Vegas_Bear (posted January 7, 2013)

Hello, my PC has been infected and I am looking for some help. The DDS files are attached. Any help would be greatly appreciated.

Bear

Attachments: attach.txt, dds.txt
CeciliaB (posted January 8, 2013)

Hi Bear,

1. Please save RogueKiller to the Desktop: http://www.sur-la-toile.com/RogueKiller/
Turn off all running programs and remove any external drives and other devices connected by USB etc., except mouse and keyboard.
Start RogueKiller (in Vista and Windows 7 right-click the program and select "Run as administrator"). If it won't start, try several times. If you are still unsuccessful, rename the file to winlogon.exe.
Wait until "Prescan" has finished. Click on the "Scan" button in the upper right corner. Wait until the scan has finished.
A report with a name similar to RKreport.txt should have been created on the desktop. Please post it in your answer. I prefer if you paste the content of the log into your answer instead of attaching it.

2. Please follow the instructions on http://www.bleepingcomputer.com/combofix/how-to-use-combofix for installing and running ComboFix. Read carefully and note the "Disclaimer of warranty"!
Paste the content of the log into your answer. If ComboFix displays a message, for example that a rootkit was found, write it down as detailed as possible.
Vegas_Bear (posted January 8, 2013)

Thank you for the quick reply CeciliaB. The two programs were downloaded and run. Here are the two logs you requested.

ComboFix

ComboFix 13-01-08.01 - Bear 01/08/2013 9:59.5.2 - x86
Running from: c:\documents and settings\Bear\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\1498149814
c:\documents and settings\All Users\Application Data\592624643
c:\documents and settings\Bear\ntuser.tmp
c:\documents and settings\Bear\pmyukfhocdquyqud.exe
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
((((((((((((((((((((((((( Files Created from 2012-12-08 to 2013-01-08 )))))))))))))))))))))))))))))))
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-20 19:11 . 2012-04-06 18:36 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-20 19:11 . 2011-06-18 20:57 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2003-03-31 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 20:29 . 2012-11-13 20:29 354216 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-11-13 01:25 . 2003-03-31 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2008-04-12 12:44 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2003-03-31 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-24 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2002-12-03 143360]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-05-29 520192]
"CTHelper"="CTHELPER.EXE" [2005-08-07 16384]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 18944]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-07-27 35768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-02-23 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-23 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\Bear\Start Menu\Programs\Startup\
restart_vs.lnk - F:\Viewsonic.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-18 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TRUESIGHT
*Deregistered* - EraserUtilDrv11220
*Deregistered* - EraserUtilRebootDrv
*Deregistered* - Lavasoft Kernexplorer
*Deregistered* - TrueSight
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-08 c:\windows\Tasks\Ad-Aware Scan (daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]
.
2013-01-08 c:\windows\Tasks\Ad-Aware Scan (weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]
.
2012-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 08:39]
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 08:39]
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-08 10:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 CTHelper = CTHELPER.EXE?
 CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-01-08 10:12:13
ComboFix-quarantined-files.txt 2013-01-08 18:11
ComboFix2.txt 2011-06-15 17:08
.
Pre-Run: 161,266,044,928 bytes free
Post-Run: 161,267,294,208 bytes free
.
- - End Of File - - B0110F968443ABE8091EA91BD022EB30

RogueKiller

RogueKiller V8.4.2 [Jan 6 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Bear [Admin rights]
Mode : Scan -- Date : 01/08/2013 09:56:17

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\n --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\n --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\@ --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\U --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\L --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x87C0E4A0)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 9ed3d55b79aa35a51b1526fe86f2e546
[BSP] 6e10de559c15b72a6e89fbc7457d0b08 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_01082013_02d0956.txt >>
RKreport[1]_S_01082013_02d0956.txt

ComboFix did not list a rootkit found in the scan. Awaiting further instructions and thanks again for the help.

Bear
CeciliaB (posted January 8, 2013)

ZeroAccess is a severe rootkit infection. It is recommended to reinstall Windows since it is impossible to know exactly what has been changed in the computer when it has been open for others to control. Please change all passwords used in the computer and on the internet, either now from a clean computer or from this computer when it has been reinstalled or cleaned. You should also contact your bank etc. if the computer is used for financial transactions. But if you don't want to reinstall Windows, I'll try to help you clean the computer.

1. Do you miss any menu items in the start menu, e.g. My Pictures or Recent Documents, or on the desktop, e.g. My Computer?

2. Turn off all programs, including the antivirus program and similar programs. Run RogueKiller (in Vista and Windows 7 right-click the program and select "Run as administrator"). Wait until "Prescan" has finished. Select the "Files" tab and select the following entries, but no others:

[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\n --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\n --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\@ --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\U --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\L --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\L --> FOUND

Click the "Delete" button. Restart the computer.
A new report with a name similar to RKreport.txt should have been created on the desktop. Please post it in your answer. I prefer if you paste the content of the log without using any buttons or tags.

3. Run ComboFix in the same way as before and post that log, too.

4. Please download aswMBR to your desktop: http://public.avast.com/~gmerek/aswMBR.exe
Restart the computer and don't start any programs. Double-click it to start aswMBR. Allow it to download the latest definitions, if it asks. Click the Scan button to start the scan. When the scan has finished, click the Save log button and save it to your desktop. Post the log.
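An added example, not part of the thread and not code from RogueKiller or ComboFix: a small triage script that reads pasted report lines and pulls out the four things worth acting on in the logs above, namely the ZeroAccess files and folders under C:\RECYCLER\<SID>\$<32 hex>\ (n, @, U, L), the SSDT hook on NtConnectPort, the Security Center override values (AntiVirusOverride, FirewallOverride, DisableMonitoring) that silence the "no antivirus/firewall" warnings, and Run entries whose command is a bare file name with no path (CTHELPER.EXE, which RogueKiller later killed as [SUSP PATH]). The regular expressions follow the line formats visible in the logs and are an assumption about those formats; SAMPLE_LOG is constructed from lines in the thread. The ZeroAccess folder naming (a dollar sign plus 32 hex characters) is taken from the paths RogueKiller reported.

```python
"""Triage pasted RogueKiller / ComboFix report lines for ZeroAccess artifacts,
SSDT hooks, Security Center overrides and path-less Run entries.

Added example, not from the thread or from either tool. Regexes follow the
log formats shown in the thread; SAMPLE_LOG is constructed from them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# ZeroAccess payload folder: per-SID Recycle Bin, '$' + 32 hex chars, holding
# files 'n' and '@' and folders 'U' and 'L' (as seen in the RogueKiller log).
ZA_PATH = re.compile(
    r"(?P<path>[A-Za-z]:\\RECYCLER\\(?P<sid>S-1-5-[\d-]+)\\\$(?P<hash>[0-9a-f]{32})"
    r"\\(?P<item>[n@UL]))(?=\s|$)", re.IGNORECASE)
# RogueKiller: SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x87C0E4A0)
SSDT_HOOK = re.compile(
    r"SSDT\[(?P<idx>\d+)\]\s*:\s*(?P<fn>\w+)\s*@\s*0x[0-9A-Fa-f]+"
    r"\s*->\s*HOOKED\s*\((?P<owner>[^@)]+?)\s*@\s*(?P<hook>0x[0-9A-Fa-f]+)\)")
# ComboFix prints registry data REGEDIT4-style: [key] followed by "name"=value.
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+|HK[A-Z]{2}\\[^\]]+)\]")
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9A-Fa-f]{8})')
REG_STRING = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
# Non-zero values suppress Security Center alerts about AV/firewall state.
SC_FLAGS = {"antivirusoverride", "firewalloverride", "disablemonitoring"}


@dataclass
class Findings:
    zeroaccess: List[Tuple[str, str, str, str]] = field(default_factory=list)  # sid, hash, item, path
    ssdt_hooks: List[Tuple[int, str, str, str]] = field(default_factory=list)  # index, fn, owner, addr
    sc_overrides: List[Tuple[str, str, int]] = field(default_factory=list)     # key, name, value
    pathless_run: List[Tuple[str, str, str]] = field(default_factory=list)     # key, name, command

    def is_compromised(self) -> bool:
        # Either indicator alone is enough: in the thread the NtConnectPort hook
        # was still present after the RECYCLER files had been deleted.
        return bool(self.zeroaccess or self.ssdt_hooks)


def triage(lines) -> Findings:
    """Walk the report line by line, tracking the current registry key."""
    f = Findings()
    current_key = ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = ZA_PATH.search(line)
        if m:
            f.zeroaccess.append((m["sid"], m["hash"].lower(), m["item"], m["path"]))
            continue
        m = SSDT_HOOK.search(line)
        if m:
            f.ssdt_hooks.append((int(m["idx"]), m["fn"], m["owner"].strip(), m["hook"]))
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"]
            continue
        m = REG_DWORD.match(line)
        if m:
            value = int(m["val"], 16)
            if ("security center" in current_key.lower()
                    and m["name"].lower() in SC_FLAGS and value != 0):
                f.sc_overrides.append((current_key, m["name"], value))
            continue
        m = REG_STRING.match(line)
        if m and current_key.lower().endswith("\\currentversion\\run"):
            # A bare image name is resolved through the search path at logon;
            # locate the file on disk before trusting it.
            if "\\" not in m["cmd"]:
                f.pathless_run.append((current_key, m["name"], m["cmd"]))
    return f


def summarize(f: Findings) -> List[str]:
    out = []
    if f.zeroaccess:
        hashes = sorted({h for _, h, _, _ in f.zeroaccess})
        out.append(f"ZeroAccess artifacts: {len(f.zeroaccess)} under $"
                   + ", $".join(hashes))
    for idx, fn, owner, addr in f.ssdt_hooks:
        out.append(f"SSDT[{idx}] {fn} hooked by {owner} at {addr}")
    for key, name, value in f.sc_overrides:
        out.append(f"Security Center override {name}={value} in {key}")
    for key, name, cmd in f.pathless_run:
        out.append(f"Run entry without path: {name} = {cmd}")
    out.append("VERDICT: " + ("compromised" if f.is_compromised() else "no rootkit indicators"))
    return out


# Constructed sample, assembled from lines quoted in the thread.
SAMPLE_LOG = r"""
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\n --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\L --> FOUND
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x87C0E4A0)
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"CTHelper"="CTHELPER.EXE" [2005-08-07 16384]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it on a saved report with `python triage.py < RKreport.txt` after swapping SAMPLE_LOG for `sys.stdin`. The script deliberately does not flag the FlashBroker CLSID keys ComboFix lists under LOCKED REGISTRY KEYS; those belong to Adobe Flash Player. Note also that the verdict stays "compromised" on a report whose ZeroAccess lines are gone but whose SSDT line remains, which is exactly the state the thread's second RogueKiller scan reported.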
Vegas_Bear (posted January 9, 2013)

I'd like to try and clean the PC if possible; I don't know how to re-install Windows. I didn't notice anything funny on the start menu, I already had those taken off of the menu. I re-ran RogueKiller and under the Files tab it was empty. Here is the log.

RogueKiller

RogueKiller V8.4.2 [Jan 6 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Bear [Admin rights]
Mode : Scan -- Date : 01/08/2013 19:47:31

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] CTHELPER.EXE -- C:\WINDOWS\CTHELPER.EXE -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8764A5E8)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 9ed3d55b79aa35a51b1526fe86f2e546
[BSP] 6e10de559c15b72a6e89fbc7457d0b08 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[3]_S_01082013_02d1947.txt >>
RKreport[1]_S_01082013_02d0956.txt ; RKreport[2]_S_01082013_02d1937.txt ; RKreport[3]_S_01082013_02d1947.txt

ComboFix

ComboFix 13-01-08.01 - Bear 01/08/2013 19:52:13.6.2 - x86
Running from: c:\documents and settings\Bear\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2012-12-09 to 2013-01-09 )))))))))))))))))))))))))))))))
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-20 19:11 . 2012-04-06 18:36 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-20 19:11 . 2011-06-18 20:57 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2003-03-31 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 20:29 . 2012-11-13 20:29 354216 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-11-13 01:25 . 2003-03-31 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2008-04-12 12:44 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2003-03-31 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-24 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2002-12-03 143360]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-05-29 520192]
"CTHelper"="CTHELPER.EXE" [2005-08-07 16384]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 18944]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-07-27 35768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-02-23 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-23 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\Bear\Start Menu\Programs\Startup\
restart_vs.lnk - F:\Viewsonic.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-18 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - EraserUtilDrv11220
*Deregistered* - EraserUtilRebootDrv
*Deregistered* - TrueSight
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-08 c:\windows\Tasks\Ad-Aware Scan (daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]
.
2013-01-08 c:\windows\Tasks\Ad-Aware Scan (weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]
.
2012-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 08:39]
.
2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 08:39]
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-08 20:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 CTHelper = CTHELPER.EXE?
 CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3596)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-01-08 20:05:31
ComboFix-quarantined-files.txt 2013-01-09 04:05
ComboFix2.txt 2013-01-08 18:12
ComboFix3.txt 2011-06-15 17:08
.
Pre-Run: 161,293,881,344 bytes free
Post-Run: 161,291,800,576 bytes free
.
- - End Of File - - 056B17C880C69EDEBE128F09A8332B96

aswMBR (a smart scan was done)

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-01-08 20:08:34
-----------------------------
20:08:34.765 OS Version: Windows 5.1.2600 Service Pack 3
20:08:34.765 Number of processors: 2 586 0x2302
20:08:34.765 ComputerName: LARRY-GAME-BOX UserName: Bear
20:08:36.843 Initialize success
20:12:24.328 AVAST engine defs: 13010801
20:12:57.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
20:12:57.125 Disk 0 Vendor: WDC_WD5000AACS-00ZUB0 01.01B01 Size: 476940MB BusType: 3
20:12:57.140 Disk 0 MBR read successfully
20:12:57.140 Disk 0 MBR scan
20:12:57.218 Disk 0 Windows XP default MBR code
20:12:57.218 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
20:12:57.234 Disk 0 scanning sectors +976752000
20:12:57.296 Disk 0 scanning C:\WINDOWS\system32\drivers
20:13:10.343 Service scanning
20:13:30.203 Modules scanning
20:13:37.875 Disk 0 trace - called modules:
20:13:37.890 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
20:13:37.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7d6ab8]
20:13:37.890 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000076[0x8a7ee9e8]
20:13:37.890 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-17[0x8a7bad98]
20:13:40.109 AVAST engine scan C:\WINDOWS
20:13:58.593 AVAST engine scan C:\WINDOWS\system32
20:17:57.421 AVAST engine scan C:\WINDOWS\system32\drivers
20:18:33.546 AVAST engine scan C:\Documents and Settings\Bear
20:21:59.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bear\Desktop\MBR.dat"
20:21:59.375 The log file has been saved successfully to "C:\Documents and Settings\Bear\Desktop\aswMBR.txt"
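Both RogueKiller's "MBR Check" and aswMBR's "MBR scan" in the post above do the same three things: read sector 0, decode the partition table (here one active NTFS partition of type 0x07 at sector offset 63, 476929 MB) and compare the boot code against known-good code ("Windows XP MBR Code" / "Windows XP default MBR code"). The following is an added example, not the thread's content and not either tool's code, that performs that check on a raw 512-byte sector, for instance the MBR.dat that aswMBR saved to the desktop. The sample sector, its placeholder boot code and the "known-good" hash set are all constructed here and are assumptions; the tools' real hash values are not reproduced. The partition entry is built to match the layout the logs report, so the decoded size comes out at 476929 MB.

```python
"""Parse and sanity-check a raw 512-byte MBR: boot signature, partition
table, and a hash of the boot code compared against a known-good set.

Added example. The sample sector and the known-good hash are constructed
here; neither RogueKiller's nor aswMBR's hash list or the real Windows XP
boot code is reproduced.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Set

SECTOR = 512
BOOT_CODE_END = 440        # bytes 0..439 boot code; 440..443 NT disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class Partition:
    index: int
    active: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)


def boot_code_sha256(sector: bytes) -> str:
    # The 4-byte disk signature at 440..443 differs on every machine, so it
    # is left out; otherwise no two clean disks would share a hash.
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def parse_partitions(sector: bytes) -> List[Partition]:
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:         # empty slot
            continue
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte 0x{status:02x}")
        parts.append(Partition(i, status == 0x80, ptype, start, count))
    return parts


def check_mbr(sector: bytes, known_good: Set[str]) -> Dict[str, object]:
    """Return the decoded table plus a list of problems (empty when clean)."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = parse_partitions(sector)
    digest = boot_code_sha256(sector)
    active = [p for p in parts if p.active]
    problems = []
    if digest not in known_good:
        problems.append("boot code does not match any known-good hash")
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions (expected 1)")
    for p in parts:
        if p.start_lba == 0:
            problems.append(f"entry {p.index} starts at LBA 0 (overlaps the MBR)")
    return {"boot_code_sha256": digest, "partitions": parts,
            "problems": problems, "ok": not problems}


def build_mbr(boot_code: bytes, parts: List[Partition], disk_sig: int = 0) -> bytes:
    """Assemble a sector from its pieces (used here to construct the sample)."""
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, 440, disk_sig)
    for p in parts:
        struct.pack_into("<B3xB3xII", buf, PART_TABLE_OFF + 16 * p.index,
                         0x80 if p.active else 0x00, p.type_id, p.start_lba, p.sectors)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed sample: placeholder boot code (not real XP code) and the layout
# the thread's logs report, one active NTFS partition starting at sector 63.
SAMPLE_BOOT_CODE = b"\xeb\x3c\x90SAMPLE-XP-LIKE-BOOT-CODE".ljust(BOOT_CODE_END, b"\x00")
SAMPLE_LAYOUT = [Partition(0, True, 0x07, 63, 976750592)]   # 476929 MB
SAMPLE_MBR = build_mbr(SAMPLE_BOOT_CODE, SAMPLE_LAYOUT, disk_sig=0x1234ABCD)
KNOWN_GOOD = {boot_code_sha256(SAMPLE_MBR)}   # assumed baseline for the sample


def tampered_sample() -> bytes:
    # Simulate a bootkit that overwrote the first bytes of the boot code.
    buf = bytearray(SAMPLE_MBR)
    buf[0:3] = b"\xe9\x00\x01"
    return bytes(buf)


if __name__ == "__main__":
    for label, sec in (("clean", SAMPLE_MBR), ("tampered", tampered_sample())):
        r = check_mbr(sec, KNOWN_GOOD)
        print(label, "OK" if r["ok"] else r["problems"])
        for p in r["partitions"]:
            print(f"  entry {p.index}: active={p.active} type=0x{p.type_id:02x} "
                  f"start={p.start_lba} size={p.size_mb} MB")
```

To check a real disk, replace SAMPLE_MBR with `open("MBR.dat", "rb").read(512)` and populate KNOWN_GOOD with hashes taken from a machine you trust; a hash mismatch alone only says the boot code is not on your list, which is also what happens with vendor-customized boot code, so treat it as a prompt to inspect the sector rather than as proof of a bootkit.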
CeciliaB (posted January 9, 2013)

Please post RKreport[2]_S_01082013_02d1937.txt, which I haven't seen.

"I didn't notice anything funny on the start menu, I already had those taken off of the menu."

Good, sometimes the malicious programs remove the menu items and then we could get them back.

1. Please run DDS again and post DDS.txt.

2. Run an online scan with Eset: http://www.eset.com/onlinescan/
To shorten the scanning time, disable your antivirus program while scanning.
Un-check "Remove found threats"
Check "Scan Archives"
Click "Advanced Settings"
Check:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Click Scan
When the scan is finished, copy the result and paste its content in your answer.
Vegas_Bear (posted January 10, 2013)

The Eset scan took 17 hrs; when done nothing was found and no log was produced. I ran the 3rd RK scan because the 2nd one didn't contain the files you said to remove. It is posted below along with the new DDS scan.

RogueKiller 2nd scan

RogueKiller V8.4.2 [Jan 6 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Bear [Admin rights]
Mode : Scan -- Date : 01/08/2013 19:37:14

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x87C0E4A0)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 9ed3d55b79aa35a51b1526fe86f2e546
[BSP] 6e10de559c15b72a6e89fbc7457d0b08 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_S_01082013_02d1937.txt >>
RKreport[1]_S_01082013_02d0956.txt ; RKreport[2]_S_01082013_02d1937.txt

DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Bear at 8:57:18 on 2013-01-09
.
============== Running Processes ================
.
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [statusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\bear\startm~1\programs\startup\restar~1.lnk - f:\Viewsonic.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208005737100
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343110122984
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{8DA20054-D070-43F6-8030-E1EC8F25A103} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
=============== Created Last 30 ================
.
2013-01-08 17:57:11 98816 ----a-w- c:\windows\sed.exe
2013-01-08 17:57:11 256000 ----a-w- c:\windows\PEV.exe
2013-01-08 17:57:11 208896 ----a-w- c:\windows\MBR.exe
.
==================== Find3M ====================
.
2012-12-20 19:11:07 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-20 19:11:06 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 20:29:04 354216 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 8:59:46.21 ===============
CeciliaB Posted January 10, 2013

How is the computer behaving now?

What antivirus program etc. do you plan to have? At the moment you don't have a reliable solution.

Please, uninstall:
Java 6 Update 24
Java 6 Update 26

Those are old versions with known vulnerabilities that can be exploited by a web page to easily infect the computer. Use Secunia's Software Inspector to check if you have other old versions with vulnerabilities. http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/ describes how to install and use the program.
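The Java versions CeciliaB asks to remove can be read straight out of the DPF lines of the DDS log posted above, and the uRun/mRun/dRun lines are the autorun entries a helper walks through. As an added example (not part of this thread or of DDS itself), the following Python parses a constructed sample in that log layout, lists the Run entries whose executable is not given with a full path, and flags Java 6 installs older than an update level the caller supplies (the log cannot know which update is current; 38 below is only a placeholder value).

```python
import re

# Constructed sample in the DDS "Pseudo HJT Report" layout seen in this
# thread (paths trimmed; hxxp is the log's defanged http).
SAMPLE_LOG = """\
uRun: [swg] "c:\\program files\\google\\googletoolbarnotifier\\GoogleToolbarNotifier.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"
mRun: [CTHelper] CTHELPER.EXE
dRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208005737100
"""

RUN_RE = re.compile(r'^([umd])Run: \[([^\]]*)\] (.+)$')
JINSTALL_RE = re.compile(r'jinstall-(\d+)_(\d+)_(\d+)_(\d+)-')

def parse_run_entries(log):
    """(scope, name, command) per uRun/mRun/dRun line; scope u = current
    user, m = machine (HKLM), d = default user, as DDS abbreviates them."""
    out = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out

def unqualified_commands(entries):
    """Run entries whose executable carries no drive or directory and is thus
    found by PATH search at logon; worth a manual check, since a same-named
    file earlier in the PATH would be started instead."""
    flagged = []
    for scope, name, command in entries:
        exe = command.split()[0].strip('"')
        if ':' not in exe and '\\' not in exe:
            flagged.append((scope, name, exe))
    return flagged

def java_updates_from_dpf(log):
    """(version, update) for every jinstall DPF entry, i.e. every Java
    runtime still registered for in-browser use."""
    return sorted({(".".join(m.group(1, 2, 3)), int(m.group(4)))
                   for m in JINSTALL_RE.finditer(log)})

def outdated_java(log, current_update):
    """Java 6 installs below current_update, the update level the caller
    treats as current (an input; the log cannot tell you what is current)."""
    return [f"Java 6 Update {u}" for v, u in java_updates_from_dpf(log)
            if v == "1.6.0" and u < current_update]
```

Running `outdated_java(SAMPLE_LOG, 38)` on the sample returns the same two entries CeciliaB named, and `unqualified_commands` points at the two Run lines (Logi_MwX.Exe, CTHELPER.EXE) that give no directory at all.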
Vegas_Bear Posted January 10, 2013

So I guess the Norton is no good. What antivirus program would you suggest? I will check with Secunia's Software Inspector for older versions of programs. The two Java updates were removed.

Bear

EDIT: a friend recommended these, are they any good?
SuperAntiSpyware
AVG 2013

Edited January 10, 2013 by Vegas_Bear
CeciliaB Posted January 10, 2013

Time for final clean-up.

1. Removal of ComboFix and all system restore points since they might be infected.
Press Windows-key + R
Copy and paste this line: ComboFix /Uninstall
Note the space before /
Click on OK.

2. Removal of tools
Download OTC http://oldtimer.geekstogo.com/OTC.exe
Close all programs.
Start OTC program.
Click the CleanUp! button.
Select Yes when asked "Begin cleanup process".
If you are asked to reboot, select Yes.
If any logs remain on the computer you can remove them. Any tools left?

3. Improve the security in the computer
It is very important to keep Windows and all programs updated. An old version of, for example, Flash contains vulnerabilities that make it easy to infect the computer from a web page. To help you with keeping everything updated you can use the program Secunia Personal Software Inspector (PSI). http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/ describes how to install and use the program.

Norton is good, but you need to have the latest version, Norton Antivirus 2013. In my humble opinion SuperAntiSpyware doesn't find much more than cookies these days, and cookies are never dangerous for the computer. This is the forum for Ad-Aware; Lavasoft certainly recommends that you have Ad-Aware 10 Antivirus+, Personal or Pro Security.
Vegas_Bear Posted January 10, 2013

Using Secunia's Software Inspector, it says I need to update the below security update.

Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2742597)

I have tried several times to update this and it fails every time. I have restarted the PC and re-downloaded the file and still no go. Any thoughts?

Bear
CeciliaB Posted January 11, 2013

Try to install it by doing a "clean boot", see http://support.microsoft.com/kb/310353, Method 2, Steps 1, 2 and 3; instead of Step 4, run Windows Update, then do "Steps to configure..." to restore normal boot afterwards.
Vegas_Bear Posted January 13, 2013

The PC seems to be running smoothly, but I followed the steps above to try and update the .NET Framework. It still failed. I followed the other steps to remove ComboFix and the other tools.

Bear
Pierre67 Posted January 13, 2013

Try from the attached link. http://answers.microsoft.com/en-us/windows/forum/windows_xp-windows_update/windows-update-kb-2742597-has-repeatedly-failed-to/936a6420-c6e3-4ee9-a14d-1e1095bf6293
Vegas_Bear Posted January 13, 2013

Thank you Pierre67. That method worked out perfectly. Greatly appreciated,

Bear
CeciliaB Posted April 24, 2013

Since this issue appears to be resolved, this Topic has been closed. Glad we could help. If you're the topic starter and need this topic reopened, please contact the staff member who was helping you with your issue. Everyone else, please begin a New Topic. Thank you!