0

I think I may have a virus. I cannot open anything from my desktop. I get an error of "This file does not have a program associated with it for performing this action. Create an association in the folder options control panel".

Everything looks good in folder options. I redownloaded MBAM but when I go to open it I get the error that the computer wants to search the web for a program to run .exe files. I cannot get into system restore.

So I cannot run any AV software because the computer does not recognize the .exe file.

Safe mode does not better.

Is there any direction someone can point me into?

THanks
Scott

4
Contributors
40
Replies
41
Views
7 Years
Discussion Span
Last Post by jholland1964
0

We need a lot more information. What operating system are you using? When did this begin? Have you downloaded any new programs lately? Updated any hardware or added new hardware? Does this also happen in Safe Mode? If you don't know, try it and see.

0

Sorry on the lack of info. I usually try to run what is in pinned thread and post all the logs but I cannot run any of them. The system cannot run any .exe files at all.

Safe mode gets the same results.

No new downloaded software. The user said he did get a popup right before everything failed on sat.

System is XP Pro.

I am trying to avoid a system format if I can.

0

The user? This is not your computer? It would help to know what the pop up said and what the user was doing at the time.

0

It is one of my computers. I have 3-4 users that share a few computers. I was not on the computer when it happened.

He was on AOL.com when a window popped up which he thought was results of an automatic scan through Trend Micro (our AV software). That was it. It might have been a driveby of some sort. I just wish I could run somehting to try to figure out what it was.

Thanks for trying to help with this.
Scott

0

Honestly without knowing what that pop up was we don't know. Does sound like a drive by of some kind but would help to know what the pop up said. Did it look like an anti-virus pop up?

0

He said it did look like an antivirus popup. He thought everything fine but it was at that point everything quit working. I do not think it was from our AV software.

0

Do you know if he clicked on it, or did it ask him to click to clean or whatever? Just trying to narrow down what this might be.

0

Tell you what, since you are pretty much "frozen" out of everything it cannot hurt to try this:
It is a tiny little program called rkill which maybe can stop whatever process is stopping You from doing anything. It sure can't hurt things any worse than they are right now.

You very likely will have to do this by downloading these files, putting them on a flash drive and then taking them to the infected computer and putting them on the computer from there.

Here are are three versions of RKill - all identical except that each one uses a different extension in order to avoid being blocked by a trojan:
http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/rkill.pif
BE AWARE that some AV apps will give you an alert when you try to download RKILL.PIF. It may warn you that the PIF file was an executable (normally PIF files are not). Just ignore the warning.

I would recommend downloading them all and try each one until one of them loads.
Double-click on the rkill.com in order to automatically attempt to stop any processes associated with whatever this may be. Please be patient while the programs looks for various programs and closes them. When it has finished, the black window will automatically close. Do not reboot your computer at this point, or the programs will start again.
Then try to open MBA-M, update it and then run a Full System scan with it. When it is complete have it Remove Everything found.
If MBA-M tells you it must reboot AFTER completing the scan then go ahead and allow it to reboot. IF it tells you it must reboot BEFORE completing the scan, DON'T.
Reply back here with either the results of these attempts or hopefully the MBA-M log.
Judy

0

THanks. I'll work on this.

He said he did not click anything other than close. He cannot remember if it was the red "x" or actually the words close. I keep explaining to these guys that all you can click is the red "x" otherwise it might start downloading a virus.

I'll report back when I try some of these things.

One more thing, I can get onto the internet with this computer still. I cannot download any .exe files though. Not sure if this changes the approach or not.

Thanks

0

New rule DON'T click anything! There are some of these nasty items now that only need the click to install, even if it is clicking to close. So no clicking.
Download the rkill to a flash drive. Take them to the infected computer and put them on there that way. This requires no internet access so that shouldn't figure into this. Plus, it may be if you can stop the processes using rkill then internet access would be restored. If it isn't just try to run MBA-M without the update. If this doesn't work, let me know.
Judy

0

Good news, I got all three of those files to work. I opened MBAM and updated. It asked to reboot and I did not. MBAM is running right now. It has already found infected items so I will post log when complete.

Thanks for your help.

0

MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/8/2010 1:47:13 PM
mbam-log-2010-03-08 (13-47-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 301374
Time elapsed: 2 hour(s), 20 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\SigmaTEK Shared\Hasp\NetTest.exe (Malware.Packer.T) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\twain_32 (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32 (Trojan.Zbot) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common Files\SigmaTEK Shared\Hasp\NetTest.exe (Malware.Packer.T) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds (Trojan.Zbot) -> Quarantined and deleted successfully.

