Question

How do I remove several dangerous system 32 dll files

Asked by: plaidie

I had Verizon and Hewlett Packard helping me because of disconnections from the internet, settings changing by themselves, modem light turning red.  Verizon finally came in and said it was viruses due to using Limewire.  I had Norton security and Spysweep for spyware.  Windows Defender never found anything and neither did Norton.  I now hav Trend Micro which I purchased and RemoveitPro which found the viruses finally.  I used to be able to remove them but now I can't.


Asked on: 2009-10-11 at 05:37:45 (ID 24802674)
Topics: HijackThis Software, Windows Registry Cleaners, Windows Network Security

Participating experts: 2
Points: 500
Comments: 29


Answers

 

by: Admin3k | Posted on 2009-10-11 at 05:41:34 | ID: 25545727

First off, try running full antivirus scans in safe mode; usually this technique will help your antivirus do a better job, as the malware is usually inactive in safe mode.

If the problem persists, we may need to take a look at a HijackThis log.

 

by: rpggamergirl | Posted on 2009-10-11 at 06:01:05 | ID: 25545766

Also try scanning with MalwareBytes and ComboFix and show us the logfiles.
If the tool won't run at first go, redownload and rename the file before saving to your desktop.

Download Malwarebytes' Anti-Malware to your desktop, check for the tool's updates before running a scan.
http://www.malwarebytes.org/mbam.php

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

by: plaidie | Posted on 2009-10-11 at 09:01:55 | ID: 25546340

I have done as you suggested and nothing is found.  The combofix deleted some files but then I am disconnecting again and RemoveitPro still says I have the same infected files.  I am going to try to send the logs but this is something I don't do all the time so please note that I am knowledgeable in lots of areas but not in others so please advise.

Thanks for your time.

Margaret Avila

Attachment: ComboFix.txt (22 KB)

I don't really know how to read these files but I know some were deleted and quarantined but things are the same.

 

by: rpggamergirl | Posted on 2009-10-12 at 02:24:00 | ID: 25549585

I had a quick look at the CF log, haven't thoroughly checked it.
Did RemoveItPro give you a log of the bad system32 dll files that you're talking about?

Note also that you only need one anti-malware program with real-time protection.

 

by: plaidie | Posted on 2009-10-13 at 05:15:51 | ID: 25559094

I had e-mailed them and they requested sending the file but when I went in there is a file but it's not in Notepad and Notepad is blank. The reason I used other programs is to see if they could show anything. Why do all the others show nothing? I used ComboFix as directed by your experts, HijackThis but don't understand the files, Malwarebytes which showed nothing, and the Microsoft malicious software tool which shows nothing. I had Norton security but the phishing filter kept turning off when I turned it on, so I put back Trend Micro that I had purchased previously, and it blocks everything. It does find things but I don't think they are related to this problem. I do have HijackThis files and am going to scan again with RemoveitPro and see what I can do about sending that file. I am pretty good with the computer but understanding all these files is not one of my specialties.

The computer is running a lot better and pages are opening the way they should.  My security settings are good, but I am still disconnecting from the internet now and again.  When I went on this morning, the internet light was green but I couldn't get any connection so I reset the modem and then it was fine. Verizon says unless the DSL light goes out nothing is wrong on their end.

 

by: plaidie | Posted on 2009-10-16 at 13:24:17 | ID: 25593026

I am still having problems getting booted off the computer and the infections are still there. I have been dealing with the owner of Incode Solutions who sells RemoveItPro. He has treated me like I am a dummy because the program would not allow me to send him a saved log file. Today I finally narrowed it down to my protection not allowing things to happen. I still cannot fix all but it's getting down. I am going to send a HijackThis log file that I just did. I see some files that have shown up on the latest scan but am afraid to do anything. The HijackThis log doesn't tell you enough information. Here goes nothing.

Margaret Avila (plaidie50@aol.com)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:06 PM, on 10/16/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVGLS\avgtray.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOL Radio Toolbar Search Class - {69224684-5682-419b-9fe4-ef7946ee3319} - C:\Program Files\AOL Radio Toolbar\aolradiotb.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVGLS\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Radio Toolbar Loader - {2abdb2f7-4cbf-4939-ba12-fddc827b6a2d} - C:\Program Files\AOL Radio Toolbar\aolradiotb.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVGLS\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVGLS\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: AOL Radio Toolbar - {9167da98-6f9b-46f1-991d-826cae46cab6} - C:\Program Files\AOL Radio Toolbar\aolradiotb.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVGLS\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] "RtHDVCpl.exe"
O4 - HKLM\..\Run: [hpsysdrv] "c:\hp\support\hpsysdrv.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVGLS\avgtray.exe
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKLM\..\RunOnce: [C:\WINDOWS\System32\DriverStore\FileRepository\hpkiwiz.inf_1f3ba0ef\UCI32M27.dll] cmd.exe /c RD /S /Q "C:\WINDOWS\System32\DriverStore\FileRepository\hpkiwiz.inf_1f3ba0ef\UCI32M27.dll"
O4 - HKLM\..\RunOnce: [C:\WINDOWS\System32\DriverStore\FileRepository\trx200cz.inf_ec277200\UCI32M27.dll] cmd.exe /c RD /S /Q "C:\WINDOWS\System32\DriverStore\FileRepository\trx200cz.inf_ec277200\UCI32M27.dll"
O4 - HKLM\..\RunOnce: [C:\WINDOWS\winsxs\x86_microsoft-windows-a..upgrade-homepremium_31bf3856ad364e35_6.0.6001.18000_none_7637afe14cd3733b\WindowsAnytimeUpgradeCPL.dll] cmd.exe /c RD /S /Q "C:\WINDOWS\winsxs\x86_microsoft-windows-a..upgrade-homepremium_31bf3856ad364e35_6.0.6001.18000_none_7637afe14cd3733b\WindowsAnytimeUpgradeCPL.dll"
O4 - HKLM\..\RunOnce: [C:\WINDOWS\winsxs\x86_microsoft-windows-i..-setieinstalleddate_31bf3856ad364e35_8.0.6001.18702_none_eb622404d6d4cb81\SetIEInstalledDate.exe] cmd.exe /c RD /S /Q "C:\WINDOWS\winsxs\x86_microsoft-windows-i..-setieinstalleddate_31bf3856ad364e35_8.0.6001.18702_none_eb622404d6d4cb81\SetIEInstalledDate.exe"
O4 - HKLM\..\RunOnce: [C:\WINDOWS\winsxs\x86_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_8.0.6001.18702_none_0ad3f877399acafc\RegisterIEPKEYs.exe] cmd.exe /c RD /S /Q "C:\WINDOWS\winsxs\x86_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_8.0.6001.18702_none_0ad3f877399acafc\RegisterIEPKEYs.exe"
O4 - HKLM\..\RunOnce: [C:\WINDOWS\winsxs\x86_microsoft-windows-ie-gc-setdepnx_31bf3856ad364e35_8.0.6001.18702_none_9396116207a33bbc\SetDepNx.exe] cmd.exe /c RD /S /Q "C:\WINDOWS\winsxs\x86_microsoft-windows-ie-gc-setdepnx_31bf3856ad364e35_8.0.6001.18702_none_9396116207a33bbc\SetDepNx.exe"
O4 - HKLM\..\RunOnce: [C:\WINDOWS\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.18813_none_fe736e6ecfcf28ff\iesysprep.dll] cmd.exe /c RD /S /Q "C:\WINDOWS\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.18813_none_fe736e6ecfcf28ff\iesysprep.dll"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [HPAdvisor] "C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" autorun=AUTORUN
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVGLS\avgpp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG LinkScanner® WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVGLS\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11641 bytes

 

by: rpggamergirl | Posted on 2009-10-17 at 04:04:30 | ID: 25595604

How many anti-malware programs do you have installed and running there? You only need one with real-time protection; having more than one with real-time protection will just conflict with each other. So just have one and uninstall the others.

IObit Security 360
AVG Anti-spyware?
Windows Defender
SpySweeper
MalwareBytes (I assume just an on-demand scanner)

I'm not really keen on RemoveItPro, it used to be listed in the rogue/suspect scanners, nor am I keen on IObit products.

Can you scan again with RemoveItPro and take a screenshot of the result and attach it here to show us please. I'm curious what file it is flagging and where it is located.

Another thing you can do is an online scan with Kaspersky and see if it detects it; you would need to save the log because Kaspersky doesn't remove any threats that it finds.

http://www.kaspersky.com/virusscanner

 

by: plaidie | Posted on 2009-10-17 at 08:30:50 | ID: 25596149

Most of these are gone--I guess some of the files are still showing up. I did a Kaspersky scan with a 30 day trial and I do have the RemoveItPro report. It seems that every time it changes. I also have a saved log from Iobit Advanced Security. I will send the most important one now.

RemoveIT Pro v7 Enterprise (Build date: 27.6.2009) log.
Generated at: 10/17/2009 on 11:02:54 AM
Microsoft Windows Vista Home Edition Service Pack 1 (Build 6001)

11:02:54 AM: Scanning, please wait...
11:05:10 AM: Infected file (Sys32.iesysprep) C:\Windows\system32\iesysprep.dll -> No action taken.
11:05:41 AM: Infected file (Sys32.registeriepkeys) C:\Windows\system32\registeriepkeys.exe -> No action taken.
11:05:44 AM: Infected file (Sys32.setdepnx) C:\Windows\system32\setdepnx.exe -> No action taken.
11:05:44 AM: Infected file (Sys32.setieinstalleddate) C:\Windows\system32\setieinstalleddate.exe -> No action taken.
11:06:00 AM: Infected file (Sys32.windowsanytimeupgradecpl) C:\Windows\system32\windowsanytimeupgradecpl.dll -> No action taken.
11:06:41 AM: 5 Dangerous files has been found on your computer.
Click on "Fix" button to fix selected tasks.
11:13:21 AM: Scanning, please wait...
11:14:14 AM: Infected file (Sys32.registeriepkeys) C:\Program Files\InCode Solutions\RemoveIT Pro v7 Enterprise\Quarantine\RegisterIEPKEYs.exe -> No action taken.
11:14:14 AM: Infected file (Sys32.setdepnx) C:\Program Files\InCode Solutions\RemoveIT Pro v7 Enterprise\Quarantine\SetDepNx.exe -> No action taken.
11:14:14 AM: Infected file (Sys32.setieinstalleddate) C:\Program Files\InCode Solutions\RemoveIT Pro v7 Enterprise\Quarantine\SetIEInstalledDate.exe -> No action taken.
11:14:14 AM: Infected file (Sys32.windowsanytimeupgradecpl) C:\Program Files\InCode Solutions\RemoveIT Pro v7 Enterprise\Quarantine\WindowsAnytimeUpgradeCPL.dll -> No action taken.
11:17:15 AM: Infected file (Sys32.windowsanytimeupgradecpl) C:\WINDOWS\winsxs\x86_microsoft-windows-a..upgrade-homepremium_31bf3856ad364e35_6.0.6001.18000_none_7637afe14cd3733b\WindowsAnytimeUpgradeCPL.dll -> No action taken.
11:17:23 AM: Infected file (Sys32.setieinstalleddate) C:\WINDOWS\winsxs\x86_microsoft-windows-i..-setieinstalleddate_31bf3856ad364e35_8.0.6001.18702_none_eb622404d6d4cb81\SetIEInstalledDate.exe -> No action taken.
11:17:25 AM: Infected file (Sys32.registeriepkeys) C:\WINDOWS\winsxs\x86_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_8.0.6001.18702_none_0ad3f877399acafc\RegisterIEPKEYs.exe -> No action taken.
11:17:25 AM: Infected file (Sys32.setdepnx) C:\WINDOWS\winsxs\x86_microsoft-windows-ie-gc-setdepnx_31bf3856ad364e35_8.0.6001.18702_none_9396116207a33bbc\SetDepNx.exe -> No action taken.
11:17:26 AM: Infected file (Sys32.iesysprep) C:\WINDOWS\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.18828_none_fe6d9ff4cfd2c3a3\iesysprep.dll -> No action taken.
11:18:26 AM: 14 Dangerous files has been found on your computer.
Click on "Fix" button to fix selected tasks.
Finished...
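Added example (my own code, not from this thread or from either tool's vendor): a Python script that parses the RemoveIT Pro "Infected file" lines and the HijackThis O4 entries quoted above, groups the detections by file name, and reports for each name where its copies live (system32, winsxs, quarantine), which winsxs component versions the scanner saw, and which winsxs copy an HKLM RunOnce "RD /S /Q" command is already scheduled to delete. The regexes and the reading of winsxs directory names as arch_name_token_version_culture_hash are my assumptions about the two formats; the sample input is a constructed subset of the logs posted in this thread.

```python
"""Correlate RemoveIT Pro 'Infected file' lines with HijackThis O4 autorun entries
(the two log formats posted in this thread) and group the results by file name."""
import re
from collections import defaultdict

REMOVEIT_RE = re.compile(
    r"^\d{1,2}:\d{2}:\d{2} [AP]M: Infected file \((?P<sig>[^)]+)\) "
    r"(?P<path>.+?) -> (?P<action>.+?)\.?$"
)
HJT_O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$"
)
# Quoted target of an "RD /S /Q" (recursive delete) command inside a RunOnce entry.
RD_TARGET_RE = re.compile(r'\bRD /S /Q "(?P<target>[^"]+)"', re.IGNORECASE)
# winsxs component directory name: arch_name_publickeytoken_version_culture_hash
WINSXS_RE = re.compile(
    r"\\winsxs\\[^_\\]+_(?P<name>[^\\]+?)_[0-9a-f]{16}_(?P<version>\d+(?:\.\d+){3})_",
    re.IGNORECASE,
)

# Constructed sample input: a subset of the lines posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [C:\WINDOWS\winsxs\x86_microsoft-windows-ie-gc-setdepnx_31bf3856ad364e35_8.0.6001.18702_none_9396116207a33bbc\SetDepNx.exe] cmd.exe /c RD /S /Q "C:\WINDOWS\winsxs\x86_microsoft-windows-ie-gc-setdepnx_31bf3856ad364e35_8.0.6001.18702_none_9396116207a33bbc\SetDepNx.exe"
O4 - HKLM\..\RunOnce: [C:\WINDOWS\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.18813_none_fe736e6ecfcf28ff\iesysprep.dll] cmd.exe /c RD /S /Q "C:\WINDOWS\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.18813_none_fe736e6ecfcf28ff\iesysprep.dll"
"""
REMOVEIT_SAMPLE = r"""
11:05:10 AM: Infected file (Sys32.iesysprep) C:\Windows\system32\iesysprep.dll -> No action taken.
11:05:44 AM: Infected file (Sys32.setdepnx) C:\Windows\system32\setdepnx.exe -> No action taken.
11:14:14 AM: Infected file (Sys32.setdepnx) C:\Program Files\InCode Solutions\RemoveIT Pro v7 Enterprise\Quarantine\SetDepNx.exe -> No action taken.
11:17:25 AM: Infected file (Sys32.setdepnx) C:\WINDOWS\winsxs\x86_microsoft-windows-ie-gc-setdepnx_31bf3856ad364e35_8.0.6001.18702_none_9396116207a33bbc\SetDepNx.exe -> No action taken.
11:17:26 AM: Infected file (Sys32.iesysprep) C:\WINDOWS\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.18828_none_fe6d9ff4cfd2c3a3\iesysprep.dll -> No action taken.
11:18:26 AM: 14 Dangerous files has been found on your computer.
"""

def classify_location(path):
    """Bucket a path by where on disk the copy lives."""
    p = path.lower()
    if "\\winsxs\\" in p:
        return "winsxs"
    if "\\system32\\" in p:
        return "system32"
    if "\\quarantine\\" in p:
        return "quarantine"
    return "other"

def winsxs_version(path):
    """Version encoded in the winsxs component directory name, or None."""
    m = WINSXS_RE.search(path)
    return m.group("version") if m else None

def parse_removeit(text):
    """One dict per 'Infected file' line; the 'N Dangerous files' summaries are skipped."""
    out = []
    for line in text.splitlines():
        m = REMOVEIT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["basename"] = d["path"].rsplit("\\", 1)[-1].lower()
            out.append(d)
    return out

def parse_hjt_o4(text):
    """Parse HijackThis O4 lines, pulling out any RD /S /Q delete target."""
    out = []
    for line in text.splitlines():
        m = HJT_O4_RE.match(line.strip())
        if m:
            d = m.groupdict()
            t = RD_TARGET_RE.search(d["cmd"])
            d["rd_target"] = t.group("target") if t else None
            out.append(d)
    return out

def correlate(removeit_text, hjt_text):
    """Per flagged file name: signatures, copies by location, winsxs versions the scanner
    saw, and winsxs versions that a RunOnce cleanup command is already scheduled to delete."""
    report = defaultdict(lambda: {"signatures": set(), "locations": defaultdict(list),
                                  "detected_winsxs_versions": set(),
                                  "runonce_cleanup_versions": set()})
    for d in parse_removeit(removeit_text):
        e = report[d["basename"]]
        e["signatures"].add(d["sig"])
        e["locations"][classify_location(d["path"])].append(d["path"])
        if winsxs_version(d["path"]):
            e["detected_winsxs_versions"].add(winsxs_version(d["path"]))
    for o4 in parse_hjt_o4(hjt_text):
        if o4["key"].lower() == "runonce" and o4["rd_target"]:
            base = o4["rd_target"].rsplit("\\", 1)[-1].lower()
            if base in report:  # only names the scanner also flagged
                v = winsxs_version(o4["rd_target"]) or "(not in winsxs)"
                report[base]["runonce_cleanup_versions"].add(v)
    return dict(report)

if __name__ == "__main__":
    for name, e in sorted(correlate(REMOVEIT_SAMPLE, HJT_SAMPLE).items()):
        print(name, "copies in", sorted(e["locations"]), "| scanner saw winsxs versions",
              sorted(e["detected_winsxs_versions"]), "| RunOnce cleanup targets versions",
              sorted(e["runonce_cleanup_versions"]))
```

Run it on the full logs by pasting them into the two sample strings. It only maps where the copies are and what is already queued for deletion; whether a flagged system32 file is actually malicious is a separate check (a digital-signature check with sigcheck or Get-AuthenticodeSignature and a comparison against the winsxs copy) that belongs before anything is deleted.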

 

by: plaidie | Posted on 2009-10-17 at 08:34:03 | ID: 25596157

Here's the one from Kaspersky. As far as I could tell there were vulnerabilities, but no detections of infections.

Date: Today (events: 18)
My Update Center (events: 2)
10/17/2009 9:32:00 AM  Task started  Kaspersky Anti-Virus  My Update Center
10/17/2009 9:38:53 AM  Task completed  Kaspersky Anti-Virus  My Update Center
Objects Scan (events: 4)
10/17/2009 10:11:29 AM  Task started  Kaspersky Anti-Virus  Rootkit Scan
10/17/2009 9:57:08 AM  Task started  Kaspersky Anti-Virus  Full Scan
10/17/2009 10:19:38 AM  Task completed  Kaspersky Anti-Virus  Full Scan
10/17/2009 10:12:18 AM  Task completed  Kaspersky Anti-Virus  Rootkit Scan
IM Anti-Virus (events: 2)
10/17/2009 9:41:17 AM  Task started  Kaspersky Anti-Virus  IM Anti-Virus
10/17/2009 9:31:14 AM  Task started  Kaspersky Anti-Virus  IM Anti-Virus
Proactive Defense (events: 2)
10/17/2009 9:41:17 AM  Task started  Kaspersky Anti-Virus  Proactive Defense
10/17/2009 9:31:31 AM  Task started  Kaspersky Anti-Virus  Proactive Defense
Web Anti-Virus (events: 2)
10/17/2009 9:41:17 AM  Task started  Kaspersky Anti-Virus  Web Anti-Virus
10/17/2009 9:31:31 AM  Task started  Kaspersky Anti-Virus  Web Anti-Virus
Mail Anti-Virus (events: 2)
10/17/2009 9:41:17 AM  Task started  Kaspersky Anti-Virus  Mail Anti-Virus
10/17/2009 9:31:31 AM  Task started  Kaspersky Anti-Virus  Mail Anti-Virus
File Anti-Virus (events: 2)
10/17/2009 9:41:17 AM  Task started  Kaspersky Anti-Virus  File Anti-Virus
10/17/2009 9:31:14 AM  Task started  Kaspersky Anti-Virus  File Anti-Virus
My Protection (events: 2)
10/17/2009 9:39:54 AM  Protection is not running  Kaspersky Anti-Virus
10/17/2009 9:31:14 AM  Databases are obsolete  Kaspersky Anti-Virus

 

by: plaidie | Posted on 2009-10-17 at 08:35:42 | ID: 25596162

This is the Iobit report.

Logfile of IObit HijackScan v0.2.0.0
Scan saved at 9:23:12, on 2009-10-17

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe
C:\WINDOWS\explorer.exe
C:\Windows\system32\taskeng.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: AOL Radio Toolbar - {9167da98-6f9b-46f1-991d-826cae46cab6} - C:\Program Files\AOL Radio Toolbar\aolradiotb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\: [HPAdvisor] "C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" autorun=AUTORUN
O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [RtHDVCpl] "RtHDVCpl.exe"
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [hpsysdrv] "c:\hp\support\hpsysdrv.exe"
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} -
O9 - Extra button: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} -
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.6.0_16 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}Java Plug-in 1.6.0_01 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}Java Plug-in 1.6.0_16 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}Java Plug-in 1.6.0_16 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DCOM Server Process Launcher - Unknown -
O23 - Service: Diagnostic Policy Service - Unknown -
O23 - Service: Windows Media Center Service Launcher - Unknown - %windir%\system32\svchost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Group Policy Client - Unknown -
O23 - Service: Google Software Updater - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Windows CardSpace - Unknown - %systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Net.Tcp Port Sharing Service - Unknown - %systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Quality Windows Audio Video Experience - Unknown - %windir%\system32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) - Unknown -
O23 - Service: Security Accounts Manager - Unknown -
O23 - Service: Secondary Logon - Unknown - %windir%\system32\svchost.exe
O23 - Service: Distributed Link Tracking Client - Unknown -
O23 - Service: Windows Modules Installer - Unknown -
O23 - Service: Diagnostic Service Host - Unknown -
O23 - Service: Diagnostic System Host - Unknown -
O23 - Service: Windows Media Player Network Sharing Service - Unknown - %ProgramFiles%\Windows Media Player\wmpnetwk.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

 

by: rpggamergirl | Posted on 2009-10-17 at 16:22:29 | ID: 25598005

RemoveItPro is more trouble than it's worth.
Those files it flagged as infected are all legit files... but let's assume RemoveItPro is right and those files are patched; then why didn't Kaspersky detect them?

You can also have those files scanned online at http://virusscan.jotti.org/

RemoveItPro used to be listed as a rogue product and I'll say it's still not a reliable scanner today.

If it was me, I would uninstall it and also IObit Security 360.

 

by: plaidie | Posted on 2009-10-18 at 14:22:42 | ID: 25601486

I did remove IObit Security 360 but Verizon said I had viruses and that is why I keep getting disconnected from the internet.  I cannot seem to solve that problem.  What is Random X?  I sent the log to the owner of RemoveItPro and haven't heard from him after paying fifteen dollars for it.  That's okay because I filed a complaint against him.  I used to always use the free one and it always removed things, but once I got Vista I could never download it again until recently.  My modem line was tested four times and there was no problem but it's very frustrating to be doing something important and suddenly lose everything.  Please let me know what you think.  I can't seem to be able to send the log to be scanned.  Don't know what I am doing wrong.

Thanks for your time,
***Email removed by rpggamergirl, Zone Advisor***

 

by: rpggamergirl | Posted on 2009-10-19 at 06:09:08 | ID: 25604792

I think those files that RemoveItPro flagged as infected are just false positives if Kaspersky didn't flag them.

Let's try uninstalling some unnecessary programs. If you have the anti-spyware turned on in your TrendMicro Internet Security, then uninstall Spysweeper, AVG, Windows Defender and also RemoveItPro.

You did not need to buy RemoveItPro if TrendMicro is already providing you with anti-malware protection, and even if it wasn't, there are far more reliable anti-malware programs out there.

The disconnection problem isn't necessarily caused by viruses, but we can still run other scanners, rootkit scanners (free ones) like Gmer or Rootkit Revealer or RootRepeal.

First remove some programs that aren't necessary; the problem could be due to hardware/software conflicts.

You might also try this online scanner; if it finds any viruses it will remove them.
http://www.pandasecurity.com/homeusers/solutions/activescan/

 

by: plaidie | Posted on 2009-10-20 at 08:03:46 | ID: 25614896

Good Morning,

I thought things were better but it just happened again.  Let me clarify that I did not have all those programs on my computer until I saw that report from RemoveItPro and figured that the protection I did have was useless.  I did a system recovery last night so all the extra stuff is gone.  Doing that gave me back my Norton Security 60 day trial.  The only thing with that was the phishing filter kept getting turned off by itself.  I am going to run the filter through Windows.

I did the Panda scan that you suggested.  It found ten infections but does not remove them unless you buy the program.  They were cookies and had low risk and I did notice that when they were found, the modem light was red, but then it came back on by itself.  I only have the Norton right now and Windows Defender which came with the computer but I have never felt safe with that because it has never found anything on the computer.  The AVG that I put on was a link scanner that seemed to be helpful but what do I know?  Anyway it is still happening but I think we are a little closer to a solution (I HOPE).
I am going to try the other scans you suggested and see what happens.

Thanks so much for your help,
Margaret Avila

 

by: plaidie | Posted on 2009-10-21 at 08:20:10 | ID: 25624835

I wanted to report that a miracle did happen.  Yesterday (Tuesday) the computer lost the connection three times.  I had removed all the extra programs so I said something is still not right.  Last night I decided to find the free version of RemoveItPro and use it for the heck of it.  I like that one because it offers the quarantine option and the paid one does not.  So I scanned and lo and behold there were fifteen infections.  Big surprise.  This time I tried to quarantine them.  I was able to and then I cleared the quarantine.  I scanned again and there they were again!!  This time I tried to fix them.  I was able to fix twelve which left three.  I disabled system restore and then restarted the computer.  When I scanned again there are none!!! I'm clean!!!  I did worry because when I got the clean report the internet light had turned red but turned green in a few seconds.  So then I went and got the one I paid for and tried that one since it never really worked right.  It too says I'm clean.  So now I am watching to see if I get booted off any more. Hopefully not and I will be eternally grateful.  But I do have to say that I have trusted RemoveItPro in the past.  My brother is very skeptical with computers and he advised me to get it.  So I have to say right now things are looking good and I know I shouldn't keep both of the programs, but right now I am paranoid and they don't seem to be hurting anything at the moment.

Thanks so much and I will let you know if there is any further problem.
plaidie50

 

by: rpggamergirl | Posted on 2009-10-21 at 22:39:21 | ID: 25631082

I, on the other hand, don't trust it because of its bad history.

But if you like it, then that's good.
Glad to know it works for you, :)


 

by: plaidie | Posted on 2009-10-22 at 07:35:20 | ID: 25634700

I just had typed you another note and I just lost the connection so here I go again.  First of all please don't misunderstand.  I certainly appreciated all your help and advice and we did get a lot closer to a solution, but the red light is still happening.

Yesterday I was reinstalling my printer and the light turned red for about three minutes and turned green again by itself.  Then last night I was on the internet and RemoveItPro sent an alert that I had a dangerous file and should scan my computer and that has never happened before.  I got offline and scanned and sure enough the infection was found.  As soon as that happened the light turned red for about five minutes.  I then quarantined and tried to fix and it worked.  As soon as it was gone the light turned green by itself again.  Should this be happening if the infections are gone?  I know just now I was typing to you and I lost the whole message so this time I was online.  What else could it be?  Drivers, settings, I don't know any more.

Thanks again,
plaidie50

 

by: plaidie | Posted on 2009-10-26 at 08:09:06 | ID: 25663000

Hello,
I thought I would give you an update.  I have been monitoring very closely and I am still having the same problem.  I have been scanning every day and as of right now I am clean according to RemoveItPro, but I still have the red light.  I was up to seventeen infections but was able to clean everything.  As of yesterday I only had one.  I just got off the phone with Verizon telling them that before it happens the DSL light flashes, then the internet light goes out, and then turns red for exactly five minutes and turns green again.  She tested my line and found nothing.  I did notice that when I was doing updates and even being offline it was turning red.  I have never had the problem of infections returning but when I restart after doing updates, most of the time I find some infections again.  I don't know if you have any new ideas.  I have used the malicious software removal tool and Ad-aware Malware program and nothing was found but I did have the symptoms.  Now my computer is working better than it has in a long time as far as speed, settings, opening pages; things seem great.  One thing I did notice was I could not get the service pack 2 update.  It would stop at 96% and then revert back.  I am going to see today if the same thing happens but yet I am getting all the other updates without a problem.

That's all for now.  I hope maybe you can shed some light on this very frustrating situation.
Thanks,
plaidie50 (Margaret Avila)

 

by: rpggamergirl | Posted on 2009-10-27 at 06:21:25 | ID: 25672070

Are those 17 infections that RemoveItPro found the same files from before? Legit files?
Kaspersky, which is usually a very thorough scanner, didn't find any threat, so it's weird.

Let's try running rootkit scanners: Gmer and RootRepeal.

1.  Download the GMER Rootkit Scanner. Unzip it to your Desktop.
http://www.gmer.net/gmer.zip

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.



2.  Download RootRepeal from the following location and save it to your desktop.
Zip Mirrors:
http://rootrepeal.googlepages.com/RootRepeal.zip
http://ad13.geekstogo.com/RootRepeal.zip
Rar Mirror:
http://ad13.geekstogo.com/RootRepeal.rar


Extract RootRepeal.exe from the archive.
Open RootRepeal on your desktop.
Click the "Report" tab.
Click the "Scan" button.
Check all seven boxes:

o Drivers
o Files
o Processes
o SSDT
o Stealth Objects
o Hidden Services
o Shadow SSDT

Push Yes
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the "Save Report" button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

 

by: plaidie | Posted on 2009-10-27 at 17:36:44 | ID: 25679086

I have already done the Gmer scan and it found nothing.  Also the RootRepeal wouldn't work.  Right now the computer is working better than it has in a while.  The speed is great, I was able to finally get security pack 2 because I worked on it Sunday and my videos which always buffered are playing like tv.  I'm afraid to screw things up again.  I have been clean since this morning and when I scanned I only had two infections.  That's a big change from before.  I am also getting HP updates and before it always said there were none available.  The only problem right now is the disconnect.  The funny thing is it went out Monday and today at exactly the same time and stayed red for five minutes both times.  Isn't that strange to you?  I might attempt doing the scans tomorrow but I just got done with research and read about the Windows Live TotalCare Safety scanner and it did a deep scan for everything and found nothing so I am losing faith in all these programs.  It's really a puzzle but I did see sys.32.symlcsv1 in two places and I was able to clean both with RemoveItPro.  I don't know what else to say.

Thanks for being in touch.
plaidie50

 

by: rpggamergirl | Posted on 2009-10-31 at 05:41:40 | ID: 25709502

Sorry for not being here to reply sooner.

Try renaming RootRepeal and see if it runs... did you get any error?
Yes, it's strange that other scanners found nothing while RemoveItPro did, especially when Kaspersky didn't find anything either and it is a very thorough scanner.
I don't have much faith in RemoveItPro but I respect your decision. I'm glad to know that the pc seems to be running okay.

Please click on the "Request Attention" button to automatically post a request in the Community Support for the Mods to alert other Experts to look at this thread. Someone might have a solution to this issue.

 

by: plaidie | Posted on 2009-10-31 at 15:56:12 | ID: 25711932

Before I do that I want you to know that I have monitored the modem and it does turn red every three hours at exactly the same time.  I'm not sure about nighttime but daytime is every three hours which is weird.  I even checked my settings to see if anything is set for three hours but found nothing.  The news is not so good either.  Wednesday I saw four infections, two of which cannot be cleaned or removed.  The names are weird, sys32.UIribbon and sys32.UIanimation.  I have searched dll files and done scans and find nothing.  Last night I had one called sys32.catchme.  That really got me upset.  I did do a scan with Sophos and it found about eight unknown hidden files with not a lot of information.  The recommendation was they could be removed but Sophos does not recommend this because it does not recognize these files.  So I sent them a log and I think I just got an answer back that I will check later.  I am starting to think that these files are bogus.  I don't know, but by the computer's behavior, I don't know what to think.

My youngest daughter lives two hours from me and her neighbor fixes computers.  We all are on Facebook so I asked for his help and luckily tomorrow I am sending the tower for him to check with my oldest daughter since she and her family will be visiting her sister.   I am so mad at myself that I cannot figure this one out.  I used to be able to remove viruses with no problem but these files will not come up at all.  So I hope to get the computer back quickly but my daughter is sometimes difficult about having to bring things back to me quickly.
Thanks again,

plaidie (Margaret)

 

by: rpggamergirl | Posted on 2009-10-31 at 17:13:04 | ID: 25712138

Can you list those unknown files that Sophos did not recognize?

The UIribbon could belong to Windows Ribbon Framework and UIanimation to Windows Animation Manager, but of course some nasties can masquerade as legit files also.
The catchme.exe or catchme.sys is also used by legit programs like combofix, haxfix, sdfix, etc.; it's a userland rootkit detector integrated in some scanners.

You would need to upload any files that you don't know (after looking at their properties) and have them scanned online at http://virusscan.jotti.org/
If you're using Search Companion to search for files you need to first configure Search to look for hidden files and folders, because by default it will not search for hidden files even though you've already set Explorer to show hidden files and folders. So make sure Search is configured to search for hidden files.
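The "look at their properties, then have them scanned online" step above can be done in one pass from a PowerShell prompt. The script below is an added example, not code from the thread or from any of the products named in it; it takes the two file names the asker mentioned (UIRibbon.dll and UIAnimation.dll, assumed to live in System32) and, for each one, reports whether it exists, whether it is hidden, the company name from its version resource, its Authenticode signature status and its SHA256 hash, which is what you would look up on an online scanner instead of uploading blindly. It assumes PowerShell 4 or later (Get-FileHash does not exist in older versions).

```powershell
# Added example: triage System32 files a scanner flagged as infected before
# touching them. Names below are the ones mentioned in the thread (assumption:
# they resolve under %SystemRoot%\System32); add your own as needed.
$suspects = @('UIRibbon.dll', 'UIAnimation.dll')

function Get-System32FileReport {
    param([string[]]$Names)

    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        # -Force so a hidden file is still returned rather than reported missing
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            # A name that does not exist on disk is itself a finding: the scanner
            # may be reporting something other than a real file.
            [pscustomobject]@{ Name = $name; Exists = $false }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name      = $name
            Exists    = $true
            SizeBytes = $item.Length
            Hidden    = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
            Company   = $item.VersionInfo.CompanyName
            SigStatus = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

Get-System32FileReport -Names $suspects | Format-List
```

Read the output with one caveat in mind: on Vista and Windows 7 most System32 files are signed through a catalog rather than an embedded signature, so Get-AuthenticodeSignature can report NotSigned for a perfectly genuine file. A NotSigned result there is not evidence of tampering; HashMismatch is. For a second opinion on a specific file, `sfc /verifyfile=<full path>` checks it against Windows' own protected-file records, and the SHA256 value is what you paste into an online scanner to see whether anyone else has seen that exact file.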

 

by: plaidie | Posted on 2009-11-02 at 07:49:32 | ID: 25720426

I did send the log to Sophos and they sent a message that they would be getting back to me as soon as they did an investigation.  I tried to match up numbers and other things but they were just too evasive so the recommendation was to leave them alone.  I did check the search companion which I hardly use but it was checked to search hidden files and folders.  By the way I don't have my computer back but I am using my old tower right now.  I had to do some cleaning up since it still had all my information on it so I did a clean install of Windows XP and it was pretty good but the red light is still turning on every three hours at exactly the same time every day.  That is the most frustrating thing right now.  How could that be happening with two computers and it's a brand new modem?  Hopefully I will have the problems solved when I see my other computer.

Can you explain to me exactly how viruses travel?  If I connected this older one and it had infections, which it did, and it was sitting in the spare room for one year, is that a problem?  I always scanned with RemoveItPro on this one also so I don't understand.  My point is, am I going to infect the new one again?  Right now I am clean and I am able to fix the infections with no problem on XP.

Will be in touch.  The next time the red light should turn on will be around 12:25 P.M.  I just don't get it.

Thanks,
Margaret (plaidie50)

 

by: rpggamergirl | Posted on 2009-11-02 at 21:47:46 | ID: 25726329

This doesn't sound like it's caused by viruses/malware if you reformatted the drive. This is also not likely an MBR rootkit because Combofix didn't seem to detect it. You could try Gmer or other rootkit scanners but it doesn't seem likely.

<<<"Can you explain to me exactly how viruses travel.  If I connected this older one and it had infections which it did and it was sitting in the spare room for one year is that a problem?  I always scanned with RemoveItPro on this one also so I don't understand.  My point is am I going to infect the new one again? >>> 

You mean moving the hard drive from the old pc and slaving it into the new pc?
If the old hard drive has infections and you slave it into the new pc and you use it and open folders and run .exes etc., then yes it can infect that way.
An infection can also infect another pc via sharing files, even just sharing USB drives if the USB is infected.

 

by: plaidie | Posted on 2009-11-03 at 08:34:31 | ID: 25730706

I am not really familiar with this aspect.  By slaving it do you mean removing and installing into the new pc?  I am trying to learn about all these things but this is new to me.  I was nervous because this older one is connected right now and I wonder if when I disconnect and reconnect the newer one that has just been repaired, will I reinfect it?  Right now the older one is clean.  I don't even know how it could have had twenty five infections since I always scanned it.  I did get word from the person who looked at my computer that he says my modem is timing out and I need to talk to Verizon about that but each time they run a line test and say things are fine.  This is a new one for me but it is turning red every three hours online or off and then turns green again after six or seven minutes.

I just saw also the report from Sophos but I haven't read it yet.  I will go back and maybe I can forward that to you also if it seems necessary to the subject at hand.

Thanks,

plaidie

 

by: rpggamergirl | Posted on 2009-11-03 at 16:44:30 | ID: 25735446

<<<"I am not really familiar with this aspect.  By slaving it do you mean removing and installing into the new pc?">>>

I asked whether you meant slaving as I did not quite understand what you meant about connecting the old pc.
When I think about it you probably mean connecting the old pc to the internet. If you don't transfer files between the 2 pcs, and don't share or plug in the same USB flash drive, then any viruses/infection won't be able to spread between pcs and you should be okay.


Reading back at my previous suggestion of uninstalling IOBit {http:#25598005}
<<<"If it was me, I would uninstall it and also IObit Security 360.">>>


Perhaps you might like to read this link so you'll be informed about IOBit Security:

IOBit steals MalwareBytes' Intellectual property:
http://www.malwarebytes.org/forums/index.php?showtopic=29681

 

by: plaidie | Posted on 2009-11-04 at 17:32:51 | ID: 25746005

I did remove it when you told me to the first time.  I just have the necessary things now but I still don't have the original computer.  There was a mixup and it is still out of town with the computer person.  I am still using the old one.  Sounds like I will be okay when I get the other one back.  I am having Verizon back on Friday morning.  My friend who is fixing the PC said that it's not the computer but the modem timing out.  It has timed out every three hours at the same time every day.  Not just the new PC but with the old one connected so something is not right.

Anyway that's it for now and thanks so much for the information.  I know I have learned a hard lesson about surfing and being careful.  I still have found one infection on the older PC to do with settings and it keeps coming back even after I have fixed it.  I'm afraid to even use it any more.

plaidie (margaret)
