Solve : Request for malware removal assistance?

Answer

OK, here is the ComboFix log! Thank you.

ComboFix 10-01-14.02 - Mary Kate 01/19/2010 16:04:57.5.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.958.448 [GMT -5:00]
Running from: c:\users\Mary Kate\Downloads\ComboFix.exe
Command switches used :: c:\users\Mary Kate\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-19 21:18 . 2010-01-19 21:27 -------- d-----w- c:\users\Mary Kate\AppData\Local\temp
2010-01-19 21:18 . 2010-01-19 21:18 -------- d-----w- c:\users\Sega\AppData\Local\temp
2010-01-19 21:18 . 2010-01-19 21:18 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-19 21:18 . 2010-01-19 21:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-19 21:18 . 2010-01-19 21:18 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-01-19 21:02 . 2010-01-19 21:02 -------- d-----w- C:\32788R22FWJFW
2010-01-19 02:49 . 2010-01-19 02:49 -------- d-----w- c:\program files\ESET
2010-01-13 03:53 . 2010-01-13 03:53 -------- d-----w- c:\windows\system32\config\systemprofile\{1d30e7a1-2a41-43cc-b339-46892ab7ddfd}
2010-01-12 23:50 . 2009-10-19 14:42 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 23:50 . 2009-10-19 14:39 24064 ----a-w- c:\windows\system32\lpk.dll
2010-01-12 23:50 . 2009-10-19 14:37 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 23:50 . 2009-10-19 14:37 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-12 23:50 . 2009-10-19 14:36 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-01-12 23:50 . 2009-10-19 11:45 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-01-12 22:59 . 2010-01-12 22:59 -------- d-----w- c:\users\Mary Kate\AppData\Local\{6BAF7A6F-C530-45D9-9789-ECFAF9BFDDF2}
2010-01-11 18:09 . 2010-01-11 18:10 -------- d-----w- c:\users\Mary Kate\AppData\Local\{A8FFFAA9-FE10-424E-A3EB-69CCF85B4075}
2010-01-10 23:05 . 2007-08-29 03:06 542720 ----a-w- c:\windows\system32\sysmain.dll
2010-01-10 23:04 . 2007-09-11 02:20 356864 ----a-w- c:\windows\system32\MediaMetadataHandler.dll
2010-01-10 23:04 . 2009-08-31 15:16 428032 ----a-w- c:\windows\system32\EncDec.dll
2010-01-10 23:04 . 2009-08-31 15:21 292352 ----a-w- c:\windows\system32\psisdecd.dll
2010-01-10 23:04 . 2009-08-31 15:17 1244672 ----a-w- c:\windows\system32\mcmde.dll
2010-01-10 23:04 . 2007-10-26 11:14 211000 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-01-10 23:04 . 2008-01-19 05:08 109624 ----a-w- c:\windows\system32\drivers\ataport.sys
2010-01-10 23:04 . 2008-01-19 05:07 45112 ----a-w- c:\windows\system32\drivers\pciidex.sys
2010-01-10 23:04 . 2008-01-19 05:06 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-10 23:04 . 2008-01-19 05:06 15928 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-01-10 23:04 . 2008-01-19 03:06 154624 ----a-w- c:\windows\system32\drivers\nwifi.sys
2010-01-10 23:04 . 2008-10-21 05:16 1645568 ----a-w- c:\windows\system32\connect.dll
2010-01-10 23:02 . 2009-08-29 03:41 1686528 ----a-w- c:\windows\system32\gameux.dll
2010-01-10 23:02 . 2009-08-29 03:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-10 23:02 . 2009-08-28 23:31 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-10 22:58 . 2007-01-26 03:00 974336 ----a-w- c:\windows\system32\crypt32.dll
2010-01-10 22:56 . 2009-09-10 15:29 311296 ----a-w- c:\windows\system32\unregmp2.exe
2010-01-10 22:56 . 2009-09-10 17:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-01-10 22:55 . 2009-09-10 17:40 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-01-10 22:55 . 2009-09-10 15:29 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-10 22:01 . 2010-01-10 22:01 -------- d-----w- c:\users\Mary Kate\AppData\Local\{C6E8522D-C5C1-4F4B-89A5-77A2C5760C1F}
2010-01-10 18:58 . 2010-01-10 18:58 -------- d-----w- c:\users\Mary Kate\AppData\Local\{9E06EAA5-533A-4F87-B916-9597182D73BE}
2010-01-10 12:49 . 2010-01-10 12:49 -------- d-----w- c:\users\Mary Kate\AppData\Local\{2FADB93F-5DB7-4BD9-A96D-E633F27F0DDF}
2010-01-10 06:36 . 2010-01-10 06:36 -------- d-----w- c:\users\Mary Kate\AppData\Local\{0B3977F2-E717-4456-BD6B-947A79D1F1E8}
2010-01-10 03:34 . 2010-01-10 03:34 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-10 03:33 . 2010-01-10 03:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-10 03:33 . 2010-01-10 03:33 -------- d-----w- c:\users\Mary Kate\AppData\Roaming\SUPERAntiSpyware.com
2010-01-10 03:31 . 2010-01-10 03:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-09 23:53 . 2010-01-09 23:53 -------- d-----w- c:\users\Mary Kate\AppData\Local\{478113E6-71FE-4C2A-AEC3-0AD2E4930CD7}
2010-01-09 21:09 . 2010-01-09 21:09 -------- d-----w- c:\users\Mary Kate\AppData\Local\{9B2F4782-907F-4245-B4EA-2B37CE798041}
2010-01-09 17:38 . 2010-01-09 17:38 -------- d-----w- c:\users\Mary Kate\AppData\Local\{F5FF984D-C90C-488B-B3E8-5FB4C604CA40}
2010-01-09 17:13 . 2010-01-09 17:13 -------- d-----w- c:\users\Mary Kate\AppData\Roaming\Malwarebytes
2010-01-09 17:13 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 17:12 . 2010-01-09 17:12 -------- d-----w- c:\programdata\Malwarebytes
2010-01-09 17:12 . 2010-01-09 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 17:12 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-09 16:20 . 2010-01-09 16:20 -------- d-----w- c:\users\Mary Kate\AppData\Local\{11C626D8-64DD-4B50-BE50-F6A91DD40781}
2010-01-09 16:08 . 2010-01-09 16:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-09 14:39 . 2010-01-09 14:39 -------- d-----w- c:\users\Mary Kate\AppData\Local\{223AC774-2053-4D95-A2BA-19D17C2633F8}
2010-01-08 15:30 . 2010-01-08 15:30 -------- d-----w- c:\users\Mary Kate\AppData\Local\{63F192F2-6498-43DF-B8A6-A4F8D2DE063C}
2010-01-07 22:29 . 2010-01-07 22:29 -------- d-----w- c:\users\Mary Kate\AppData\Local\{2188F2C8-523D-42AB-BA98-DA8275A137E1}
