Posted August 11, 2009):

I got to step 8 and noticed it was already set for Automatic. I hit Restart and followed the steps as stated. I went to My Computer and there was no System Restore. Am I doing something wrong?
blade81 (Posted August 11, 2009):

Did you follow those other steps after step 8 too? Please attach a screenshot of the Properties window.
marquisdeloth (Posted August 11, 2009):

Yes, I went through steps 1 thru 11 2x, just to be sure. I tried to attach a screenshot of My Computer properties and it is telling me "you are not permitted to upload this type of file". I did a screenshot and pasted it into a Word doc. I tried to paste it into the body of where I am typing this text, but it won't let me. My Computer properties only has 2 tabs: Shortcut and General. Sorry.