Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Vundo Problem

Post by karoath » July 5th, 2007, 9:11 pm

Hello, I've recently discovered that I have the Vundo Trojan on my machine. I have Norton installed and it keeps spotting the files, but cannot quarantine or remove the files. I also tried the following programs to remove the trojan... Ad-Aware, VundoFix, TrojanHunter, and Spybot. None seem to do anything with the files. I was wondering if someone could help me find a way to remove Vundo. I've included a HijackThis log file below. Thanks in advance for any help that you may provide.

Logfile of HijackThis v1.99.1
Scan saved at 9:09:00 PM, on 7/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\a-squared Free\a2service.exe
D:\Program Files\AdAware\aawservice.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\NavNT\vptray.exe
D:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\mdm.exe
D:\Program Files\Trojan Hunter\THGuard.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Netscape\Netscp.exe
C:\WINNT\system32\HPZipm12.exe
C:\Documents and Settings\bdewald\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1361D9A2-7CF7-4A12-87F6-7C05434EF383} - C:\WINNT\system32\iifdc.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {8BA1B2E0-2B6D-4F07-B47B-7742ED065D28} - \
O2 - BHO: (no name) - {D8DD7C10-1A30-4733-985C-A6EB64DB7FC0} - C:\Program Files\microsoft frontpage\metovoduq43855.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "D:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\Trojan Hunter\THGuard.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {9C067857-2267-40F9-9E58-62B63D4CD20D} (ProtectWorkbookM.ProtectWorkbookModify) - file://C:\SW_IMPORT\vidya test\ProtectWorkbookMod.ocx
O16 - DPF: {DCD1BD7A-F11C-4189-B6CF-AA15412A9E6E} (ProtectWorkBookO.ProtectWorkBookOpen) - http://tokyo/images/ProtectWorkbookOpen.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/w ... der_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gotham.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gotham.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gotham.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: iifdc - C:\WINNT\system32\iifdc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: urqomml - urqomml.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\AdAware\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
karoath
Active Member
 
Posts: 8
Joined: July 5th, 2007, 9:02 pm

Post by Trogan » July 6th, 2007, 5:35 am

Hi karoath, and welcome to Malware Removal! :)

Three things:

1. I don't see any indication of a Firewall in your HijackThis log. This may be because:

(1.) You are using Windows Firewall or a hardware Firewall.
(2.) You are using a Firewall of an unknown vendor.
(3.) You are using a Firewall, but it is disabled for unknown reasons.
(4.) You don't use any firewall at all.

In the case you don't have a Firewall, please download one from the list below - They are Free!

Comodo
Zone Alarm
Sunbelt Kerio PF
Outpost Firewall

2. You said you ran VundoFix. If so, it would have created a log at C:\VundoFix.txt. Please locate this and post it back here.

3. I need to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your next post.

Please post the VundoFix log, along with the uninstall list and a new HijackThis log.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Post by karoath » July 6th, 2007, 6:50 pm

Thanks for the rapid response! Each time I click "Save List" in HijackThis, the program closes without giving me an option for the save location. I checked the desktop and could not find any new files. Any ideas about this problem? The VundoFix log is displayed below. I do not currently have a firewall installed. I am using a wireless router with WEP encryption from NetGear to connect to the internet, though. If I install a firewall, will it interfere with my normal computer usage? I've often heard that a software firewall interferes with internet browsing as well as other operations. Thanks again for the help!


VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 8:38:08 PM 7/5/2007

Listing files found while scanning....

C:\WINNT\system32\cdfii.bak1
C:\WINNT\system32\cdfii.bak2
C:\WINNT\system32\cdfii.ini
C:\WINNT\system32\cdfii.tmp
C:\WINNT\system32\iifdc.dll
C:\WINNT\system32\urqomml.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\cdfii.bak1
C:\WINNT\system32\cdfii.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\cdfii.bak2
C:\WINNT\system32\cdfii.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\cdfii.ini
C:\WINNT\system32\cdfii.ini Has been deleted!

Attempting to delete C:\WINNT\system32\cdfii.tmp
C:\WINNT\system32\cdfii.tmp Has been deleted!

Attempting to delete C:\WINNT\system32\iifdc.dll
C:\WINNT\system32\iifdc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\cdfii.ini
C:\WINNT\system32\cdfii.ini Has been deleted!

Attempting to delete C:\WINNT\system32\iifdc.dll
C:\WINNT\system32\iifdc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 8:52:26 PM 7/5/2007

Listing files found while scanning....

C:\WINNT\system32\cdfii.ini
C:\WINNT\system32\iifdc.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\cdfii.ini
C:\WINNT\system32\cdfii.ini Has been deleted!

Attempting to delete C:\WINNT\system32\iifdc.dll
C:\WINNT\system32\iifdc.dll Could not be deleted.

Performing Repairs to the registry.
Done!
karoath
Active Member
 
Posts: 8
Joined: July 5th, 2007, 9:02 pm

Post by Trogan » July 7th, 2007, 6:48 am

Hi karoath,

No, a software Firewall will not interfere with Internet activities. The only time a Firewall will interfere is when something it does not recognise tries to gain access to or from your computer; you then have to accept or deny access. You really need to install a Firewall for your protection. I suggest Comodo; very easy to use and does a fantastic job.

Before we begin, you have HijackThis.exe (dynamite icon) on your Desktop. This is fine, but it is better for HijackThis to be in its own folder so backups can safely be created. Please do this now.

Please do the following...

1. We need to run VundoFix again, but slightly differently from before.
  • Double-click VundoFix.exe to run it.
  • Right Click inside the listbox (white box) and click Add more file?
  • Copy & Paste the following entry below into the top box

    • C:\WINNT\system32\iifdc.dll
  • Click Add Files and click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt in your next reply.

2. Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

O2 - BHO: (no name) - {1361D9A2-7CF7-4A12-87F6-7C05434EF383} - C:\WINNT\system32\iifdc.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)

O2 - BHO: (no name) - {8BA1B2E0-2B6D-4F07-B47B-7742ED065D28} - \
O2 - BHO: (no name) - {D8DD7C10-1A30-4733-985C-A6EB64DB7FC0} - C:\Program Files\microsoft frontpage\metovoduq43855.dll (file missing)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/w ... der_v6.cab

O20 - Winlogon Notify: iifdc - C:\WINNT\system32\iifdc.dll
O20 - Winlogon Notify: urqomml - urqomml.dll (file missing)


- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
- Close HijackThis

3. Now try getting the Uninstall list, as mentioned in my first post

4. Please post the new VundoFix.txt, along with a new HijackThis log and the Uninstall list.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
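The triage Trogan is doing by hand on the log above (unnamed BHOs loading from system32, a Winlogon Notify package nobody recognises, the same DLL showing up under both O2 and O20, and IE search settings reset to about:blank) can be scripted for a defender reviewing many such logs. The following is an added example, not code from this thread or from HijackThis; the sample lines are copied from the log posted above, while the Winlogon Notify allowlist, the system-directory rule and the severity labels are my own assumptions.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis v1.99.1 log posted in this thread (a subset,
# arranged here as constructed sample input for the triage below).
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {1361D9A2-7CF7-4A12-87F6-7C05434EF383} - C:\WINNT\system32\iifdc.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\Spybot\SDHelper.dll",
    "O2 - BHO: (no name) - {8BA1B2E0-2B6D-4F07-B47B-7742ED065D28} - \\",
    r"O20 - Winlogon Notify: iifdc - C:\WINNT\system32\iifdc.dll",
    r"O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll",
    r"O20 - Winlogon Notify: urqomml - urqomml.dll (file missing)",
]

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SEARCH_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")

# Winlogon Notify packages treated as expected on this Windows 2000 box (Symantec's NavLogon,
# the NetWare client's nwprovau, plus the stock Microsoft ones). Assumption: an allowlist
# you maintain yourself, not something HijackThis ships.
KNOWN_NOTIFY = {"navlogon", "nwprovau", "crypt32chain", "cryptnet", "cscdll", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
SEVERITY = {"high": 0, "medium": 1, "low": 2}


def basename(path):
    """Lower-cased file name from an HJT path field, ignoring the '(file missing)' tag."""
    path = path.replace("(file missing)", "").strip().strip('"')
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(path):
    p = path.lower()
    return "\\winnt\\system32\\" in p or "\\windows\\system32\\" in p


def parse(lines):
    """Split raw HJT lines into BHO (O2), Winlogon Notify (O20) and search (R0/R1) records."""
    bhos, notifies, searches = [], [], []
    for line in lines:
        line = line.rstrip()
        if m := BHO_RE.match(line):
            bhos.append({"name": m["name"], "clsid": m["clsid"], "path": m["path"], "line": line})
        elif m := NOTIFY_RE.match(line):
            notifies.append({"name": m["name"], "path": m["path"], "line": line})
        elif m := SEARCH_RE.match(line):
            searches.append({"key": m["key"], "value": m["value"], "line": line})
    return bhos, notifies, searches


def triage(lines):
    """Return (severity, reason, log line) findings, highest severity first."""
    bhos, notifies, searches = parse(lines)
    findings = []
    o2_dlls, o20_dlls = defaultdict(list), defaultdict(list)

    for b in bhos:
        dll = basename(b["path"])
        if not dll or "(file missing)" in b["path"]:
            findings.append(("low", "orphaned BHO registration (no file behind the CLSID)", b["line"]))
            continue
        o2_dlls[dll].append(b["line"])
        if b["name"] == "(no name)" and in_system_dir(b["path"]):
            findings.append(("medium", "unnamed BHO loading from the system directory", b["line"]))

    for n in notifies:
        dll = basename(n["path"])
        if "(file missing)" in n["path"]:
            findings.append(("low", "orphaned Winlogon Notify registration", n["line"]))
            continue
        o20_dlls[dll].append(n["line"])
        if n["name"].lower() not in KNOWN_NOTIFY:
            findings.append(("medium", "Winlogon Notify package not in the allowlist", n["line"]))

    for s in searches:
        if s["value"].strip().lower() == "about:blank":
            findings.append(("low", "IE search setting reset to about:blank", s["line"]))

    # The Vundo pattern in this thread: one DLL registered both as a BHO (loaded by IE and
    # Explorer) and as a Winlogon Notify package (loaded by winlogon.exe at boot). While
    # winlogon holds it open the file cannot be deleted, which is why VundoFix keeps
    # reporting "Could not be deleted" for iifdc.dll.
    for dll in sorted(o2_dlls.keys() & o20_dlls.keys()):
        findings.append(("high", f"{dll} registered as both BHO and Winlogon Notify package",
                         "; ".join(o2_dlls[dll] + o20_dlls[dll])))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


def dual_persistence(lines):
    """DLL names that appear under both O2 and O20 in the log."""
    return {f[1].split(" ")[0] for f in triage(lines) if f[0] == "high"}


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run against the full log rather than the subset, the same rules also pick up the `urqomml.dll` Winlogon Notify entry (orphaned by VundoFix's first pass) and the `metovoduq43855.dll` and Outerinfo BHOs that have no file behind them.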

Post by karoath » July 7th, 2007, 10:14 am

I just finished installing Comodo on the machine. I ran VundoFix and it seems to fail again. The log is shown below. With HijackThis, the following entries did not appear when I did a system scan...

O2 - BHO: (no name) - {1361D9A2-7CF7-4A12-87F6-7C05434EF383} - C:\WINNT\system32\iifdc.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)

O2 - BHO: (no name) - {8BA1B2E0-2B6D-4F07-B47B-7742ED065D28} - \
O2 - BHO: (no name) - {D8DD7C10-1A30-4733-985C-A6EB64DB7FC0} - C:\Program Files\microsoft frontpage\metovoduq43855.dll (file missing)

O20 - Winlogon Notify: iifdc - C:\WINNT\system32\iifdc.dll
O20 - Winlogon Notify: urqomml - urqomml.dll (file missing)

I performed the Fix Checked option on the other files, though. See the attached log file below. HijackThis still closes when I try to save the uninstall list again.

VUNDOFIX LOG

VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 8:38:08 PM 7/5/2007

Listing files found while scanning....

C:\WINNT\system32\cdfii.bak1
C:\WINNT\system32\cdfii.bak2
C:\WINNT\system32\cdfii.ini
C:\WINNT\system32\cdfii.tmp
C:\WINNT\system32\iifdc.dll
C:\WINNT\system32\urqomml.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\cdfii.bak1
C:\WINNT\system32\cdfii.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\cdfii.bak2
C:\WINNT\system32\cdfii.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\cdfii.ini
C:\WINNT\system32\cdfii.ini Has been deleted!

Attempting to delete C:\WINNT\system32\cdfii.tmp
C:\WINNT\system32\cdfii.tmp Has been deleted!

Attempting to delete C:\WINNT\system32\iifdc.dll
C:\WINNT\system32\iifdc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\cdfii.ini
C:\WINNT\system32\cdfii.ini Has been deleted!

Attempting to delete C:\WINNT\system32\iifdc.dll
C:\WINNT\system32\iifdc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 8:52:26 PM 7/5/2007

Listing files found while scanning....

C:\WINNT\system32\cdfii.ini
C:\WINNT\system32\iifdc.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\cdfii.ini
C:\WINNT\system32\cdfii.ini Has been deleted!

Attempting to delete C:\WINNT\system32\iifdc.dll
C:\WINNT\system32\iifdc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\iifdc.dll
C:\WINNT\system32\iifdc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\iifdc.dll
C:\WINNT\system32\iifdc.dll Could not be deleted.

Performing Repairs to the registry.
Done!



HIJACKTHIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 10:06:13 AM, on 7/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\a-squared Free\a2service.exe
D:\Program Files\AdAware\aawservice.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\NavNT\vptray.exe
D:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Trojan Hunter\THGuard.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\system32\mdm.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\HPZipm12.exe
D:\Program Files\HiJackThis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "D:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\Trojan Hunter\THGuard.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo Firewall\Comodo\Firewall\CPF.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {9C067857-2267-40F9-9E58-62B63D4CD20D} (ProtectWorkbookM.ProtectWorkbookModify) - file://C:\SW_IMPORT\vidya test\ProtectWorkbookMod.ocx
O16 - DPF: {DCD1BD7A-F11C-4189-B6CF-AA15412A9E6E} (ProtectWorkBookO.ProtectWorkBookOpen) - http://tokyo/images/ProtectWorkbookOpen.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gotham.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gotham.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gotham.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\AdAware\aawservice.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo Firewall\Comodo\Firewall\cmdagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)

Thanks for the help so far!
karoath
Active Member
 
Posts: 8
Joined: July 5th, 2007, 9:02 pm

Post by karoath » July 7th, 2007, 10:33 am

Whoops! I had temporarily disabled Norton Real Time Protection to stop the insane number of messages it was giving. I re-enabled it and tried HijackThis once again. The missing entries were now displayed and I clicked Fix again. I think it may have worked on all of the files, except for the iifdc.dll entries (at a quick glance). I posted the log below. I also tried the uninstall list again and it worked this time, also listed below. Sorry about the confusion!

HIJACKTHIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 10:26:44 AM, on 7/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\a-squared Free\a2service.exe
D:\Program Files\AdAware\aawservice.exe
D:\Program Files\Comodo Firewall\Comodo\Firewall\cmdagent.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\NavNT\vptray.exe
D:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Trojan Hunter\THGuard.exe
D:\Program Files\Comodo Firewall\Comodo\Firewall\CPF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\mdm.exe
C:\WINNT\system32\HPZipm12.exe
D:\Program Files\HiJackThis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {CAEA4E4B-2FD0-4F2F-B0C3-AE4D616EA82B} - C:\WINNT\system32\iifdc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "D:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\Trojan Hunter\THGuard.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo Firewall\Comodo\Firewall\CPF.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {9C067857-2267-40F9-9E58-62B63D4CD20D} (ProtectWorkbookM.ProtectWorkbookModify) - file://C:\SW_IMPORT\vidya test\ProtectWorkbookMod.ocx
O16 - DPF: {DCD1BD7A-F11C-4189-B6CF-AA15412A9E6E} (ProtectWorkBookO.ProtectWorkBookOpen) - http://tokyo/images/ProtectWorkbookOpen.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gotham.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gotham.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gotham.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: iifdc - C:\WINNT\system32\iifdc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\AdAware\aawservice.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo Firewall\Comodo\Firewall\cmdagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)

HIJACKTHIS UNINSTALL LIST
7-Zip 4.23
ActivePerl 5.8.6 Build 811
Ad-Aware 2007
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.8
Ancient Castle 3D Screensaver 1.0
Anvil Studio
Arachnophilia version 4.0
Army Builder V2.2c
a-squared Free 3.0
Assassin
Blender (remove only)
Campaign Cartographer 2
Christmas 3D Screensaver 1.0
COMODO Firewall Pro
DirectX 9 Hotfix - KB839643
DivX
DivX Player
EAX(tm) Unified (SHELL)
gPhotoShow v1.5.0
HijackThis 1.99.1
Hotfix for MDAC 2.81 (KB927779)
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
HP Software Update
InterVideo WinDVD 4
Iomega App Services
Iomega HotBurn
IrfanView (remove only)
iTunes
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2_04
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 SDK, SE v1.4.2_06
Java Web Start
Jewel Quest (remove only)
Lantern 3D Screensaver 1.0
Lippincott's Review for NCLEX-RN 8th Edition
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Flash Player 8
Micrografx Picture Publisher 8
Micrografx Simply 3D 3
Micrografx Webtricity 2
Micrografx Windows Draw 6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office 2000 Professional
Microsoft Office 2003 Web Components
Microsoft Office Small Business Accounting 2006
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual Basic 2005 Express Edition - ENU
Microsoft Visual Basic 2005 Express Edition - ENU
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Visual Web Developer 2005 Express Edition - ENU
Microsoft Visual Web Developer 2005 Express Edition - ENU
Microsoft Web Publishing Wizard 1.53
Microsoft XML Parser and SDK
Mini Python Pack 1.5.1
Mozilla Firefox (1.0.7)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
Netscape (7.1)
Norton AntiVirus Corporate Edition
NVIDIA Windows 2000/XP Display Drivers
OLYMPUS CAMEDIA Master 1.2
overland
Poser 4
Python 2.3.5
Quake II
QuickTime
RealPlayer
Remote Desktop Connection
R-Undelete v2.1
Screen Paver Screen Saver
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
sforce 5.0 Quick-Start
Spirit of Fire 3D Screensaver 2.4
Spybot - Search & Destroy 1.4
Syberia
Terragen
The One Ring 3D Screensaver 1.0
TrojanHunter 4.7
Turbo Lister
Update Rollup 1 for Windows 2000 SP4
Winamp (remove only)
Windows 2000 Hotfix - KB834707
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB867282
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB904368
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix - KB930178
Windows 2000 Hotfix - KB931784
Windows 2000 Hotfix - KB932168
Windows 2000 Hotfix - KB933566
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB935840
Windows 2000 Hotfix (SP5) Q818043
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
Winupdate
WinZip
karoath
Active Member
 
Posts: 8
Joined: July 5th, 2007, 9:02 pm

Unread postby Trogan » July 7th, 2007, 2:58 pm

Hi karoath! Hmm...that file is being stubborn!

Before we begin, can I ask you to either disable or shut down Trojan Hunter while we work to clean the computer. This will ensure that we do not run into any troubles along the way.

Please do the following...

1. Let's get that file uploaded so it can be added to VundoFix.
  • Go here to Upload Malware
  • Fill out the information, and post a link to this thread.
  • In the File(s) To Submit: box 1. copy and paste the following:
    • C:\WINNT\system32\iifdc.dll
  • Click on Send File and close the page
2. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement."
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
    • Java 2 Runtime Environment, SE v1.4.1_02
    • Java 2 Runtime Environment, SE v1.4.2_04
    • Java 2 Runtime Environment, SE v1.4.2_05
    • Java 2 SDK, SE v1.4.2_06
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

3. Download this file to your Desktop - combofix.exe
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

4. Please post the ComboFix log, along with a new HijackThis log.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby karoath » July 8th, 2007, 11:12 pm

Performed all of the above tasks. I've also attached the requested logs below...

COMBOFIX LOG:
"bdewald" - 2007-07-08 22:35:53 - ComboFix 07-07-09.3 - Service Pack 4


((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))


2007-07-08 09:07 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_278.dat
2007-07-08 08:57 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-07 10:19 <DIR> d-------- C:\DOCUME~1\bdewald\APPLIC~1\Comodo
2007-07-07 10:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-07-07 10:17 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_328.dat
2007-07-07 10:15 1,104 --a------ C:\vpwaf.dat
2007-07-05 20:38 <DIR> d-------- C:\VundoFix Backups
2007-07-05 20:33 <DIR> d-------- C:\!KillBox
2007-07-05 06:31 <DIR> d-------- C:\DOCUME~1\bdewald\APPLIC~1\TrojanHunter
2007-07-04 17:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-04 13:08 <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC28SP1-KB927779-x86-ENU$
2007-07-04 12:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-04 12:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-03 20:52 <DIR> d-------- C:\Program Files\Assassin
2007-07-01 09:09 76,560 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-07-01 08:58 <DIR> d-------- C:\DOCUME~1\bdewald\.housecall6.6
2007-06-21 22:35 <DIR> d-a------ C:\WINNT\system32\S7
2007-06-21 22:35 <DIR> d-a------ C:\WINNT\system32\S4
2007-06-21 22:35 <DIR> d-a------ C:\WINNT\system32\S2
2007-06-21 22:35 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 02:33:44 -------- d---a-w C:\Program Files\NavNT
2007-07-08 05:01:22 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-04 16:05:19 -------- d-----w C:\Program Files\Savers
2007-07-04 15:54:47 -------- d-----w C:\Program Files\Symantec
2007-07-04 15:53:47 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-01 00:51:56 -------- d-----w C:\Program Files\microsoft frontpage
2007-06-24 03:41:36 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-24 02:54:58 66,285 ----a-w C:\WINNT\system32\nvModes.dat
2007-06-04 19:18:48 9,344 ----a-w C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w C:\WINNT\system32\drivers\AWRTPD.sys
2007-06-01 01:15:57 -------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-06-01 01:09:34 -------- d-----w C:\DOCUME~1\bdewald\APPLIC~1\AdobeUM
2007-05-12 15:32:02 -------- d-----w C:\Program Files\DOSBox-0.70
2007-05-12 15:25:36 -------- d-----w C:\Program Files\MAGIC
2007-05-12 02:22:20 29,475 ----a-w C:\WINNT\hpoins03.dat
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-17 02:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 12:44:08 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINNT\system32\lsdelete.exe
2000-07-26 12:00:00 94,784 --sh--w C:\WINNT\twain.dll
2000-07-26 12:00:00 44,816 --sh--w C:\WINNT\twain_32.dll
2003-06-19 19:05:04 1,015,859 --sh--w C:\WINNT\system32\mfc42.dll
2000-07-26 12:00:00 77,878 --sh--w C:\WINNT\system32\msvcirt.dll
2000-08-29 06:19:16 401,462 --sha-w C:\WINNT\system32\msvcp60.dll
2003-06-19 19:05:04 286,773 --sh--w C:\WINNT\system32\msvcrt.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
06-01-12 20:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
05-05-31 01:04 853672 --a------ D:\PROGRA~1\Spybot\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
07-06-14 18:32 509592 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WLANSTA.EXE"="WLANSTA.exe" [02-03-12 05:23 C:\WINNT\system32\WLANSTA.exe]
"nwiz"="nwiz.exe" [03-06-24 19:32 C:\WINNT\system32\nwiz.exe]
"vptray"="C:\Program Files\NavNT\vptray.exe" [01-09-24 07:59 ]
"Drag'n'Drop_Autolaunch"="D:\Program Files\Iomega HotBurn\Autolaunch.exe" [01-11-19 14:39 ]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05-01-12 15:54 ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05-02-17 00:11 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 C:\WINNT\system32\mobsync.exe]
"THGuard"="D:\Program Files\Trojan Hunter\THGuard.exe" [07-06-23 00:19 ]
"COMODO Firewall Pro"="D:\Program Files\Comodo Firewall\Comodo\Firewall\CPF.exe" [07-07-07 09:59 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-06-14 18:32 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINNT\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Dialer (OnStartup).lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Dialer (OnStartup).lnk
backup=C:\WINNT\pss\VPN Dialer (OnStartup).lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^bdewald.GOTHAM^Start Menu^Programs^Startup^Hewlett-Packard Recorder.lnk]
path=C:\Documents and Settings\bdewald.GOTHAM\Start Menu\Programs\Startup\Hewlett-Packard Recorder.lnk
backup=C:\WINNT\pss\Hewlett-Packard Recorder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alchem]
C:\WINNT\alchem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mwaswy]
C:\WINNT\system32\yemlar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
"C:\Program Files\Outerinfo\Outerinfo.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
"C:\Program Files\Outerinfo\OuterinfoUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RelevantKnowledge]
c:\winnt\system32\rlvknlg.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINNT\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\satmat]
C:\WINNT\satmat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.7.4\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
C:\WINNT\wupdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-08 22:43:20
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-08 22:44:17
C:\ComboFix-quarantined-files.txt ... 07-07-08 22:43

--- E O F ---


HIJACKTHIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 11:10:08 PM, on 7/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\a-squared Free\a2service.exe
D:\Program Files\AdAware\aawservice.exe
D:\Program Files\Comodo Firewall\Comodo\Firewall\cmdagent.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mdm.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\NavNT\vptray.exe
D:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Comodo Firewall\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Netscape\Netscp.exe
D:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "D:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\Trojan Hunter\THGuard.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo Firewall\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {9C067857-2267-40F9-9E58-62B63D4CD20D} (ProtectWorkbookM.ProtectWorkbookModify) - file://C:\SW_IMPORT\vidya test\ProtectWorkbookMod.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {DCD1BD7A-F11C-4189-B6CF-AA15412A9E6E} (ProtectWorkBookO.ProtectWorkBookOpen) - http://tokyo/images/ProtectWorkbookOpen.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gotham.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gotham.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gotham.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\AdAware\aawservice.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo Firewall\Comodo\Firewall\cmdagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
karoath
Active Member
 
Posts: 8
Joined: July 5th, 2007, 9:02 pm

Unread postby Trogan » July 9th, 2007, 5:14 am

Hi karoath! Good job! :)

The ComboFix log is showing a lot of adware/spyware files.

Please do the following...

Open Notepad and copy/paste the text in the Quote Box below into it:

File::
C:\WINNT\system32\yemlar.exe
c:\winnt\system32\rlvknlg.exe
C:\WINNT\retadpu1000106.exe
C:\WINNT\alchem.exe
C:\WINNT\satmat.exe
C:\WINNT\wupdt.exe

Folder::
C:\WINNT\system32\S7
C:\WINNT\system32\S4
C:\WINNT\system32\S2
C:\PROGRA~1\NEWDOT~1
C:\Program Files\Outerinfo
C:\Program Files\Java\j2re1.4.2_05
C:\Program Files\Common files\updater
C:\Program Files\Web Buying
C:\Program Files\WinPop

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alchem]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mwaswy]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RelevantKnowledge]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\satmat]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]

Save this as CFScript to your Desktop!

Image

Referring to the picture above, drag CFScript into ComboFix.exe
A new log will be created (CFScript.txt), please post that back here.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
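The CFScript format used in the post above (File::, Folder:: and Registry:: sections, with `[-HKEY...]` delete lines), as an added example that is not part of the original thread or of ComboFix itself: a small Python checker that parses such a script together with the "Reg Loading Points" section of a ComboFix log and reports which removal entries are actually backed by something the log listed, so a stray key or mistyped path is caught before the script is dragged onto ComboFix. The log excerpt and script inside are constructed from entries quoted in the thread; the `nosuchkey` entry is a placeholder that deliberately matches nothing.

```python
import re
from typing import Dict, List

# Constructed excerpt of a ComboFix "Reg Loading Points" section, built from
# entries quoted earlier in the thread (not a real captured log).
COMBOFIX_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alchem]
C:\WINNT\alchem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mwaswy]
C:\WINNT\system32\yemlar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Constructed CFScript in the shape the post uses. "nosuchkey" is a
# placeholder that matches nothing in the log above.
CFSCRIPT = r"""
File::
C:\WINNT\system32\yemlar.exe
C:\WINNT\alchem.exe
C:\WINNT\satmat.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alchem]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mwaswy]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nosuchkey]
"""

SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
# Matches "[HKEY...]" as printed in the log and "[-HKEY...]" as written in a
# CFScript delete line; group 1 holds the optional "-".
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its File::, Folder:: and Registry:: entries.

    Only the delete form "[-HKEY...]" is accepted under Registry:: (the only
    form the thread's script uses); anything else raises, so a typo cannot
    silently become a different directive.
    """
    sections: Dict[str, List[str]] = {"File": [], "Folder": [], "Registry": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        if current == "Registry":
            key = KEY_RE.match(line)
            if key is None or key.group(1) != "-":
                raise ValueError(f"unsupported Registry:: line: {line!r}")
            sections[current].append(key.group(2))
        else:
            sections[current].append(line)
    return sections


def parse_loading_points(log: str) -> Dict[str, List[str]]:
    """Map each [HKEY...] key in a Reg Loading Points section to the value
    lines printed beneath it (the command ComboFix found under that key)."""
    points: Dict[str, List[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(2)
            points.setdefault(current, [])
        elif current is not None:
            points[current].append(line)
    return points


def cross_check(script: Dict[str, List[str]],
                points: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Report which script entries the log supports. Comparison is
    case-insensitive because the thread's script mixes drive-path casing."""
    known_keys = {k.lower() for k in points}
    values_blob = "\n".join(v for vals in points.values() for v in vals).lower()
    report: Dict[str, List[str]] = {"registry_backed": [], "registry_unbacked": [],
                                    "path_backed": [], "path_unbacked": []}
    for key in script["Registry"]:
        bucket = "registry_backed" if key.lower() in known_keys else "registry_unbacked"
        report[bucket].append(key)
    for path in script["File"] + script["Folder"]:
        bucket = "path_backed" if path.lower() in values_blob else "path_unbacked"
        report[bucket].append(path)
    return report


if __name__ == "__main__":
    result = cross_check(parse_cfscript(CFSCRIPT), parse_loading_points(COMBOFIX_LOG))
    for bucket, entries in result.items():
        print(bucket)
        for entry in entries:
            print("   ", entry)
```

Paths under Folder:: are only matched against loading-point values here; entries such as the `C:\WINNT\system32\S2` folders in the post come from the "Files Created" section instead, which this checker does not parse.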

Unread postby karoath » July 9th, 2007, 9:47 pm

Here we go... let's hope this helps!

COMBOFIX LOG:
"bdewald" - 07/09/2007 19:05:29 - ComboFix 07-07-09.3 - Service Pack 4
Command switches used :: C:\Documents and Settings\bdewald\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Java\j2re1.4.2_05
C:\Program Files\Java\j2re1.4.2_05\lib\applet\WMPNS.jar
C:\Program Files\Java\j2re1.4.2_05\lib\ext\QTJava.zip
C:\WINNT\system32\S2
C:\WINNT\system32\S2\mwspasrt83122.exe
C:\WINNT\system32\S4
C:\WINNT\system32\S4\wen2.exe
C:\WINNT\system32\S7


((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))


2007-07-08 23:24 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_20c.dat
2007-07-08 23:14 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_330.dat
2007-07-08 23:13 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_28c.dat
2007-07-08 08:57 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-07 10:19 <DIR> d-------- C:\DOCUME~1\bdewald\APPLIC~1\Comodo
2007-07-07 10:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-07-07 10:15 1,104 --a------ C:\vpwaf.dat
2007-07-05 20:38 <DIR> d-------- C:\VundoFix Backups
2007-07-05 20:33 <DIR> d-------- C:\!KillBox
2007-07-05 06:31 <DIR> d-------- C:\DOCUME~1\bdewald\APPLIC~1\TrojanHunter
2007-07-04 17:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-04 13:08 <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC28SP1-KB927779-x86-ENU$
2007-07-04 12:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-04 12:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-03 20:52 <DIR> d-------- C:\Program Files\Assassin
2007-07-01 09:09 76,560 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-07-01 08:58 <DIR> d-------- C:\DOCUME~1\bdewald\.housecall6.6
2007-06-21 22:35 <DIR> d-------- C:\Temp
2007-06-07 19:01 <DIR> d-a------ C:\WINNT\system32\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 02:33:44 -------- d---a-w C:\Program Files\NavNT
2007-07-08 05:01:22 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-04 16:05:19 -------- d-----w C:\Program Files\Savers
2007-07-04 15:54:47 -------- d-----w C:\Program Files\Symantec
2007-07-04 15:53:47 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-01 00:51:56 -------- d-----w C:\Program Files\microsoft frontpage
2007-06-24 03:41:36 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-24 02:54:58 66,285 ----a-w C:\WINNT\system32\nvModes.dat
2007-06-04 19:18:48 9,344 ----a-w C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w C:\WINNT\system32\drivers\AWRTPD.sys
2007-06-01 01:15:57 -------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-06-01 01:09:34 -------- d-----w C:\DOCUME~1\bdewald\APPLIC~1\AdobeUM
2007-05-12 15:32:02 -------- d-----w C:\Program Files\DOSBox-0.70
2007-05-12 15:25:36 -------- d-----w C:\Program Files\MAGIC
2007-05-12 02:22:20 29,475 ----a-w C:\WINNT\hpoins03.dat
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-17 02:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 12:44:08 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINNT\system32\lsdelete.exe
2000-07-26 12:00:00 94,784 --sh--w C:\WINNT\twain.dll
2000-07-26 12:00:00 44,816 --sh--w C:\WINNT\twain_32.dll
2003-06-19 19:05:04 1,015,859 --sh--w C:\WINNT\system32\mfc42.dll
2000-07-26 12:00:00 77,878 --sh--w C:\WINNT\system32\msvcirt.dll
2000-08-29 06:19:16 401,462 --sha-w C:\WINNT\system32\msvcp60.dll
2003-06-19 19:05:04 286,773 --sh--w C:\WINNT\system32\msvcrt.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
01/12/06 08:38p 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
05/31/05 01:04a 853672 --a------ D:\PROGRA~1\Spybot\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
06/14/07 06:32p 509592 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WLANSTA.EXE"="WLANSTA.exe" [03/12/02 05:23a C:\WINNT\system32\WLANSTA.exe]
"nwiz"="nwiz.exe" [06/24/03 07:32p C:\WINNT\system32\nwiz.exe]
"vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/01 07:59a]
"Drag'n'Drop_Autolaunch"="D:\Program Files\Iomega HotBurn\Autolaunch.exe" [11/19/01 02:39p]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/05 03:54p]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/17/05 12:11a]
"Synchronization Manager"="mobsync.exe" [06/19/03 03:05p C:\WINNT\system32\mobsync.exe]
"THGuard"="D:\Program Files\Trojan Hunter\THGuard.exe" [06/23/07 12:19a]
"COMODO Firewall Pro"="D:\Program Files\Comodo Firewall\Comodo\Firewall\CPF.exe" [07/07/07 09:59a]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [06/14/07 06:32p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINNT\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Dialer (OnStartup).lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Dialer (OnStartup).lnk
backup=C:\WINNT\pss\VPN Dialer (OnStartup).lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^bdewald.GOTHAM^Start Menu^Programs^Startup^Hewlett-Packard Recorder.lnk]
path=C:\Documents and Settings\bdewald.GOTHAM\Start Menu\Programs\Startup\Hewlett-Packard Recorder.lnk
backup=C:\WINNT\pss\Hewlett-Packard Recorder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 19:09:03
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 07/09/2007 19:09:44
C:\ComboFix-quarantined-files.txt ... 07/09/07 07:09p
C:\ComboFix2.txt ... 07/08/07 10:44p

--- E O F ---
karoath
Active Member
 
Posts: 8
Joined: July 5th, 2007, 9:02 pm

Unread postby Trogan » July 10th, 2007, 7:28 am

Hi karoath,

Your logs are clean now? Any more problems?

If not, then we can wrap this up in the next. :)
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby karoath » July 11th, 2007, 8:15 pm

Sounds great... this was a huge help! I would have never figured out how to get rid of those nasties. I just wish I knew where they came from. The only problem I am now seeing occurs when the computer is running, but I am logged off. I see the following error message pop up numerous times from the login screen.

sfupdate.exe - Application Error Instruction at 0x006f0064 reference memory 0x006f0064 . The memory could not be read.

I hope the text is verbatim... I tried a print screen from the login area, but it didn't seem to copy the image into memory. This doesn't appear to be a big issue since the computer seems to run fine (in fact much faster since the malware has been removed). Let me know if you've seen this before. Thanks again for the help!
karoath
Active Member
 
Posts: 8
Joined: July 5th, 2007, 9:02 pm

Unread postby Trogan » July 12th, 2007, 10:36 am

Hi karoath,

Glad to hear the computer is running much faster.

Regarding the error, I have never seen it before, and I cannot find much info regarding the sfupdate.exe file. I would like you to do a search for it:

Click Start > Search > All Files and Folders.
Expand More advanced options and make sure these boxes are checked
  • Search system folders
  • Search hidden files and folders
  • Search subfolders
Paste the following into the Search box at the top, and click Search

sfupdate.exe

If found, do 2 things please:
  1. Tell me all the locations found for the file e.g. C:\Windows\System32
  2. Right-click the file and select Properties. Go to the Version tab. Let me know what is listed, especially for the Company section.

Let me know what you find out. :)
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby karoath » July 13th, 2007, 9:42 pm

Sorry about the slow responses... I've been very busy lately. I could not find any instances of the file anywhere on my computer. I did a quick search on Yahoo and discovered numerous references to a game called StarForce. I am not familiar with the game, but the file may be somehow related. It looks like the error message will have to remain! Ah well, at least the system is clean and the error is not interfering with anything else. Once again, thanks for the help... you've made my computer much better! I certainly appreciate your time.
karoath
Active Member
 
Posts: 8
Joined: July 5th, 2007, 9:02 pm

Unread postby Trogan » July 14th, 2007, 8:47 am

You're welcome! :)

Let me know if we can archive this thread.

__________________________________

Here are some tips for a clean and secure computer.

For XP users.
It's a good idea to Flush your System Restore points after ridding yourself of malware. You can clean this by doing the following:

  • Click Start | Help and Support | Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close the Help and Support Center box.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.

Make your Internet Explorer more secure
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click on the Security tab
  3. Click the Internet icon so it becomes highlighted.
  4. Click on Default Level and click OK
  5. Click on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • Internet Explorer 7 users: Check all other items and make sure that they meet the (recommended) setting where it applies.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  6. Next press the Apply button and then the OK to exit the Internet Properties page.
Keep your Sun Java up to date

The most current version of Sun Java is: Java Runtime Environment Version 6.0
http://java.sun.com/javase/downloads/index.jsp

  • Scroll down to where it says Java Runtime Environment (JRE) 6.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
And in the future, remember to remove older versions of Java when you update to a newer version to avoid exploitation of older versions left on your system.

Free programs that may help you in keeping the PC clean

  • SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    You can download SpywareBlaster here
    A tutorial can be found here
  • SpywareGuard
    It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
    You can download SpywareGuard here
    A tutorial can be found here
  • IE-SPYAD
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
    You can download IE-SPYAD here
    A tutorial can be found here
  • Hosts File
    A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    A tutorial can be found here
    • MVPS Hosts File
      You can download the MVPS Hosts File here
      Furthermore the website contains useful tips and links to other resources and utilities.
    • Bluetack's Hosts File and Hosts Manager
      Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites...sites responsible for hijacks, rogue applications etc...
      Download Bluetack's Hosts file here
      Download Bluetack's HostsManager here
Free Spyware Detection and Removal Programs
  • Ad-Aware
    It scans for known spyware on your computer. These scans should be run at least once every two weeks.
    You can download Ad-Aware here
    A tutorial can be found here
  • Spybot - Search & Destroy
    It scans for spyware and other malicious programs. Spybot has preventive tools that stop programs from even installing on your computer.
    You can download Spybot - S&D here
    A tutorial can be found here
Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright Foistware.
You will find the list here

WinPatrol

WinPatrol uses a heuristic approach to detecting attacks and violations of your computing environment. Traditional security programs scan your hard drive searching for previously identified threats. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You'll be removing dangerous new programs while others download new reference files.

  • Detect & Neutralize Spyware.
  • Detect & Neutralize ADware.
  • Detect & Neutralize Viral infections.
  • Detect & Neutralize Unwanted IE Add-Ons.
  • Detect & Restore File Type Changes.
  • Automatically Filter Unwanted Cookies.
  • Avoid Start Page Hijacking.
  • Detect changes to HOSTS & critical system files.
  • Kill Multiple Tasks that replicate each other, in a single step!
  • Stop programs that repeatedly add themselves to your Startup List!
Starting with WinPatrol 9.5, PLUS users also get the addition of Real-time Infiltration Detection so they'll know immediately when changes are made to critical system areas. WinPatrol Free is not demo or trial software. You're welcome to use it as long as you like.
You can download WinPatrol here
WinPatrol FAQ

SiteHound by Firetrust

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
  • Fraudulent claims or scams
  • Offensive material
  • Security vulnerabilities
  • Spyware or Adware
  • Spam related material
  • or other content deemed to be unsafe

Specifically, SiteHound blocks these categories:

• Adult • Spyware • Spam Advertising • Phishing • Possible scam or fraud • Misleading or False Advertising
• Pharming • Rogue or Suspect Product • Adware • Malware or Virus

System Requirements:
Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP

Product Info & Download: SiteHound Toolbar

Use an AntiVirus Software

It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online and stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://forum.malwareremoval.com/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://forum.malwareremoval.com/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

Happy Surfing! :)
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
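The Internet Explorer settings in Trogan's post above are applied by hand through Custom Level, which makes them easy to get wrong or to lose when a later program or infection resets the zone. The script below is an added example, not code from the post or from any vendor tool: it compares a snapshot of the Internet zone against the post's recommended values and reports every setting that differs. The registry path (zone 3 is the Internet zone) and the four-digit value names are IE's own zone-policy identifiers; the function names, the two constructed snapshots and the "not set" wording are mine.

```python
"""Audit the Internet Explorer "Internet" zone settings that the post asks
the reader to change by hand under Tools > Options > Security > Custom Level.

Constructed example, not code from the forum post or from any vendor tool.
The registry path and the four-digit value names are IE's own zone-policy
identifiers (zone 3 = Internet); the recommended values are the post's list.
"""
import sys

# Per-user zone policies live here; zone 3 is the Internet zone.
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Policy data values IE uses for these settings.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Registry value name -> (Custom Level dialog label, value the post recommends).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit_zone(current):
    """Compare a {value_name: int} snapshot with RECOMMENDED.

    Returns one (value_name, label, current, recommended) tuple per setting
    that differs from the recommendation. A value missing from the key is
    reported as "not set", so the reader knows IE is using some other default
    rather than an explicit choice.
    """
    findings = []
    for name, (label, want) in RECOMMENDED.items():
        have = current.get(name)
        if have != want:
            findings.append((name, label, LABEL.get(have, "not set"), LABEL[want]))
    return findings


def read_internet_zone():
    """Read the live values from HKCU. Windows only; raises OSError elsewhere."""
    if sys.platform != "win32":
        raise OSError("IE zone settings are only readable on Windows")
    import winreg  # standard library on Windows builds of Python
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                data, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue  # value absent: reported as "not set" by audit_zone
            if kind == winreg.REG_DWORD:
                values[name] = data
    return values


# Constructed snapshots (not taken from any real machine). WEAK_SAMPLE has
# unsigned ActiveX, unsafe scripting, IFRAME launches and cross-domain
# sub-frames all Enabled; HARDENED_SAMPLE is what the post's steps produce.
WEAK_SAMPLE = {"1001": PROMPT, "1004": ENABLE, "1201": ENABLE,
               "1800": PROMPT, "1804": ENABLE, "1607": ENABLE}
HARDENED_SAMPLE = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE,
                   "1800": PROMPT, "1804": PROMPT, "1607": PROMPT}


def main():
    try:
        current, source = read_internet_zone(), "HKCU"
    except OSError:
        current, source = WEAK_SAMPLE, "constructed sample"
    findings = audit_zone(current)
    print(f"Internet zone ({source}): {len(findings)} setting(s) differ from the post's advice")
    for name, label, have, want in findings:
        print(f"  {name} {label}: is {have}, recommended {want}")


if __name__ == "__main__":
    main()
```

On a Windows box the script reads the live zone; anywhere else it falls back to the constructed weak snapshot so the report format can still be seen. Re-running it after software installs is a cheap way to notice when something has quietly relaxed the zone again.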
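The Hosts File section of the post explains that a blocklist HOSTS file works by pointing known ad and spyware names at 127.0.0.1, and the WinPatrol section notes that changes to HOSTS are worth alerting on. The following is an added example, not code from the post, the MVPS list or Bluetack: it parses a HOSTS file, counts the sinkholed names, flags any name that is instead redirected to some other address (the pattern a hijacked HOSTS file shows), and computes a fingerprint that changes only when a mapping changes, so two runs can be compared. The sample file, every domain in it (placeholders under the reserved .test TLD) and the function names are constructed for this example.

```python
"""Audit a blocklist-style HOSTS file of the kind the post recommends and
fingerprint it so that a later change (the event WinPatrol alerts on) can be
detected by comparing two hashes.

Constructed example, not code from the forum post, the MVPS list or Bluetack.
The sample file and every domain in it are made-up placeholders.
"""
import hashlib
import ipaddress

# Addresses blocklists use as a sinkhole: traffic to these names goes nowhere.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per hostname.

    A HOSTS line is "<address> <name> [<name> ...]"; '#' starts a comment
    anywhere on the line. Lines that do not begin with a valid address are
    skipped rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        entries.extend((ip, name.lower()) for name in names)
    return entries


def audit_hosts(text):
    """Summarise the file.

    blocked    - hostnames sinkholed to a SINKHOLES address (localhost excluded)
    redirects  - (hostname, ip) pairs pointing anywhere else; a blocklist has
                 none, while the classic hijack maps update servers or
                 security-vendor names to an address the attacker controls
    duplicates - hostnames that appear under more than one address
    """
    seen = {}
    blocked = 0
    redirects = []
    for ip, name in parse_hosts(text):
        seen.setdefault(name, set()).add(ip)
        if ip in SINKHOLES:
            if name != "localhost":
                blocked += 1
        else:
            redirects.append((name, ip))
    duplicates = sorted(n for n, ips in seen.items() if len(ips) > 1)
    return {"blocked": blocked, "redirects": redirects, "duplicates": duplicates}


def fingerprint(text):
    """SHA-256 over the normalised mappings. Comment or whitespace edits leave
    it unchanged; any added, removed or re-pointed name changes it. Record it
    right after installing a known-good file and compare on a schedule."""
    canon = "\n".join(f"{ip} {name}" for ip, name in sorted(parse_hosts(text)))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


# Constructed sample blocklist (placeholder names under the reserved .test TLD).
SAMPLE_GOOD = """\
# constructed sample, not a real blocklist
127.0.0.1 localhost
127.0.0.1 ads.example-tracker.test        # ad server
127.0.0.1 spy.example-spyware.test dl.example-spyware.test
0.0.0.0   pop.example-popup.test
"""

# The same file after an entry of the kind malware adds: a vendor's update
# host pointed at a foreign address (198.51.100.0/24 is a documentation range).
SAMPLE_HIJACKED = SAMPLE_GOOD + "198.51.100.7 update.example-antivirus.test\n"


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("hijacked", SAMPLE_HIJACKED)):
        print(label, audit_hosts(text), fingerprint(text)[:16])
```

On a real machine the text would come from %SystemRoot%\system32\drivers\etc\hosts; the fingerprint taken right after installing the MVPS or Bluetack file is the baseline, and any later mismatch plus a non-empty `redirects` list is the signal to look at what was added.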