2010-01-07 16:30 . 2010-01-07 22:21 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-07 01:39 . 2010-01-07 01:39 -------- d-----w- c:\users\Mary Kate\AppData\Local\{8B0F77DB-0DB8-4628-9DF8-C434ACC6443F}
2010-01-06 17:43 . 2010-01-06 18:09 -------- d-----w- c:\users\Mary Kate\AppData\Local\ElevatedDiagnostics
2010-01-06 17:38 . 2010-01-06 17:38 -------- d-----w- c:\program files\Microsoft ATS
2010-01-04 04:49 . 2010-01-04 04:49 -------- d-----w- c:\users\Mary Kate\AppData\Local\{17F531F5-BD41-438B-805F-EAD27BE2352D}
2010-01-03 04:16 . 2010-01-12 22:59 0 ----a-w- c:\users\Mary Kate\AppData\Local\Tkuki.bin
2010-01-03 04:16 . 2010-01-11 23:01 120 ----a-w- c:\users\Mary Kate\AppData\Local\Amupova.dat
2010-01-03 01:33 . 2010-01-03 01:33 -------- d-----w- c:\program files\Belkin
2010-01-03 01:32 . 2010-01-09 17:37 -------- d-----w- c:\windows\{D9FAE986-A4C1-4A2D-8B20-60F92F4222AD}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 21:00 . 2009-12-03 02:50 -------- d-----w- c:\program files\Trend Micro
2010-01-19 20:03 . 2007-05-28 01:12 25515 ----a-w- c:\users\Mary Kate\AppData\Roaming\nvModes.dat
2010-01-14 16:12 . 2009-10-02 20:48 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 15:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-11 17:59 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-11 17:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-10 02:46 . 2007-06-04 21:59 -------- d-----w- c:\programdata\Viewpoint
2010-01-09 16:07 . 2007-01-19 01:10 -------- d-----w- c:\program files\Java
2010-01-07 22:31 . 2007-05-27 15:11 92456 ----a-w- c:\users\Mary Kate\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-03 01:34 . 2007-01-19 00:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-20 00:21 . 2009-12-20 00:20 -------- d-----w- c:\users\Mary Kate\AppData\Roaming\GTek
2009-12-19 00:49 . 2008-11-04 03:46 1356 ----a-w- c:\users\Mary Kate\AppData\Local\d3d9caps.dat
2009-12-13 15:18 . 2007-06-04 20:40 20274 ----a-w- c:\users\Mary Kate\AppData\Roaming\wklnhst.dat
2009-12-12 23:30 . 2009-12-12 22:34 -------- d-----w- c:\programdata\Lavasoft
2009-12-12 22:35 . 2009-12-12 22:17 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-12 22:34 . 2009-12-12 22:34 -------- d-----w- c:\program files\Lavasoft
2009-12-11 02:17 . 2009-12-11 02:17 -------- dc----w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-11 01:30 . 2009-12-11 01:30 -------- d-----w- c:\programdata\AVP 2009
2009-12-03 02:34 . 2008-08-28 17:17 -------- d-----w- c:\programdata\avg8
2009-12-02 13:19 . 2009-12-12 23:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-02 13:19 . 2009-12-13 07:34 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-09 13:34 . 2009-12-11 03:12 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:30 . 2009-12-11 03:11 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 11:17 . 2009-12-11 03:11 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-29 07:59 . 2009-12-02 04:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 15:05 . 2009-12-11 02:35 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 15:01 . 2009-12-11 02:35 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-10-27 15:01 . 2009-12-11 02:35 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 14:59 . 2009-12-11 02:35 72704 ----a-w- c:\windows\system32\admparse.dll
2009-10-27 12:27 . 2009-12-11 02:35 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-27 10:56 . 2009-12-11 02:35 48128 ----a-w- c:\windows\system32\mshtmler.dll
2007-06-28 20:43 . 2007-06-28 20:43 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-15 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-01-17 1006264]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-27 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-27 7757824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"KMCONFIG"="c:\program files\Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe [2007-1-18 34520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2007-04-03 13:54 753664 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-06-02 15:13 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-01-19 01:11 77824 ----a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-06-15 23:11 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2009-09-04 17:16 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [12/12/2009 6:30 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Mouse Driver\KMWDSrv.exe [4/5/2007 10:29 AM 208896]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [3/22/2007 6:04 PM 9728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 3:29 AM 29178224]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\System32\drivers\athrusb.sys [1/29/2007 8:56 PM 451072]
S3 rcmirror;rcmirror;c:\windows\System32\drivers\rcmirror.sys [12/14/2007 12:48 PM 5120]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\System32\drivers\TM_CFW.sys [4/20/2007 5:44 PM 307984]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Mary Kate\AppData\Roaming\Mozilla\Firefox\Profiles\8eegdjyd.default\
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\users\Mary Kate\AppData\Local\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\users\Mary Kate\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 16:25
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\rundll32.exe
c:\program files\Mouse Driver\KMConfig.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Mouse Driver\KMProcess.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\lpremove.exe
c:\windows\system32\lpksetup.exe
.
**************************************************************************
.
Completion time: 2010-01-19 16:42:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-19 21:41
ComboFix2.txt 2010-01-14 23:27
ComboFix3.txt 2010-01-14 22:25
ComboFix4.txt 2010-01-13 17:42
ComboFix5.txt 2010-01-19 21:02

