[Fixed] Hijackthis! Logs - Bot found on computer (PC Help Forum, Security & Safety)
08-14-2009   #1
Bernadine (Bronze Member)
Join Date: Aug 2009
Location: Portland, Oregon
Posts: 96
PC Experience: Need answers in plain English
Bot found on computer

I'm not sure if I'm in the right forum, but here goes. I'm trying to keep my computer safe and am following suggestions and instructions as best I can from the Windows Secrets newsletter, but much of the time I'm in over my head and not at all sure what I'm doing.

RUBotted said it may have found a Bot (and I'm not really sure what that is, but their description doesn't sound good):

8/12/2009 23:42:20 Detected DNS query of malicious domain

When I clicked on the RUBotted link it took me to the Trend Micro RUBotted website. Then I couldn't get anything to work: the check computer just kept cycling through with little red boxes going back and forth for more than an hour.

Is there a way to find out what this Bot is and to get rid of it?

Thanks,

Bernadine
08-14-2009   #2
Crush (Tech Support Team)
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,593
PC Experience: Always Learning New Things
Re: Bot found on computer

Bernadine,

Let's run through the steps in Prework, located in my signature. This will guide you through the tried and tested method for Malware Removal here at PCHF. Once you have completed the steps, please post back with the resulting logs and we'll go from there. If you are indeed infected, this will tell us.
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this

09-03-2009   #3
Bernadine (Bronze Member)
Join Date: Aug 2009
Location: Portland, Oregon
Posts: 96
PC Experience: Need answers in plain English
Re: Bot found on computer

Hi Crush,

First thanks for your reply. I finally had the time and courage to do this.

First, when I disabled the System Restore, besides preventing reinfection, what else will it do/not do?

I downloaded and did a full scan with Malwarebytes; there were no infections or malicious items found.

I downloaded and ran HijackThis, with the following results. (I looked through all of the below and didn't see anything that looked like a username or other information, but I'm not sure; could you please check?)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:37 PM, on 9/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\V3CallCenter\V3faxecp.exe
C:\Program Files\WordPerfect Office 12\Programs\alarm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Games\Free Cell\Fcpro6.exe
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R3 - URLSearchHook: (no name) - *{BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=031109 serial=WP12WEX-0006422-RDN
O4 - HKLM\..\Run: [HP Update 4300C] C:\PROGRA~1\sj657\hpupdate.exe 4300C
O4 - HKLM\..\Run: [fontnav] "D:\Program Files\Corel\Shared\WordPerfect Office 2000\Font Navigator\FontNav.exe" *1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pareto_Update] C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: CallCenter Printer Interface.lnk = C:\Program Files\V3CallCenter\V3faxecp.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\WordPerfect Office 12\Programs\alarm.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: LastPass - file://C:\Program Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files\LastPass\context.html?cmd=fillforms
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1229028826503
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5458B69-2D3B-44B1-871C-3982AC969B3A}: NameServer = 64.136.173.5 64.136.164.77
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe

--
End of file - 8127 bytes

Will either of these new programs be incompatible with AVG Virus Scan, Comodo Firewall or Trend Micro RUBotted, which started this whole thing?

Finding things back here is confusing, so how will I know when I get an answer? And of course you'll send that answer to the same place that I may not be able to find. I always feel like I'm running around in mad circles when I try to do anything on a computer.

Thanks,

Bernadine
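The log above is in the standard HijackThis line format: each entry starts with a section code (R0, R3, O2, O4, O17, O20, O23 and so on) telling you which part of the system it describes. Helpers read such logs by section, and two of the quickest things to look for are entries whose file is gone ("(no file)", like the two R3 hooks above) and settings that decide where the machine's traffic goes (the O17 NameServer line, relevant here because the original RUBotted alert was about a DNS query). The following Python reader is an added example, not part of this thread or of the HijackThis tool; it parses lines in that format, labels each section, and returns the entries a reviewer would want to ask about. The sample log embedded in it is constructed from a handful of lines copied from the log posted above, and the heuristics are review prompts, not verdicts (the O20 entry here belongs to COMODO, for instance).

```python
import re
from dataclasses import dataclass, field

# Standard HijackThis section prefixes and what each describes.
SECTION_MEANING = {
    "R0": "IE start/search page values",
    "R1": "IE registry values created by a program",
    "R3": "URLSearchHook (rewrites address-bar searches)",
    "O2": "Browser Helper Object (BHO)",
    "O3": "IE toolbar",
    "O4": "autostart: Run/RunOnce keys and Startup folders",
    "O8": "extra IE context-menu item",
    "O9": "extra IE button / Tools menu item",
    "O16": "Downloaded Program File (ActiveX control)",
    "O17": "TCP/IP domain and NameServer settings",
    "O18": "extra protocol handler",
    "O20": "AppInit_DLLs / Winlogon Notify entries",
    "O23": "Windows service",
}

# Constructed sample: a few lines copied from the log posted in this thread,
# so the script runs offline without a real scan.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:37 PM, on 9/3/2009

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R3 - URLSearchHook: (no name) - *{BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5458B69-2D3B-44B1-871C-3982AC969B3A}: NameServer = 64.136.173.5 64.136.164.77
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
"""

# An entry line is "<code> - <rest>"; header and "Running processes" lines do not match.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)

    @property
    def meaning(self):
        return SECTION_MEANING.get(self.section, "other")


def parse_hjt(text):
    """Return one Entry per section line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def heuristics(entry):
    """Review questions a helper would raise for this entry; empty means nothing to ask."""
    flags = []
    if "(no file)" in entry.body:
        flags.append("orphaned entry: the referenced file no longer exists")
    if entry.section == "O17" and "NameServer" in entry.body:
        ips = IPV4_RE.findall(entry.body)
        flags.append("DNS servers " + ", ".join(ips) + ": confirm they are your ISP's or router's")
    if entry.section == "O20":
        flags.append("loads into every process or at logon: verify the DLL's publisher")
    return flags


def review(text):
    """Parse a log and return only the entries that tripped a heuristic."""
    flagged = []
    for e in parse_hjt(text):
        e.flags = heuristics(e)
        if e.flags:
            flagged.append(e)
    return flagged


def count_by_section(text):
    """How many entries of each section code the log contains."""
    counts = {}
    for e in parse_hjt(text):
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(f"{e.section:<4} {e.meaning}")
    print()
    for e in review(SAMPLE_LOG):
        print(e.section, e.body[:60], "->", "; ".join(e.flags))
```

Paste a full log into `SAMPLE_LOG` (or read one from a file) and `review()` gives the short list worth asking a helper about, while `count_by_section()` shows at a glance how many autostarts, toolbars and services the machine carries.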
09-04-2009   #4
Crush (Tech Support Team)
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,593
PC Experience: Always Learning New Things
Re: Bot found on computer

Bernadine,

Welcome back!

> First, when I disabled the System Restore, besides preventing reinfection, what else will it do/not do?

Disabling System Restore allows for a quick way to clear out all the system restore points, infected or otherwise.

The drawback is, we then don't have anything to go back to should the machine "go south" from here.

Rest assured, we won't ever have that problem, nor the need to revert, if you're dealing with a Tech here at PCHF.

> I downloaded and did a full scan with the Malwarebytes, there were no infections or malicious items found.

Could I see the log please?

> I downloaded and ran HijackThis, with the following results: (I looked through all below and didn't see anything that looked like a username or other information, but I'm not sure, could you please check?)

It doesn't look like you have anything personally identifying you in the log; you're all good.

> Will either of these new programs be incompatible with AVG Virus Scan, Comodo Firewall or Trend Micro RUBotted, which started this whole thing?

Nope, and we can uninstall any that you don't want after the disinfection is complete. I recommend keeping Malwarebytes as it is a fabulous program.

> Finding things back here is confusing, so how will I know when I get an answer? And of course you'll send that answer to the same place that I may not be able to find. I always feel like I'm running around in mad circles when I try to do anything on a computer.

Hehe so I guess taking apart and putting back together the PC is out of the question huh?

It's really easy to keep track of your threads. If you haven't changed any of your settings in your User Control Panel, you will be notified via e-mail when I make a reply to the thread. The link supplied to you in the e-mail will take you directly to this thread.

Now, on to further fixes:

I see some issues in your HijackThis log but, we'll deal with those at the end.

Let's just make sure nothing is hiding. If you have any more questions or issues pertaining to anything, or specifically when running through the below fixes please stop and ask.

First. This will show me more of your files.

Please download DDS and save it to your desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
or here:
http://www.forospyware.com/sUBs/dds

Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs
DDS.txt
Attach.txt

Save both reports to your desktop.
========================

Next, please go HERE to run Panda ActiveScan 2.0
  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
Copy/Paste the contents of 'DDS.txt' and ActiveScan.txt in your next reply.

These other two logs ...
* attach.txt
* ark.txt
... should be zipped/archived before attaching to the reply as well
09-04-2009   #5
Bernadine (Bronze Member)
Join Date: Aug 2009
Location: Portland, Oregon
Posts: 96
PC Experience: Need answers in plain English
Re: Bot found on computer

Hi Crush,

Here are the results of the Malwarebytes scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2736
Windows 5.1.2600 Service Pack 3

9/3/2009 1:48:59 PM
mbam-log-2009-09-03 (13-48-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 150349
Time elapsed: 1 hour(s), 18 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I will have to do the rest of the items you listed when I'm not so tired, and my head isn't spinning after dealing with the computer today. Even though your directions are clear, I have to think hard about what I'm doing.

"Hehe so I guess taking apart and putting back together the PC is out of the question huh? " Yes go ahead and laugh! And actually, with good directions, considerable amounts of encouragement and courage, and lots of time to rest in between, I think I could take a computer apart and put it back together. But I'd rather not!

Oh, and I'm so glad a reply was emailed so I could find this back again. It took me quite a while to find it for my first reply (problem developed while learning new email)

Hehe from me too,

Bernadine
09-04-2009   #6
Crush (Tech Support Team)
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,593
PC Experience: Always Learning New Things
Re: Bot found on computer

Bernadine,

> I will have to do the rest of the items you listed when I'm not so tired, and my head isn't spinning after dealing with the computer today. Even though your directions are clear, I have to think hard about what I'm doing.

No problem. We'll still be here. So far, everything looks fine.


> "Hehe so I guess taking apart and putting back together the PC is out of the question huh?" Yes go ahead and laugh! And actually, with good directions, considerable amounts of encouragement and courage, and lots of time to rest in between, I think I could take a computer apart and put it back together. But I'd rather not!

Let's prep the patient for surgery doctor!!

I look forward to your next reply. We'll get this vanquished
09-19-2009   #7
Bernadine (Bronze Member)
Join Date: Aug 2009
Location: Portland, Oregon
Posts: 96
PC Experience: Need answers in plain English
Re: Bot found on computer

Hi Crush,

I'm back finally and I think I've almost completed your instructions. I have attached the scans; however, I think I have missed one, maybe. The ark.txt I think I've missed. If I have, could you please direct me to it and I will do that, because now I have gotten lost in all the instructions. It's not the instructions, they have been clear; I just couldn't do all of it at once and basically couldn't find my way back to where I left off.

Not quite so as before, thanks,

Bernadine
Attached Files
File Type: zip attach.zip (1.8 KB, 1 views)
File Type: txt ActiveScan.txt (3.4 KB, 2 views)
File Type: txt DDS.txt (16.2 KB, 2 views)