0

Hey Scott,

I didn't see you were back - should've dropped a PM on me :)

Looks like you and Judy are cruising along.

-- That baddie removed by MBAM is an older "banker" trojan designed to harvest passwords and other sensitive info. We couldn't tell you what or how much data has been compromised, but you should be aware that this was on one of your compys.....

Best :)
PP

0

Hey PP! Your right I should have shot this past you. I guess I got to excited.

So is it safe to assume that I am good to go or should I produce more logs?

Any clue how this might have been downloaded?

THanks
Scott

0

Hey PP! Your right I should have shot this past you. I guess I got to excited.
So is it safe to assume that I am good to go or should I produce more logs?
Any clue how this might have been downloaded?
THanks
Scott

Lordy no Scott, no way are you done. The MBA-M program is way out of date. You need to update it and run another full scan with it. Have it remove all found and reboot. Post back with that new log.

Then you also need to do the DDS by sUBs scan by following the instructions below.
Be sure follow the instructions below carefully!

• If your AV has a script blocker, please disable it
• DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

• Copy&Paste the DDS.txt into your post.
• Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Judy

0

Hey PP! Your right I should have shot this past you. I guess I got to excited.

Any clue how this might have been downloaded?

You are in good hands with Judy - she is probably more up to date than I am on the latest threats.

If I am not mistaken, this is part of an older family of password logging malware. I have no idea how long it could've been on the machine.
If this compy was one that we/you dealt with during the last infection, then I imagine it would've been between now and then.

If this was part of your employee network, well. . . it could've come from anywhere.

I am starting to hit one of my "busy periods," but will be around if you and Judy need a second opinion. At this point, my only suggestion would be to run some sort of ARK tool, but I'm sure Judy has that covered.

Cheers :)
PP

0

Lordy no Scott, no way are you done. The MBA-M program is way out of date. You need to update it and run another full scan with it. Have it remove all found and reboot. Post back with that new log.

Then you also need to do the DDS by sUBs scan by following the instructions below.
Be sure follow the instructions below carefully!

• If your AV has a script blocker, please disable it
• DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

• Copy&Paste the DDS.txt into your post.
• Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Judy

The MBAM was run with a fresh update so that log was with current updates. I will run another in the morning and post log again. I will also post and attach the other logs once run. Thanks for your help Judy!!

PP, this is one of the terminals that had some trouble in the past. Has been fine since.

I really appreciate all the help everyone offers on their own time here. You guys are a savior for sure!

Scott

0

The MBAM was run with a fresh update so that log was with current updates. I will run another in the morning and post log again. I will also post and attach the other logs once run. Thanks for your help Judy!!

PP, this is one of the terminals that had some trouble in the past. Has been fine since.

I really appreciate all the help everyone offers on their own time here. You guys are a savior for sure!

Scott

No Scott it wasn't updated. I shows:

Database version: 3510

That is the install database. The current database from today is 3838. Remember, I told you not to reboot if MBA-M asked you to, so you didn't. That was the correct thing, not reboot but just run the scan. But you need now to update MBA-M and run another Full System scan just like before, have it remove what it finds and then reboot and to the DDS scan. Post back with both logs.
Judy

0

MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3839
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/9/2010 8:23:29 AM
mbam-log-2010-03-09 (08-23-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 315677
Time elapsed: 1 hour(s), 26 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by mikekafka at 8:34:18.61 on Tue 03/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.538 [GMT -6:00]

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning disabled* (Outdated) {1CA58887-907A-48FF-9D41-A84F2917BF08}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\SolidWorks (3)\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\PDF Complete\pdfsaver.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\Client Server Security Agent\Misc\xpupg.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MikeKafka\Local Settings\Temporary Internet Files\Content.IE5\GBIL0PR3\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1003\TmIEPlg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [HP Network Registry Agent] c:\windows\system32\hpnra.exe
mRun: [SolidWorks_CheckForUpdates] "c:\program files\common files\solidworks installation manager\scheduler\sldIMScheduler.exe" /scheduler
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [OE] "c:\program files\trend micro\client server security agent\tmas_oe\TMAS_OEMon.exe"
mRunOnce: [TSC] "c:\program files\trend micro\client server security agent\tsc.exe" /HD
StartupFolder: c:\docume~1\mikeka~1\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks2007\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 4.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123157963078
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147958819945
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/pages/services/subscription/downloads/sldimdownload.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://symantec.webex.com/client/T26L10NSP49EP23/support/ieatgpc.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2005\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1003\TmIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 nwprovau
Hosts: 94.232.248.66 antivaresys.com
Hosts: 94.232.248.66 www.antivaresys.com

