trojan dos alureon.e

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kasey22l, Jan 4, 2012.

  1. kasey22l

    kasey22l Private E-2

    Hello,
    About 4 weeks ago I ran Microsoft Security Essentials and it came back saying that I had a threat: trojan dos alureon.e, and it could not remove it. After a little research (Google) it seemed that this was an ugly threat. I came across a similar forum to this one and asked for help. I have followed the volunteer tech's advice for three weeks but it seems like we are getting nowhere fast. I am hoping that I could have someone here look at my problem (I will stop taking the instructions from the other forum). I left off with the other forum trying to get through ComboFix, which never completed the full scan (computer would freeze up). Please let me know if you would like a copy of our forum discussion to catch you up to speed. Also, after running Malwarebytes initially with the other forum, I lost my internet access. (During ComboFix, I get a popup saying: "rootkit.zeroaccess inserted itself in tcp/ip stack".)

    So now, starting fresh with you, I have gone through the Read & Run steps. I was not able to complete all steps.
    1. SuperAntiSpyware - success - attached log
    2. Malwarebytes - I ran it and it created a log, but it did say that the version was outdated by 10 days. I did try to load the update but there were errors. (FYI - no internet connection, moving programs from one computer to the next.) Log attached.
    3. ComboFix - started the program; after 30 minutes I left the room (stuck on the screen saying that it may take 10 minutes or longer), came back and the computer had restarted but I can't find a log. (Assuming that it didn't complete; FYI, I have tried running ComboFix more than 10 times, unsuccessfully, over the past 3 weeks.)
    4. rootrepeat.rar - won't allow me to run; the computer does not recognize the file type
    5. MGTools.exe - I ran it, but no log was created. There is no folder for MGtools, only the .exe, which I downloaded directly to the desktop. I did get this message during the scan: MG tools:
    application has generated an exception that couldnt be handled:
    process id=0x1118 (4376), Thread id=0xcdc (3292).

    I appreciate any help, thanks
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, kasey22l!

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download ListParts by Farbar
    Run the tool, click Scan and attach the log (Result.txt) it makes. (How to attach)

    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)
     
  3. kasey22l

    kasey22l Private E-2

    Thanks for the quick response; attached are the requested reports.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Open TDSSKiller and run another scan just as you did earlier. Except when you see TDSS File System, allow TDSSKiller to delete it. Then attach the latest TDSSKiller log.

    Code:
      Partition 4    Primary           1872 KB   149 GB
    
    Disk: 0
    Partition 4
    Type  : 17 (Suspicious Type)
    Hidden: Yes
    Active: No

    We have a partition that needs to be deleted. This is the root of most of your problems.

    First I must ask, do you have your data backed up and do you have your Windows Vista CD/DVD?

    We need to restore a clean Master Boot Record (MBR) with it.

    Let me know before doing anything else.
     
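    The ListParts output quoted above (a hidden, type-17 partition of only 1872 KB sitting beside the OS partition) is the kind of finding that can be reproduced straight from the raw partition table. The script below is an added example and is not part of this thread, nor code from ListParts or TDSSKiller: it parses a 512-byte MBR, lists the non-empty entries and flags small partitions with a "hidden" filesystem type (0x17 is hidden NTFS/HPFS, the type reported above). The MBR bytes are constructed to match the thread's numbers, and the 16 MiB threshold, the function names and the type table are assumptions made for the example.

```python
import struct

SECTOR_SIZE = 512
MBR_SIZE = 512
TABLE_OFFSET = 446   # partition table starts here; 4 entries of 16 bytes
ENTRY_SIZE = 16

# MBR partition type IDs that mark a filesystem as "hidden", so Windows
# assigns it no drive letter. 0x17 is the type ListParts reported above.
HIDDEN_TYPES = {
    0x11: "hidden FAT12",
    0x14: "hidden FAT16 (<32 MiB)",
    0x16: "hidden FAT16",
    0x17: "hidden NTFS/HPFS",
    0x1B: "hidden FAT32",
    0x1C: "hidden FAT32 (LBA)",
    0x1E: "hidden FAT16 (LBA)",
}

# Assumption for this example: a hidden partition smaller than this is
# flagged; OEM recovery partitions are normally far larger than a few MB.
SMALL_HIDDEN_LIMIT = 16 * 1024 * 1024


def parse_mbr(mbr: bytes) -> list[dict]:
    """Return the non-empty entries of the MBR partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0x00:          # empty slot
            continue
        entries.append({
            "index": slot + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * SECTOR_SIZE,
        })
    return entries


def assess(entries: list[dict]) -> list[dict]:
    """Flag partitions that look like the hidden bootkit partition above."""
    findings = []
    for p in entries:
        reasons = []
        if p["type"] in HIDDEN_TYPES:
            reasons.append(f"hidden type 0x{p['type']:02X} ({HIDDEN_TYPES[p['type']]})")
            if p["size_bytes"] < SMALL_HIDDEN_LIMIT:
                reasons.append(f"only {p['size_bytes'] // 1024} KB, too small for a real filesystem")
        if reasons:
            findings.append({"index": p["index"], "reasons": reasons})
    return findings


def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are left zeroed; modern tools use the LBA fields only.
    return bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba_start, sectors)


def sample_mbr() -> bytes:
    """Constructed MBR modelled on the thread's ListParts output: an active
    NTFS OS partition of about 140.85 GB and a 1872 KB hidden type-0x17
    partition in slot 4."""
    os_sectors = 295_384_576          # ~140.85 GiB at 512-byte sectors
    hidden_sectors = 3_744            # 1872 KB
    table = (
        _entry(0x80, 0x07, 2048, os_sectors)
        + _entry(0x00, 0x00, 0, 0)
        + _entry(0x00, 0x00, 0, 0)
        + _entry(0x00, 0x17, 2048 + os_sectors, hidden_sectors)
    )
    return bytes(TABLE_OFFSET) + table + b"\x55\xAA"


def report(mbr: bytes) -> str:
    """Human-readable listing plus any suspicious partitions."""
    entries = parse_mbr(mbr)
    lines = [f"Partition {p['index']}: type 0x{p['type']:02X} "
             f"{'active' if p['active'] else 'inactive'} "
             f"{p['size_bytes'] // 1024} KB" for p in entries]
    for f in assess(entries):
        lines.append(f"SUSPICIOUS partition {f['index']}: " + "; ".join(f["reasons"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(sample_mbr()))
```

    On a real disk the 512 bytes would come from a raw read of sector 0 (on Windows, `\\.\PhysicalDrive0` opened with administrator rights); from inside an infected system a rootkit may filter that read, which is why the thread moves the deletion to a GParted live CD booted outside Windows.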
  5. kasey22l

    kasey22l Private E-2

    fyi - I reread instructions for the MGlog and found the zip file
     

    Attached Files:

  6. kasey22l

    kasey22l Private E-2

    I do not have Vista CD and do not have data backed up. Should I continue with TDSS?
     
  7. thisisu

    thisisu Malware Consultant

    Yes
    If you have anything that you wish to save, please back up the data to another source. This is a safety measure just in case I am unable to get your system booting after attempting to fix the MBR. Usually these tasks go without problem, but just in case :)

    Create a Windows Vista System Repair Disc

    Try to follow the instructions in this guide: http://www.vistax64.com/tutorials/141820-create-recovery-disc.html
    Keep in mind that you have 32-bit version of Windows Vista.

    Let me know if you were able to create this disk.
     
  8. kasey22l

    kasey22l Private E-2

    Here is the TDSS log.
    I will work on the recovery disc. Feel free to send me the steps; I won't act until I have a recovery disc and backed-up data.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Preferably from a clean computer, I need you to download: gparted-live-0.11.0-7.iso (114 MB)

    Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
    If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

    Now boot off of the newly created GParted CD.

    http://img829.imageshack.us/img829/5772/gpartedsplash.th.png
    You should be here...
    Press ENTER
    http://img819.imageshack.us/img819/7286/gpartedkeymaps.th.png
    By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.
    http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
    Choose your language and press ENTER. English is default [33]
    http://img140.imageshack.us/img140/7958/gpartedgui.th.png
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below
    http://img32.imageshack.us/img32/1122/gpartedo.th.png
    According to your logs, the partition that you want to delete is 1.83 MiB (1.83 MB)
    Click the trash can icon to delete and then click Apply.
    You should now be here confirming your actions:
    http://img233.imageshack.us/img233/1533/gpartedsteps.th.png
    Now you should be here:
    http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png
    http://img194.imageshack.us/img194/7753/gpartedboot.th.png
    Is "boot" next to your OS drive? According to your logs, your OS drive is the 140.85 GB sized partition.
    If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags
    In the menu that pops up, place a checkmark in boot like the picture below:
    http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png
    Now double-click the Exit button.
    You should receive a small pop up like this:
    http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
    Choose reboot and then press OK.

    Now reboot from the Windows Vista Recovery Environment CD and execute the following commands:

    • bootrec /fixmbr
    • bootrec /fixboot
    • exit

    Once back in Windows...

    Re-run another scan with MBRCheck and attach its latest log. (How to attach)
     
  10. kasey22l

    kasey22l Private E-2

    I didn't get far on the recovery disc. These instructions require me to have the Vista retail disc.
     
  11. thisisu

    thisisu Malware Consultant

    I'm sorry to hear that. The problem with not having the Vista disc is that some of these latest infections are blocking attempts to modify the MBR while you are in Windows or while you are using the built in "Repair My Computer" feature.

    We have a much higher success rate WITH the disc.

    We can try a few things without a disc but I am not sure if they will work or not. The results are not consistent from what we have seen.

    Let me know how you would like to proceed.

    Regardless though, the first step will be to delete that partition marked in red (1.83 MB).
     
  12. kasey22l

    kasey22l Private E-2

     
  13. thisisu

    thisisu Malware Consultant

    Works for me.
     
  14. kasey22l

    kasey22l Private E-2

    Yeah, it's working today for me; I think the site was down last night. I am working on that step now.
     
  15. thisisu

    thisisu Malware Consultant

    Ok :)
     
  16. kasey22l

    kasey22l Private E-2

    partition deleted
    attached MBRcheck
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    Good :)

    Sometimes MBRCheck reports an unknown MBR just due to the way Hewlett-Packard sets up their partition tables.

    Let's see what the below tool says before we do anything else:

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)
     
  18. kasey22l

    kasey22l Private E-2

    aswMBR log,

    I already had a version of aswMBR on my computer from the last forum I was working with (downloaded 3 weeks ago). I hope it works for you and is not out of date? I see the old log is combined.

    FYI - I really appreciate your help and the pace we have been moving at so far. I think we have done twice as much in 24 hours as we did in 3 weeks with the other forum.
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    :cool
    It is out of date. The latest version is v0.9.9.1120. Please download the newest version from the link provided.

    Let me know how things are running with the partition being deleted.
     
  20. kasey22l

    kasey22l Private E-2

    here is the new log aswMBR

    The computer seems to be running fine, not any different. still no internet connection.

    FYI- I have been and still am getting a message at startup:
    wlstartup - Entry Point not found

    The procedure entry point?GetHeight@CRMImage@@QBEHXZ could not be located in the dynamic library UXCore.dll.
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the "Custom Scans/Fixes" text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
     
  22. kasey22l

    kasey22l Private E-2

    Attached is the OTL report. I have been searching for the extra.txt but can't find it. I did reopen OTL.exe and noticed that the default on the Extra Registry is checked "None" (but I'm not sure if that is related). Please advise.
     

    Attached Files:

    • OTL.Txt (312.5 KB, 5 views)
  23. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below. You can reinstall these once we are through with malware removal.
    • Avira Free (if it is still present)
    • LiveUpdate 3.2 (Symantec Corporation)
    • LiveUpdate Notice (Symantec Corporation)
    • Microsoft Security Essentials
    • Napster Burn Engine
    • Napster
    Reboot

    Now download and run Norton_Removal_Tool.exe

    Reboot again.

    SAS should not have been installed onto the desktop.

    Run the Uninstall.exe file on your desktop to uninstall SAS.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the "Custom Scans/Fixes" text-field.
    Code:
    :otl
    SRV - File not found [Auto | Stopped] --  -- (SymAppCore)
    SRV - File not found [Auto | Stopped] --  -- (LiveUpdate Notice Ex)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (slabser)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (slabbus) DisplayKEY USB Cradle driver (WDM)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (NwlnkFlt)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsld5d38117)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsl9949fbac)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsl32cc3c73)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (IpInIp)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (cpuz134)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (blbdrive)
    IE - HKU\S-1-5-21-3169625114-2507931809-1573453260-1000\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
    O3 - HKLM\..\Toolbar: (no name) - {06C7AD57-B655-418D-9AB8-9526A6D2E052} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {b278d9f8-0fa9-465e-9938-0c392605d8e3} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
    O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
    O15 - HKU\S-1-5-21-3169625114-2507931809-1573453260-1000\..Trusted Domains: lvarmls.com ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-3169625114-2507931809-1573453260-1000\..Trusted Domains: netflix.com ([signup] * in Trusted sites)
    O15 - HKU\S-1-5-21-3169625114-2507931809-1573453260-1000\..Trusted Domains: netflix.com ([www] * in Trusted sites)
    O15 - HKU\S-1-5-21-3169625114-2507931809-1573453260-1000\..Trusted Domains: rapmls.com ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-3169625114-2507931809-1573453260-1000\..Trusted Domains: rapmls.com ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-3169625114-2507931809-1573453260-1000\..Trusted Domains: vvmls.com ([]http in Trusted sites)
    O33 - MountPoints2\{40d5eb57-c2e1-11de-8853-001b2485a4be}\Shell - "" = AutoRun
    O33 - MountPoints2\{40d5eb57-c2e1-11de-8853-001b2485a4be}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -a
    O33 - MountPoints2\{45946bf3-1700-11df-bb5a-001b2485a4be}\Shell\AutoRun\command - "" = G:\slacker.synclauncher.exe
    O33 - MountPoints2\{45946bf3-1700-11df-bb5a-001b2485a4be}\Shell\slacker\command - "" = G:\slacker.synclauncher.exe
    O33 - MountPoints2\{8f87c093-0848-11e0-8b6c-001b2485a4be}\Shell\AutoRun\command - "" = H:\setupSNK.exe
    O33 - MountPoints2\{a1a3f6ce-13cf-11de-b39a-001b2485a4be}\Shell\AutoRun\command - "" = G:\system\viewer\FlipVideoforPC.exe
    O33 - MountPoints2\{a1a3f6ce-13cf-11de-b39a-001b2485a4be}\Shell\Flip Video for PC\command - "" = G:\system\viewer\FlipVideoforPC.exe
    O33 - MountPoints2\H\Shell - "" = AutoRun
    O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
    O33 - MountPoints2\I\Shell - "" = AutoRun
    O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\LaunchU3.exe -a
    [2012/01/05 16:46:35 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{77768BB2-6A45-41BB-85BE-D7140FACE3FA}
    [2012/01/05 11:54:00 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{3F96B189-C8BB-4F7A-B8A7-FC59A89EA537}
    [2012/01/05 00:13:09 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{828D1CCC-3103-4C5A-BBFD-0F26EA7074EA}
    [2012/01/04 22:50:41 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{1C8F0227-9536-4F3D-8623-AA2C29835B9E}
    [2012/01/04 18:58:02 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{68EB11C1-A3EA-411C-96E2-BD9E173B5C3E}
    [2012/01/04 11:35:28 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{D2DBF3DC-EB30-4DFE-8110-713CEC65F252}
    [2012/01/04 10:50:02 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{C762A90A-975C-4F8A-8124-329EC4EDB66A}
    [2012/01/04 10:43:53 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{D1F09219-A2C2-4C04-9CCA-CE6E84EE5476}
    [2012/01/04 07:50:53 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{A40C55B4-295B-4839-A8FE-4CD7BEC2209E}
    [2012/01/04 07:30:48 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{DF95700B-564E-4540-A9E1-756452FABD62}
    [2012/01/02 20:24:23 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{C53439C1-4173-47FD-87DB-39B518E100F4}
    [2012/01/02 14:58:52 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{2AF1E096-4F90-4360-AA43-C5B16F0D9B5F}
    [2011/12/27 15:53:00 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{8680CDCF-BDE6-4D49-A7EE-7DE8972D7D3D}
    [2011/12/27 15:19:41 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{26F31F27-8995-4652-A62B-6DDEDE3C872F}
    [2011/12/22 23:02:25 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{28CEE9B2-EC28-4816-8B12-4607439634A8}
    [2011/12/22 22:43:14 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{B1764D65-31AB-4320-AF92-F5A3E1DCFDE5}
    [2011/12/19 19:59:17 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{31BC04F9-8B68-4428-B402-1799267AE25B}
    [2011/12/19 19:06:25 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{23630B9C-7AEC-49BD-B367-44BD3BDF414F}
    [2011/12/19 18:38:28 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{F3593DD4-9CC3-4ACA-B867-47A80967582A}
    [2011/12/17 13:41:09 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{2C4750DE-16FE-46AB-887C-380B15CD5152}
    [2011/12/17 13:40:06 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{4BB14F25-1054-43F4-BB4E-64E3B634715E}
    [2011/12/15 22:57:19 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{3CA62C65-08B1-451B-9552-D5959BD029B2}
    [2011/12/15 22:56:58 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{33C6210D-8E58-436E-BAD6-655C7564FFBC}
    [2011/12/15 09:50:11 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{1B3BA571-1387-43AD-8474-91D4460B07AC}
    [2011/12/15 09:49:50 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{24376A4C-E4F8-4D56-8363-0F9944903C37}
    [2011/12/14 21:39:20 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{281D0DFD-1B88-478B-895E-D3C6C61AE122}
    [2011/12/14 21:38:56 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{BC2ECA28-EB84-4B12-8085-CFCD6BC4FF08}
    [2011/12/11 19:02:56 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Roaming\Babylon
    [2011/12/11 19:02:56 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\Babylon
    [2011/12/11 19:03:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Tarma Installer
    [2011/12/11 19:02:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
    [2011/12/10 22:48:17 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{F3D71014-AD41-4A72-990E-46518924900E}
    [2011/12/10 22:47:23 | 000,000,000 | ---D | C] -- C:\Users\kasey\AppData\Local\{45914E97-EDB7-4DAF-976E-3917633B6D7D}
    [2011/12/10 21:54:45 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [1 C:\Users\kasey\AppData\Local\*.tmp files -> C:\Users\kasey\AppData\Local\*.tmp -> ]
    [1 C:\Users\kasey\*.tmp files -> C:\Users\kasey\*.tmp -> ]
    [2012/01/02 12:19:07 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\ParetoLogic Update Version3.job
    [2011/12/10 21:54:54 | 000,001,808 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\RossiListingPackage.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\rose.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\REO Craigslist.tif:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\REO Craigslist.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\PlantMoroz.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\Plantation Co-Sponsor.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\McCarron_Lease_INVOICE[1].pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\Letter_to_Peter_Mellon_Real_Estate[1].pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\Lauraschool.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\invite.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\IndianSpringsDecal.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\hollodAdd1.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\hollodadd.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\grizwald.doc:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\GetAttachment.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\fridge.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\foxpre.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\foxhighestoffer.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\C21 disclosureGabel.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\BOWLPOOL.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\Bowl_Pool_07_-_08_SORTED[1].xls:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\am012hseX.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\ak02a7y7X.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\aj03mce6X.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\Addendum_A_to_Contract_of_Sale.doc:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\aaaa1jf9X.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\45304_Banff_Springs_Street___Addendum_No__1_-_10_01.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\2008_Masters_Golf.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\1234.pdf:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\kasey\Documents\123.pdf:Roxio EMC Stream
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:A6CD15C3
    @Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:D1B5B4F1
    :services
    LiveUpdate
    Automatic LiveUpdate Scheduler
    SASDIFSV
    SASKUTIL
    :files
    C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys|c:\windows\system32\drivers\tdx.sys /replace
    C:\Program Files\Symantec
    C:\Program Files\Microsoft Security Client
    C:\Program Files\Avira
    C:\Program Files\Napster
    C:\Program Files\Common Files\Symantec Shared
    xcopy %temp%\smtmp\1 "%programdata%\start menu" /s /i /h /y /c
    xcopy %temp%\smtmp\2 "%appdata%\microsoft\internet explorer\quick launch" /s /i /h /y /c
    xcopy %temp%\smtmp\3 "%appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
    xcopy %temp%\smtmp\4 "%programdata%\desktop" /s /i /h /y /c
    :reg
    [hklm\software\microsoft\windows\currentversion\run]
    "NapsterShell"=-
    "MSC"=-
    "iTunesHelper"=-
    "HP Software Update"=-
    "avgnt"=-
    :commands
    [purity]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
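    The OTL fix above is built by hand from report lines of two kinds: services and drivers whose binary is gone ("File not found", the residue of removed security products) and MountPoints2 shell handlers that would launch an executable from a removable drive when it is inserted. The script below is an added example, not part of this thread or of OTL: it triages constructed lines in the shapes OTL printed above, classifies each flagged line, and emits the ":otl" section of a custom fix from the result. The sample text (including one healthy driver line that must not be flagged), the regular expressions and the function names are assumptions made for the example, not OTL's own parsing rules.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the shapes OTL printed in the thread above.
# The AFD line stands in for a healthy driver entry and must not be flagged.
SAMPLE_OTL = r"""
SRV - File not found [Auto | Stopped] --  -- (SymAppCore)
SRV - File not found [Auto | Stopped] --  -- (LiveUpdate Notice Ex)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (slabbus) DisplayKEY USB Cradle driver (WDM)
DRV - File not found [Kernel | System | Stopped] --  -- (MpKsld5d38117)
DRV - (AFD) -- C:\Windows\system32\drivers\afd.sys [Kernel | On_Demand | Running]
O33 - MountPoints2\{40d5eb57-c2e1-11de-8853-001b2485a4be}\Shell - "" = AutoRun
O33 - MountPoints2\{40d5eb57-c2e1-11de-8853-001b2485a4be}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -a
O33 - MountPoints2\{45946bf3-1700-11df-bb5a-001b2485a4be}\Shell\slacker\command - "" = G:\slacker.synclauncher.exe
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
"""

# SRV/DRV entries whose image is missing: "(name)" follows the "--  --" gap.
MISSING_RE = re.compile(
    r'^(SRV|DRV) - File not found \[([^\]]+)\] --\s+-- \(([^)]+)\)'
)
# O33 entries: volume id, optional shell verb, optional \command, then the value.
MOUNTPOINT_RE = re.compile(
    r'^O33 - MountPoints2\\([^\\]+)\\Shell(?:\\([^\\]+))?(?:\\command)? - "" = (.+)$'
)


@dataclass
class Finding:
    kind: str     # orphaned-service | orphaned-driver | mountpoint-handler
    name: str     # service/driver name or MountPoints2 volume id
    detail: str   # start type and state, or verb and command
    line: str     # the original report line, reused verbatim in the fix


def triage(report: str) -> list[Finding]:
    """Return the report lines a consultant would carry into an :otl fix."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = MISSING_RE.match(line)
        if m:
            kind = "orphaned-service" if m.group(1) == "SRV" else "orphaned-driver"
            findings.append(Finding(kind, m.group(3), m.group(2), line))
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            volume, verb, value = m.groups()
            # A bare "\Shell" key whose value is AutoRun makes AutoRun the
            # default verb for that volume; record it as such.
            verb = verb or ("default->" + value)
            findings.append(Finding("mountpoint-handler", volume, f"{verb}: {value}", line))
    return findings


def fix_script(findings: list[Finding]) -> str:
    """Build the ':otl' section of an OTL custom fix from the flagged lines."""
    return "\n".join([":otl", *(f.line for f in findings)])


if __name__ == "__main__":
    found = triage(SAMPLE_OTL)
    for f in found:
        print(f"{f.kind:20} {f.name:45} {f.detail}")
    print()
    print(fix_script(found))
```

    A missing-image service entry is not malicious by itself (here they are leftovers of Symantec and Security Essentials components), but every orphaned entry is a name a later infection can reuse, which is why the thread removes them along with the removable-media AutoRun handlers.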
  24. thisisu

    thisisu Malware Consultant

    It should be in the same directory you found OTL.txt

    I have most of the information needed already so if you cannot find it it's not a big deal.
     
  25. kasey22l

    kasey22l Private E-2

    otl fix log and MGlogs
     

    Attached Files:

  26. thisisu

    thisisu Malware Consultant

    There was a syntax error in part of the last script. Run the below. When it reboots, test your internet.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the "Custom Scans/Fixes" text-field.
    Code:
    :processes
    killallprocesses
    :files
    c:\windows\system32\drivers\tdx.sys|C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys /replace
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  27. kasey22l

    kasey22l Private E-2

    Internet is working and everything seems much faster! Genius!

    Logs attached
     

    Attached Files:

  28. thisisu

    thisisu Malware Consultant

    Great! :cool

    Just a few minor traces left. After you complete this fix you should continue with the final cleanup steps outlined at the bottom of this post.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the "Custom Scans/Fixes" text-field.
    Code:
    :processes
    killallprocesses
    :files
    C:\Users\kasey\AppData\Local\{01447e58-63b2-4be4-810f-539d5bbe53e4}
    C:\Users\kasey\AppData\Local\{0da3d194-fd51-41b1-937e-77ef18fa2c09}
    C:\Users\kasey\AppData\Local\{0ef601a6-ac95-44a5-b664-960273d0746b}
    C:\Users\kasey\AppData\Local\{21ace7d0-3f00-4ae2-9df3-9beb6f2a1a2b}
    C:\Users\kasey\AppData\Local\{24fd69fa-dd8c-48c9-a36f-5f49d5c271c6}
    C:\Users\kasey\AppData\Local\{2c378169-25bb-4041-abac-bb21fc995cf0}
    C:\Users\kasey\AppData\Local\{38489341-4c85-44d5-b035-bea7145912fd}
    C:\Users\kasey\AppData\Local\{3bda344e-d4a4-4234-9d1a-c9e4e477bb81}
    C:\Users\kasey\AppData\Local\{3db9bef1-62a8-477e-b04d-c3c2b610b2bc}
    C:\Users\kasey\AppData\Local\{3e26c50c-8de7-476c-acc2-855146bce08d}
    C:\Users\kasey\AppData\Local\{45a418a2-aa63-43c1-b2e7-59b07c1f482b}
    C:\Users\kasey\AppData\Local\{48f73acd-102b-4b50-b990-59ff4ba53784}
    C:\Users\kasey\AppData\Local\{49974990-ea67-4e6b-9a19-9fe493f17966}
    C:\Users\kasey\AppData\Local\{50c0ac82-0739-4e04-b783-ffe7f3f1e762}
    C:\Users\kasey\AppData\Local\{515b2883-965e-4cfb-97cb-7e6b6fced651}
    C:\Users\kasey\AppData\Local\{561d62b7-a1c2-4fd1-9912-f47b90577c8a}
    C:\Users\kasey\AppData\Local\{5aae684e-3211-4bed-9621-30e2e372737f}
    C:\Users\kasey\AppData\Local\{5fc1afec-517c-4969-9148-80a09e981a2e}
    C:\Users\kasey\AppData\Local\{651dc1e4-8893-4082-bed4-24e69f0ae480}
    C:\Users\kasey\AppData\Local\{66771215-89e9-4107-bff6-1b22c6dbed5e}
    C:\Users\kasey\AppData\Local\{671d5f70-b24b-4cfa-8274-145611662903}
    C:\Users\kasey\AppData\Local\{68e74e57-8202-4f0b-880a-8028e95a064b}
    C:\Users\kasey\AppData\Local\{69028728-fb17-42dc-8a52-03baff691081}
    C:\Users\kasey\AppData\Local\{6d115fb6-bc8c-4703-a2b1-73499fa8aa67}
    C:\Users\kasey\AppData\Local\{72aa5d6e-fa88-49dd-965c-2f60182ca88d}
    C:\Users\kasey\AppData\Local\{793edbe4-25f5-415b-b161-a241b0600918}
    C:\Users\kasey\AppData\Local\{7aeb90f8-12fa-439d-bf79-b2d439becd73}
    C:\Users\kasey\AppData\Local\{83195d49-8eb0-4287-8fab-88714233f481}
    C:\Users\kasey\AppData\Local\{8842906d-112e-4e07-b1fd-e133a3fdcbe4}
    C:\Users\kasey\AppData\Local\{8be31a0a-02c0-4ad8-aff7-7509eae56805}
    C:\Users\kasey\AppData\Local\{8d41f693-ae0b-4ac2-bde3-f7266dd01b7f}
    C:\Users\kasey\AppData\Local\{902fd89c-3459-4766-a549-1b044f09804e}
    C:\Users\kasey\AppData\Local\{9660253e-d3d5-4ece-b0f8-063c60adfd04}
    C:\Users\kasey\AppData\Local\{97cfebaf-f340-41e3-9e41-d1abd7a5b328}
    C:\Users\kasey\AppData\Local\{9b661237-bc6e-47c4-ab2d-3df2d1a628f0}
    C:\Users\kasey\AppData\Local\{a455d848-c819-44e6-ab85-177310f3efb2}
    C:\Users\kasey\AppData\Local\{b5e8efdb-79df-4976-9896-d601a849b352}
    C:\Users\kasey\AppData\Local\{b7042a04-7646-46e6-af4a-a038cf02d554}
    C:\Users\kasey\AppData\Local\{b7591110-aa3c-4e43-bb46-970b3341aee2}
    C:\Users\kasey\AppData\Local\{bc280bac-9430-4aae-a00b-439370d28694}
    C:\Users\kasey\AppData\Local\{be532838-0c33-40fc-904d-2cac6653a151}
    C:\Users\kasey\AppData\Local\{c792d6ce-989e-440d-9797-329fdc19f548}
    C:\Users\kasey\AppData\Local\{d4831f43-00b4-4289-8deb-26c6868d3979}
    C:\Users\kasey\AppData\Local\{d57c4719-559d-4efb-866b-cab86d2a7df7}
    C:\Users\kasey\AppData\Local\{da636b99-bac9-4da2-822e-2d5bd7669320}
    C:\Users\kasey\AppData\Local\{e1f7ed87-b026-48ab-8382-a21e26e76e0b}
    C:\Users\kasey\AppData\Local\{e335ac88-57fc-412b-a279-d6b7acedaff2}
    C:\Users\kasey\AppData\Local\{e52d3fcf-ec7e-4dbc-aa12-e6685b807e7d}
    C:\Users\kasey\AppData\Local\{e684e478-b041-401d-95ea-1b3d1bbf0008}
    C:\Users\kasey\AppData\Local\{e7accba8-7116-400f-bb1b-911bb3ed7634}
    C:\Users\kasey\AppData\Local\{ea16f52b-6a2f-4ace-baa3-022b332c86a3}
    C:\Users\kasey\AppData\Local\{ebed228e-db3c-4522-b9d9-d21964deb2b5}
    C:\Users\kasey\AppData\Local\{f1303e4b-363c-442d-aff5-34c61dbd08db}
    C:\Users\kasey\AppData\Local\{fa07fffb-91dd-4635-b1ef-491da5e45cdf}
    C:\Users\kasey\AppData\Local\{fe3fa82f-e35d-47d5-a7be-c07917b1ab43}
    C:\Users\kasey\AppData\Local\{ff124bb4-fb9c-47af-887c-004e4d89b931}
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{74597C9E-EA23-4B62-BD01-C97123A5B6D9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{74597C9E-EA23-4B62-BD01-C97123A5B6D9}]
    :commands
    [clearallrestorepoints]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __________________________________________________________________________

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Take care and be safe! :)
     
  29. kasey22l

    kasey22l Private E-2

    I had installed combofix with the other forum that I started with. They had me rename it commy.exe. During uninstall I assume I just do the same but replace combofix with commy???
     
  30. kasey22l

    kasey22l Private E-2

    here is the OTL fix log

    also, before I start cleaning up, can you tell me about this error that I get at startup. If it doesn't mean much, no biggy, it is only annoying:

    wlstartup - Entry Point not found
    The procedure entry point ?GetHeight@CRMImage@@QBEHXZ could not be located in the dynamic library UXCore.dll.
     
  31. thisisu

    thisisu Malware Consultant

    Yes, that will work too.
    Try uninstalling Windows Live Essentials

    http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/wlstartupexe-entry-point-not-found-in-windows-live/55aa850a-e2d3-4816-820f-5caf0a766b44
     
  32. kasey22l

    kasey22l Private E-2

    here is the OTL fix log
     

    Attached Files:

  33. thisisu

    thisisu Malware Consultant

    Looks good :)
     
  34. kasey22l

    kasey22l Private E-2

    during clean up, trying to wipe out system restore points, I get the following message:
    could not create the scheduled task for the following reason: Access is denied. (0x8007005)

    I hit ok and then come back to the tab and the C drive is unticked

    Not sure if the operation has completed??
     
  35. thisisu

    thisisu Malware Consultant

    I already made OTL delete your system restore points. All you need to do is create a new (clean) restore point.
     
  36. kasey22l

    kasey22l Private E-2

    Awesome, my system seems to be running great! I really appreciate your help, this service is awesome! What can I do to promote you guys?

    I just have one more question about my system. Should I be concerned that the "HP_recovery (D: )" drive is almost full?
     
  37. thisisu

    thisisu Malware Consultant

    Tell your friends about us! :)

    No. This is how HP designed their recovery partition ;)
     