Pre-Run: 34,275,840,000 bytes free
Post-Run: 34,208,948,224 bytes free

- - End Of File - - 2190D2E7CF078A1962618EFEA1D5FC2A

Download GMER Rootkit Detector and save it to your desktop.

* Extract it to your desktop and double-click GMER.exe
* Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning in progress!
* When scanning is finished click Copy.
* This copies the log to clipboard
* Post the log in your reply.

Hi, I tried doing the GMER rootkit scan twice. Both times I got the crash dump blue screen after more than an hour. It said: page_fault_nonpage_area

That's about the third time that has happened. I'll have to check what's wrong with the program. I'll be back.

OK, thank you.

Try running this before the GMER rootkit scan to see if it makes any difference. BTW, I tried GMER on my computer. It ran OK but I stopped it in mid-scan. When I tried to save the log, it froze my computer.

Download DeFogger by jpshortstuff and save it to your desktop.

* Double click DeFogger.exe to run the tool.
* The application window will appear.
* Click the Disable button to disable your CD Emulation drivers
* Click Yes to continue.
* A 'Finished!' message will appear.
* Click OK.
* DeFogger will now ask to reboot the machine...click OK.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

To re-enable your Emulation drivers, double click DeFogger to run the tool.

* The application window will appear.
* Click the Re-enable button to re-enable your CD Emulation drivers.
* Click Yes to continue.
* A 'Finished!' message will appear.
* Click OK
* DeFogger will now ask to reboot the machine, click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Sadly, that did not work. I followed the DeFogger steps, but when I ran GMER, I got the blue screen again.
Page_fault_in_nonpaged_area
0x00000050 (0x8C800000B, 0x00000000, 0x9583oF60, 0x00000000)
Thanks

Ok. Follow the directions to re-enable your emulation drivers as described in the previous post. I'll check this out further and be back when I have more information.

OK!

How is your computer working now? Any redirects?

I've been on the internet pretty frequently over the last couple of days and have not stumbled across any redirects, which is great. I've also noticed a couple of other minor problems I was having have disappeared.

Ok. If there are no other issues we'll do some clean-up. You can uninstall HJT, delete DeFogger, GMER Rootkit Detector and ESET. You can keep SAS and MBAM. Update them and run them about once a week depending on your internet activity.
-----------------------------------------------------------------------------------------------------------------------
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
  * Delete ComboFix and its associated files and folders.
  * Reset the clock settings.
  * Hide file extensions, if required.
  * Hide System/Hidden files, if required.
  * Set a new, clean Restore Point.
-------------------------------------------------------------------------------------------------
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
----------------------------------------------------------------------------------------------------------
Use the Secunia Software Inspector to check for out of date software.

* Click Start Now
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
Safe Surfing!

OK, thanks a lot for all of your help!!