0

For some reason I cannot attach. I keep getting "Error on page"

Attach:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/4/2005 7:16:43 AM
System Uptime: 3/8/2010 1:50:26 PM (19 hours ago)

Motherboard: Hewlett-Packard | | 09E0h
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | XU1 PROCESSOR | 3192/800mhz

==== Disk Partitions =========================


==== Installed Programs ======================

Adobe Acrobat 4.0
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.9
APC PowerChute Personal Edition
Borland Developer Studio 2006 Runtime Redistributables
Broadcom Management Programs
CADKEY 99
CCleaner
COSMOSFloWorks 2008 SP0
COSMOSMotion 2008 SP0
COSMOSWorks 2008 SP0
Critical Update for Windows Media Player 11 (KB959772)
DWGeditor
eDrawings 2008
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Help and Support
hp LaserJet 5100 Uninstaller
HP Safety and Comfort Guide
Index Dat Spy 2.1.0
Intel(R) Graphics Media Accelerator Driver
InterVideo WinDVD
J2SE Runtime Environment 5.0
Java(TM) 6 Update 17
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office 2003 Web Components
Microsoft Office Standard Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Express Edition (SIGMANEST)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
OGA Notifier 2.0.0048.0
PDF Complete
PrimoPDF
QuickBooks
QuickBooks Pro 2009
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SigmaNEST 8.1 D40
Software Setup
SolidWorks 2008 SP0
SolidWorks 2008 SP05
SolidWorks Explorer 2008 sp05
SoundMAX
SupportSoft Assisted Service
Tile Print
Trend Micro Client/Server Security Agent
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
View32
Viewer V7
Visual Studio 2005 Tools for Office Second Edition Runtime
VNC Free Edition 4.1.1
WebEx
WebFldrs XP
Windows Desktop Search 3.01
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
Xerox Support Centre
XML Paper Specification Shared Components Pack 1.0

==== End Of File ===========================

0

Download HostXpert and run it. When it opens, click on the Restore MS Hosts button and then exit HostsXpert.
You have some out of date programs on there, Java is one. Current version is 6 update 18. You need to download a new copy from HERE, choose offline install and save it to the desk top.
Then close all browsers go to Add/Remove and uninstall the two old versions showing there. Once they are uninstalled then double click that install file on the desk top to install the new version, watch the install, very often it will give you extra toolbars, like yahoo. There is a check box on there with the check mark all ready in it for anything extra, remove those check marks. Proceed with the install and when it is complete go back to the download page and click Verify Now to go to the verification page to be certain the install was successful.

Download and run a Full System Scan with HiJackThis. Post back here with that log.

0

Old Java removed and new Java installed.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:17 AM, on 3/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\SolidWorks (3)\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\PDF Complete\pdfsaver.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Trend Micro\Client Server Security Agent\Misc\xpupg.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\Client Server Security Agent\bho\1003\TmIEPlg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [OE] "C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [TSC] "C:\Program Files\Trend Micro\Client Server Security Agent\tsc.exe" /HD
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks2007\swScheduler\swBOEngine.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123157963078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147958819945
O16 - DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} (sldimdownloadiface Class) - http://www.solidworks.com/pages/services/subscription/downloads/sldimdownload.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://symantec.webex.com/client/T26L10NSP49EP23/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Kafka.local
O17 - HKLM\Software\..\Telephony: DomainName = Kafka.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Kafka.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Kafka.local
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2005\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\Client Server Security Agent\bho\1003\TmIEPlg.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks (3)\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
O23 - Service: Trend Micro Client/Server Security Agent Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 9692 bytes

0

What about HostXpert? You do show two bad sites in the hosts file in the DDS log. Known hijacker.
Are you using Yahoo search as your search engine?

Edited by jholland1964: n/a

0

I ran HostXpert, but wasn't sure what to do. You said to run it then click restore ms hosts then exit. Is there a log generated? I might have to re-run that one if there is.

0

No, there is no log generated. What it does is remove those bad host entries and puts it back to the MS default host. No log generated there. Just wanted to be sure you ran it.

Edited by jholland1964: n/a

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.