Welcome to MalwareRemoval.com,

My HijackThis log file - Help!

Post by sastoker » July 21st, 2007, 3:38 pm

Hello,

Here is the Combofix log:


"Amber" - 2007-07-21 13:50:44 - ComboFix 07-07-17.8 - Service Pack 2 FAT32


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\WINDOWS\start.exe
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G2
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G4
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\win
C:\WINDOWS\wr.txt


((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))


2007-07-21 13:48 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 23:26 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-07-20 23:23 <DIR> d-------- C:\Program Files\MSBuild
2007-07-20 23:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2007-07-20 23:12 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-20 23:10 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2007-07-20 22:49 36,352 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2007-07-20 22:49 288,768 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2007-07-20 22:49 116,736 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2007-07-20 15:44 1,007 --a------ C:\WINDOWS\mozver.dat
2007-07-20 15:07 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-17 21:31 <DIR> d-------- C:\DOCUME~1\Amber\APPLIC~1\Comodo
2007-07-17 21:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-07-17 21:28 <DIR> d-------- C:\Program Files\Comodo
2007-07-14 15:07 81,984 --a------ C:\WINDOWS\SYSTEM32\bdod.bin
2007-07-14 12:35 <DIR> d-------- C:\DOCUME~1\Amber\.housecall6.6
2007-07-14 12:12 <DIR> d-------- C:\DOCUME~1\Amber\APPLIC~1\TrojanHunter
2007-07-14 11:16 <DIR> d-------- C:\Program Files\TrojanHunter 4.7
2007-07-14 08:08 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-14 08:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-14 08:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-13 09:27 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-07-12 10:25 <DIR> d--hs---- C:\FOUND.000
2007-07-10 20:48 <DIR> d-------- C:\qrnt
2007-07-03 09:42 22,016 --a------ C:\WINDOWS\b138.exe
2007-06-27 21:48 1,835,008 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-06-26 20:25 1,844,173 ---hs---- C:\WINDOWS\SYSTEM32\jmppo.bak2
2007-06-25 20:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-25 18:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\backuped
2007-06-25 18:58 <DIR> d-------- C:\Program Files\True Sword 4
2007-06-25 18:58 <DIR> d-------- C:\DOCUME~1\Amber\APPLIC~1\True Sword
2007-06-25 18:43 6,369 ---hs---- C:\WINDOWS\SYSTEM32\jmppo.bak1
2007-06-24 19:43 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-24 17:04 <DIR> d-------- C:\DOCUME~1\Amber\APPLIC~1\System Tweaker
2007-06-24 15:14 <DIR> d-------- C:\Program Files\Uniblue
2007-06-24 15:14 <DIR> d-------- C:\DOCUME~1\Amber\APPLIC~1\Uniblue


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-21 15:22:40 2,180 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-07-19 01:48:04 8,224 ----a-w C:\DOCUME~1\Amber\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-10 00:27:20 630,200 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-07-10 00:27:18 108,392 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-02-01 01:19:34 27,671 ----a-w C:\Program Files\VCE_MSTI_uninstal.log
2000-10-13 21:56:50 271 --sh--w C:\Program Files\desktop.ini
2000-10-13 21:56:50 23,357 ---h--w C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-09-29 12:53 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2003-03-31 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"@"="" []
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-04-03 21:27]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-04-03 21:27]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2006-07-21 10:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-17 21:28]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Logitech Utility"="Logi_MwX.Exe" [2004-03-03 10:50 C:\WINDOWS\LOGI_MWX.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"=rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters
"RunNarrator"=Narrator.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"RxMon"=C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
"MadExe"=C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
"LTWinModem1"=ltmsg.exe 9
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"UpdReg"=C:\WINDOWS\Updreg.exe
"LoadQM"=loadqm.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"Internat Conf"=\bootconf.exe
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"nwiz"=nwiz.exe /install
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"Trickler"="c:\windows\temp\trickler_4010.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cfcf610-8224-11d9-9797-000c412668a2}]
AutoRun\command- F:\JDSecure\Windows\JDSecure20.exe


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA
rundll rnasetup.dll,installoptionalcomponent rna

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}
RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

Contents of the 'Scheduled Tasks' folder
2007-06-07 00:00:02 C:\WINDOWS\tasks\Tune-up Application Start.job
2007-07-21 16:02:04 C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
2007-07-17 02:40:04 C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job
2007-06-27 02:27:36 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job
2007-07-17 02:31:18 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
2007-07-12 02:02:42 C:\WINDOWS\tasks\Uniblue SpyEraser.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-21 13:57:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software
disk error: C:\Documents and Settings\AMBER\ntuser.dat
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-21 13:59:48
C:\ComboFix-quarantined-files.txt ... 2007-07-21 13:59

--- E O F ---

And here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:40:03 PM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Backup995\res\ntservice.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Amber\Desktop\dumb.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccom ... gctlcm.jsp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/pl ... axctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program Files\Backup995\res\ntservice.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Thanks!
sastoker
Active Member
 
Posts: 12
Joined: July 14th, 2007, 12:10 am
Location: TX

Post by sastoker » July 22nd, 2007, 9:53 am

Hello,

I ran two scans overnight:

The first was Uniblue's Spyeraser, here is the log:

Start Date:July 21, 2007 at 10:54:32PM

End Date:July 22, 2007 at 12:09:21AM

Total Time:134 Mins 49 Secs
Detected Infections

Adware.Chiem.b
Details: Adware programs secretly embed themselves on the victim’s computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:No Action taken
Adware-Adware



Infected registry keys/values detected
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\qksrv.net\\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\linksynergy.com\\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\fastclick.net\\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\commission-junction.com\\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\bfast.com\\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\fastclick.com\\

Trojan-spy.BZub.hv
Details: A Trojan Spy is a program that sits on the user’s PC in silence and logs keystrokes and other confidential information. This program traces down all the activities of the user, saves information on the hard disk and forwards it to the author. It is also capable of capturing system screen shots and is commonly used to embezzle banking and other financial information in order to encourage online fraud. As program permits the unauthorized collection, distortion, or obliteration of data, it can leave the system more vulnerable and cause damage to user’s data. It can also pose security and privacy threats to one’s system, needless to mention the damage it can cause to the important data and installed programs.
Status:No Action taken
Trojan-spy-Trojan-spy



Infected registry keys/values detected
hkey_local_machine\software\microsoft\windows\currentversion\control panel\load\\

Adware.BHO.t
Details: Adware programs secretly embed themselves on the victim’s computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:No Action taken
Adware-Adware



Infected registry keys/values detected
hkey_users\.default\software\microsoft\internet explorer\main\check_associations\

Bingofun
Details: An Adware Program displays ads on users PC, these ads can be in various forms including pop-ups, pop-unders, banners etc. These programs may track users browsing activities, change browsers homepage settings and may hijack search results.
Status:No Action taken
Adware-Adware



Infected files detected
c:\windows\system32\macromed\shockwave 8\xtras\animated gif asset.x32

Trojan-Downloader.Cryptic.gk
Details: A Trojan Downloader is a program that is usually installed through an exploit or some other erroneous channels. The key objective of this program is to download malevolent code or other malwares and unwanted softwares on the user’s system. Downloaders can also be written in script languages such as VB Script and Java Script. These programs often make use of Microsoft Internet Explorer vulnerabilities. A Trojan downloader, when executed, normally installs itself on to the system and waits for the user to connect to the Internet. Once the internet connection is available, it endeavors to connect to a web or ftp site, download specific file or files and run them. These downloaded files may harm the system and result in malfunctioning of the system.
Status:No Action taken
Trojan-Downloader-Trojan-Downloader



Infected files detected
c:\windows\$hf_mig$\kb918899\sp2qfe\urlmon.dll
c:\windows\ie7\urlmon.dll
c:\windows\ie7\urlmon.dll.000

Trojan-Downloader.Mediket.ch
Details: A Trojan Downloader is a program that is usually installed through an exploit or some other erroneous channels. The key objective of this program is to download malevolent code or other malwares and unwanted softwares on the user’s system. Downloaders can also be written in script languages such as VB Script and Java Script. These programs often make use of Microsoft Internet Explorer vulnerabilities. A Trojan downloader, when executed, normally installs itself on to the system and waits for the user to connect to the Internet. Once the internet connection is available, it endeavors to connect to a web or ftp site, download specific file or files and run them. These downloaded files may harm the system and result in malfunctioning of the system.
Status:No Action taken
Trojan-Downloader-Trojan-Downloader



Infected files detected
c:\windows\$hf_mig$\kb918899\sp2qfe\mshtml.dll
c:\windows\ie7\mshtml.dll
c:\windows\ie7\mshtml.dll.000

DigitalNames
Details: A Trojan is a destructive program that is often disguised as a useful application; which can be downloaded from the internet, can be installed through an exploit or can be sent through an email, for example "xyz.zip" would actually be "xyz.zip.exe" so as soon as the user tries to open "xyz.zip", the trojan would execute and infect the system. Depending on the type, these programs may create various security and stability related issues on the system. They may change or disable various applications.
Status:No Action taken
Browser Plug-In-Browser Plug-In



Infected files detected
c:\program files\installshield installation information\{c3abe126-2bb2-4246-bfe1-6797679b3579}\_setup.dll

ClickSpring.Oinadserver
Details: ClickSpring.Oinadserver is a browser plug-in that attaches a toolbar to the Internet Explorer browser. This adware application has a search function that facilitates to find out information about the keywords entered by the user. This application hijacks the browser settings and displays numerous pop-up advertisements on the computer based on the keywords entered by the user in order to promote third party advertising. It connects to the Internet, slows down the surfing speed and modifies the browser settings.
Status:No Action taken
Browser Plugin-Browser Plugin



Infected files detected
c:\system volume information\_restore{6db85663-c6fb-417e-8fc8-64d9bb299be9}\rp1042\a0239102.ico

Adware.AlexaBar.b
Details: Adware programs secretly embed themselves on the victim’s computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:No Action taken
Adware-Adware



Infected files detected
c:\system volume information\_restore{6db85663-c6fb-417e-8fc8-64d9bb299be9}\rp1049\a0240580.dll
c:\system volume information\_restore{6db85663-c6fb-417e-8fc8-64d9bb299be9}\rp1049\a0240582.dll


Should I have the program delete these entries? (I haven't done anything yet)


Here is a CA anti-virus log:

Started scanning at 7/22/2007 12:00:11 AM. Engine Ver: 30.8.1. Sig Ver:3797. Sig Date: 7/20/2007.
C:\WINDOWS\SYSTEM32\config\system.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\software.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\default.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\SECURITY - scan failed.
C:\WINDOWS\SYSTEM32\config\SAM - scan failed.
C:\WINDOWS\SYSTEM32\config\SAM.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\SYSTEM - scan failed.
C:\WINDOWS\SYSTEM32\config\SOFTWARE - scan failed.
C:\WINDOWS\SYSTEM32\config\DEFAULT - scan failed.
C:\WINDOWS\SoftwareDistribution\EventCache\{329B0B8D-9980-49B1-B7A8-6E1C13A767A5}.bin - scan failed.
C:\Documents and Settings\NetworkService\ntuser.dat - scan failed.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - scan failed.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - scan failed.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - scan failed.
C:\Documents and Settings\LocalService\ntuser.dat - scan failed.
C:\Documents and Settings\LocalService\ntuser.dat.LOG - scan failed.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - scan failed.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - scan failed.
C:\Documents and Settings\Amber\ntuser.dat - scan failed.
C:\Documents and Settings\Amber\ntuser.dat.LOG - scan failed.
C:\Documents and Settings\Amber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - scan failed.
C:\Documents and Settings\Amber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - scan failed.
Finished scanning at 7/22/2007 1:15:41 AM.

Thanks!
sastoker
Active Member
 
Posts: 12
Joined: July 14th, 2007, 12:10 am
Location: TX

Post by ndmmxiaomayi » July 23rd, 2007, 7:23 am

Hi sastoker,


Step 1

Please download ERUNT from Aumha and follow Step 4 of this site to back up your registry.

After backing up your registry, please copy and paste the following in the Code box into Notepad:

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Trickler"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""


Click on File > Save As....

In the File Name box, copy and paste in fix.reg
In the Save as type box, select All Files from the drop-down list.

Click Save.

Double click on fix.reg. It will prompt you about merging. Click Yes.

Step 2

Please delete all files in this folder. Do not delete the whole folder.

C:\Windows\Temp

Step 3

Please download this Norton removal tool to remove the leftovers of Norton product.

Step 4

Please open HijackThis and select Do a system scan only.

Put a check (tick) next to these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank


Click Fix checked. Close HijackThis.

Step 5

Please re-run Combofix and post that log in your next reply.

As for the CA antivirus log, those files failed scanning because they are currently in use and Windows doesn't like them to be touched. They are safe, no worries. :)

The Spyeraser log is mostly fine. All the files detected are safe. Please read this review about Spyeraser. You may wish to remove it.

In your next reply, please post:

  1. The Combofix log
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
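Added example, not code from the thread or from the helper: a small Python triage script that applies the same three checks the fix in the post above makes (a populated AppInit_DLLs, autorun values that are empty or launch from a Temp folder, and IE search settings reset to about:blank) to log lines in the ComboFix and HijackThis formats, then emits a REGEDIT4 fragment in the shape of the one posted. The sample input is constructed to mirror the logs in this thread, and the rules are heuristics for a human reviewer, not a verdict.

```python
"""Heuristic triage for autorun lines in ComboFix / HijackThis logs (added example)."""
import re

# Constructed sample input mirroring the shape of the logs posted in this thread;
# this is not a live registry read.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2003-03-31 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"@"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"Trickler"="c:\windows\temp\trickler_4010.exe"
"""

SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
"""

VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
AUTORUN_LEAVES = {"run", "runonce", "runonceex", "disabledrunkeys"}


def _data(raw: str) -> str:
    """Strip ComboFix's trailing '[timestamp path]' or command-line args from value data."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split(" [", 1)[0].strip()


def parse_combofix_reg(text: str) -> list:
    """Return (key, value_name, data) triples from a 'Reg Loading Points' block."""
    out, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            out.append((key, m.group(1), _data(m.group(2))))
    return out


def triage_combofix(text: str) -> list:
    """Apply the three checks the posted fix makes; 'fix' is 'clear' or 'delete'."""
    findings = []
    for key, name, data in parse_combofix_reg(text):
        leaf = key.lower().rsplit("\\", 1)[-1]
        if leaf == "windows" and name.lower() == "appinit_dlls" and data:
            # Any DLL named here is mapped into every process that loads user32.dll.
            findings.append(dict(key=key, name=name, data=data, fix="clear",
                                 why="AppInit_DLLs is populated"))
        elif leaf in AUTORUN_LEAVES and not data:
            findings.append(dict(key=key, name=name, data=data, fix="delete",
                                 why="autorun value carries no command"))
        elif leaf in AUTORUN_LEAVES and "\\temp\\" in data.lower():
            findings.append(dict(key=key, name=name, data=data, fix="delete",
                                 why="autorun launches a binary from a Temp folder"))
    return findings


def triage_hjt(text: str) -> list:
    """Flag R0/R1 search settings reset to about:blank (the lines ticked in HijackThis above)."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line[:2] in ("R0", "R1") and " = " in line:
            setting, _, value = line.partition(" = ")
            if "search" in setting.lower() and value.strip().lower() == "about:blank":
                hits.append(line)
    return hits


def reg_fix(findings: list) -> str:
    """Build a REGEDIT4 fragment like the posted one: '=-' deletes a value, '=""' empties it.
    The quoted "@" names a value literally called @, as in the posted fix; an unquoted @
    would address the key's default value instead."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f["key"], []).append(f)
    parts = ["REGEDIT4", ""]
    for key, items in by_key.items():
        parts.append(f"[{key}]")
        for f in items:
            parts.append(f'"{f["name"]}"=' + ('""' if f["fix"] == "clear" else "-"))
        parts.append("")
    return "\n".join(parts)


if __name__ == "__main__":
    found = triage_combofix(SAMPLE_COMBOFIX)
    for f in found:
        print(f'{f["key"]} :: "{f["name"]}" -> {f["why"]} ({f["fix"]})')
    for line in triage_hjt(SAMPLE_HJT):
        print("HJT search hijack residue:", line)
    print(reg_fix(found))
```

Run against the constructed sample it reports the same three registry values the helper's fix targets and both about:blank search lines, and the emitted fragment can be compared line by line with the fix.reg text above.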

Post by sastoker » July 24th, 2007, 12:38 am

Hello,

Step 1 - Complete

Step 2 - Complete

Step 3 - Complete

Step 4 - Complete

Step 5 - see log below:


"Amber" - 2007-07-23 23:18:21 - ComboFix 07-07-17.8 - Service Pack 2 FAT32


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-21 13:48 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 23:26 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-07-20 23:23 <DIR> d-------- C:\Program Files\MSBuild
2007-07-20 23:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2007-07-20 23:12 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-20 23:10 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2007-07-20 22:49 36,352 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2007-07-20 22:49 288,768 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2007-07-20 22:49 116,736 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2007-07-20 15:44 1,007 --a------ C:\WINDOWS\mozver.dat
2007-07-20 15:07 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-17 21:31 <DIR> d-------- C:\DOCUME~1\Amber\APPLIC~1\Comodo
2007-07-17 21:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-07-17 21:28 <DIR> d-------- C:\Program Files\Comodo
2007-07-14 15:07 81,984 --a------ C:\WINDOWS\SYSTEM32\bdod.bin
2007-07-14 12:35 <DIR> d-------- C:\DOCUME~1\Amber\.housecall6.6
2007-07-14 12:12 <DIR> d-------- C:\DOCUME~1\Amber\APPLIC~1\TrojanHunter
2007-07-14 11:16 <DIR> d-------- C:\Program Files\TrojanHunter 4.7
2007-07-14 08:08 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-14 08:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-14 08:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-13 09:27 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-07-12 10:25 <DIR> d--hs---- C:\FOUND.000
2007-07-10 20:48 <DIR> d-------- C:\qrnt
2007-07-03 09:42 22,016 --a------ C:\WINDOWS\b138.exe
2007-06-27 21:48 1,835,008 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-06-26 20:25 1,844,173 ---hs---- C:\WINDOWS\SYSTEM32\jmppo.bak2
2007-06-25 20:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-25 18:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\backuped
2007-06-25 18:58 <DIR> d-------- C:\Program Files\True Sword 4
2007-06-25 18:58 <DIR> d-------- C:\DOCUME~1\Amber\APPLIC~1\True Sword
2007-06-25 18:43 6,369 ---hs---- C:\WINDOWS\SYSTEM32\jmppo.bak1
2007-06-24 19:43 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-24 17:04 <DIR> d-------- C:\DOCUME~1\Amber\APPLIC~1\System Tweaker
2007-06-24 15:14 <DIR> d-------- C:\Program Files\Uniblue
2007-06-24 15:14 <DIR> d-------- C:\DOCUME~1\Amber\APPLIC~1\Uniblue


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 15:45:14 879,832 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-07-23 15:45:14 108,360 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-07-21 15:22:40 2,180 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-07-19 01:48:04 8,224 ----a-w C:\DOCUME~1\Amber\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-02-01 01:19:34 27,671 ----a-w C:\Program Files\VCE_MSTI_uninstal.log
2000-10-13 21:56:50 271 --sh--w C:\Program Files\desktop.ini
2000-10-13 21:56:50 23,357 ---h--w C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-09-29 12:53 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2003-03-31 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"@"="" []
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-04-03 21:27]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-04-03 21:27]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2006-07-21 10:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-17 21:28]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Logitech Utility"="Logi_MwX.Exe" [2004-03-03 10:50 C:\WINDOWS\LOGI_MWX.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"=rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters
"RunNarrator"=Narrator.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"RxMon"=C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
"MadExe"=C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
"LTWinModem1"=ltmsg.exe 9
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"UpdReg"=C:\WINDOWS\Updreg.exe
"LoadQM"=loadqm.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"Internat Conf"=\bootconf.exe
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"nwiz"=nwiz.exe /install
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cfcf610-8224-11d9-9797-000c412668a2}]
AutoRun\command- F:\JDSecure\Windows\JDSecure20.exe


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA
rundll rnasetup.dll,installoptionalcomponent rna

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}
RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

Contents of the 'Scheduled Tasks' folder
2007-06-07 00:00:02 C:\WINDOWS\tasks\Tune-up Application Start.job
2007-07-24 04:24:14 C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
2007-07-17 02:40:04 C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job
2007-06-27 02:27:36 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job
2007-07-17 02:31:18 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
2007-07-12 02:02:42 C:\WINDOWS\tasks\Uniblue SpyEraser.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 23:24:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software
disk error: C:\Documents and Settings\AMBER\ntuser.dat
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-23 23:27:31
C:\ComboFix2.txt ... 2007-07-21 13:59
C:\ComboFix-quarantined-files.txt ... 2007-07-23 23:27

--- E O F ---


A new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:37:06 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Backup995\res\ntservice.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Documents and Settings\Amber\Desktop\dumb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccom ... gctlcm.jsp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/pl ... axctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program Files\Backup995\res\ntservice.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

I also got rid of the Uniblue SpyEraser program. Thanks for the advice.

Thanks!
sastoker
Active Member
Posts: 12
Joined: July 14th, 2007, 12:10 am
Location: TX

Unread postby sastoker » July 24th, 2007, 7:52 am

Hello again,

I was able to run the Kaspersky scan. (It appears that IE and my system overall are running much better after the fixes from the last post.)

So here is the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 24, 2007 5:44:57 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 24/07/2007
Kaspersky Anti-Virus database records: 367030
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
Z:\

Scan Statistics:
Total number of scanned objects: 101798
Number of viruses found: 5
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 02:15:17

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Program Files\2Wire\sst\VNC\MotVNC.exe/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Program Files\2Wire\sst\VNC\MotVNC.exe/WISE0009.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Program Files\2Wire\sst\VNC\MotVNC.exe WiseSFX: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq18.tmp\opnste.dll Infected: Trojan-Clicker.Win32.VB.br skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Amber\ntuser.dat Object is locked skipped
C:\Documents and Settings\Amber\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\Temp\~DF5A27.tmp Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\Temp\Perflib_Perfdata_eb0.dat Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Amber\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Amber\.housecall6.6\Quarantine\jkkki.dll.bac_a03856 Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\Documents and Settings\Amber\.housecall6.6\Quarantine\A0244022.exe.bac_a03856 Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1042\A0239106.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1042\A0239106.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1076\change.log Object is locked skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1049\A0240686.exe/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1049\A0240686.exe/WISE0009.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1049\A0240686.exe WiseSFX: infected - 2 skipped
Z:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
sastoker
Active Member
Posts: 12
Joined: July 14th, 2007, 12:10 am
Location: TX

Unread postby ndmmxiaomayi » July 24th, 2007, 8:42 am

Hi sastoker,

Please delete these files.

C:\WINDOWS\b138.exe
C:\WINDOWS\SYSTEM32\jmppo.bak2
C:\WINDOWS\SYSTEM32\jmppo.bak1

Please delete all files in these folders. Do not delete the whole folder.

C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine
C:\Documents and Settings\Amber\.housecall6.6\Quarantine

Do you still have any other problems?
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am
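The way the helper reads these reports (locked, in-use system files are noise; hits inside another scanner's quarantine folder or a System Restore point are inactive copies; Kaspersky's not-a-virus: prefix marks riskware rather than malware, such as the VNC component shipped with the 2Wire software) can be written down as a small triage script. This is an added example, not code from the thread or from any Kaspersky tool; the sample lines are copied from the reports above except for the one marked constructed, whose example-live.exe path and Constructed.Sample.Name label are placeholders.

```python
import re
from collections import defaultdict

# One Kaspersky Online Scanner report line takes one of three shapes:
#   "<path> Object is locked skipped"
#   "<path> Infected: <detection name> skipped"
#   "<path> <ArchiveType>: infected - <n> skipped"   (summary for a container)
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked skipped)"
    r"|Infected: (?P<name>\S+) skipped"
    r"|(?P<container>\w+): infected - (?P<count>\d+) skipped"
    r")$"
)

# Constructed sample input: lines copied from the reports in this thread, plus one
# constructed line (example-live.exe / Constructed.Sample.Name) standing in for a
# detection that sits outside any quarantine or restore-point folder.
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\Documents and Settings\Amber\ntuser.dat Object is locked skipped
C:\Program Files\2Wire\sst\VNC\MotVNC.exe/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Documents and Settings\Amber\.housecall6.6\Quarantine\jkkki.dll.bac_a03856 Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1042\A0239106.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1042\A0239106.exe NSIS: infected - 1 skipped
C:\WINDOWS\example-live.exe Infected: Constructed.Sample.Name skipped
"""


def classify(path, name):
    """Bucket a detection by where it lives and what kind of object it is."""
    p = path.lower()
    if "\\quarantine\\" in p:
        # Already neutralised by another scanner; empty that folder, nothing to disinfect.
        return "QUARANTINED"
    if "\\system volume information\\_restore" in p:
        # Copy held in a System Restore point; not running, not on the live system.
        return "RESTORE_POINT"
    if name.startswith("not-a-virus:"):
        # Kaspersky's riskware/adware prefix: legitimate-but-risky tools, review by hand.
        return "RISKWARE"
    # Anything else is a live detection that needs action.
    return "ACTIVE"


def triage(report):
    """Parse a report and return {bucket: [(path, detail), ...]}."""
    buckets = defaultdict(list)
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            buckets["UNPARSED"].append((line, ""))
            continue
        path = m.group("path")
        if m.group("locked"):
            # In-use system hives, logs and index files: the scanner could not open them.
            buckets["LOCKED"].append((path, "in use"))
        elif m.group("container"):
            # Archive summary; its members were already listed on their own lines.
            detail = f"{m.group('container')} with {m.group('count')} infected member(s)"
            buckets["CONTAINER"].append((path, detail))
        else:
            buckets[classify(path, m.group("name"))].append((path, m.group("name")))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"== {bucket} ({len(items)})")
        for path, detail in items:
            print(f"   {path}  [{detail}]")
```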

Unread postby sastoker » July 25th, 2007, 10:05 pm

Hello,

I've deleted the folders/files as instructed.

I don't notice any other problems. I appreciate all of your help; it has been invaluable.

Just for one last check here is my recent Kaspersky log (since the file/folder deletions):


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 25, 2007 5:40:39 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 25/07/2007
Kaspersky Anti-Virus database records: 367430
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
Z:\

Scan Statistics:
Total number of scanned objects: 103254
Number of viruses found: 3
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 02:12:10

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Program Files\2Wire\sst\VNC\MotVNC.exe/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Program Files\2Wire\sst\VNC\MotVNC.exe/WISE0009.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Program Files\2Wire\sst\VNC\MotVNC.exe WiseSFX: infected - 2 skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Amber\ntuser.dat Object is locked skipped
C:\Documents and Settings\Amber\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\Temp\~DF2C11.tmp Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\Temp\Perflib_Perfdata_32c.dat Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\History\History.IE5\MSHist012007072420070725\index.dat Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Amber\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Amber\Cookies\index.dat Object is locked skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1042\A0239106.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1042\A0239106.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1076\A0249926.dll Infected: Trojan-Clicker.Win32.VB.br skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1076\change.log Object is locked skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1049\A0240686.exe/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1049\A0240686.exe/WISE0009.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1049\A0240686.exe WiseSFX: infected - 2 skipped
Z:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


Here is my latest CA antivirus log:



Started scanning at 7/25/2007 2:00:03 AM. Engine Ver: 31.1.0. Sig Ver:5003. Sig Date: 7/24/2007.
C:\WINDOWS\SYSTEM32\config\system.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\software.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\default.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\SECURITY - scan failed.
C:\WINDOWS\SYSTEM32\config\SAM - scan failed.
C:\WINDOWS\SYSTEM32\config\SAM.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\SYSTEM - scan failed.
C:\WINDOWS\SYSTEM32\config\SOFTWARE - scan failed.
C:\WINDOWS\SYSTEM32\config\DEFAULT - scan failed.
C:\Documents and Settings\NetworkService\ntuser.dat - scan failed.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - scan failed.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - scan failed.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - scan failed.
C:\Documents and Settings\LocalService\ntuser.dat - scan failed.
C:\Documents and Settings\LocalService\ntuser.dat.LOG - scan failed.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - scan failed.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - scan failed.
C:\Documents and Settings\Amber\ntuser.dat - scan failed.
C:\Documents and Settings\Amber\ntuser.dat.LOG - scan failed.
C:\Documents and Settings\Amber\Local Settings\Temp\Perflib_Perfdata_32c.dat - scan failed.
C:\Documents and Settings\Amber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - scan failed.
C:\Documents and Settings\Amber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - scan failed.
Finished scanning at 7/25/2007 3:06:47 AM.


And here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 9:08:06 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Backup995\res\ntservice.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Amber\Desktop\dumb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccom ... gctlcm.jsp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/pl ... axctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program Files\Backup995\res\ntservice.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Thanks!
sastoker
Active Member
 
Posts: 12
Joined: July 14th, 2007, 12:10 am
Location: TX

Unread postby ndmmxiaomayi » July 26th, 2007, 5:16 am

Hi sastoker,

Do you use VNC to remotely control your computers on your home network? Or do you have a 2Wire router/modem which comes with a VNC software?

They are being picked up by the Kaspersky scan. As VNC is able to remotely control a computer, it needs to be used with care.

If the answer to both questions is no, please remove this folder.

C:\Program Files\2Wire

Other than that, you are clean. :D

Please delete these files and folders as you no longer need them.

VundoFix.exe (on your desktop)
C:\VundoFix.txt
ComboFix.exe (on your desktop)
C:\Qoofix

Here are some tips to prevent a re-infection. :)

Hide system files

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Do not show hidden files and folders.
  6. Check (tick) Hide extensions of known file types.
  7. Check (tick) Hide protected operating system files (Recommended).
  8. Click OK.
  9. Close My Computer.

Flush the system restore points

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Check (tick) Turn off system restore on all drives box.
  4. Click OK.
  5. Restart your computer.
After restarting your computer, follow these steps:

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Uncheck (untick) Turn off system restore on all drives box.
  4. Click OK.
  5. Restart your computer.
Note: Do this only ONCE, don't flush it regularly.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update
Office Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Java is another program that updates regularly to fix bug issues and loopholes in it. Here are the instructions for updating Java:

  1. Click here to visit Java's website.
  2. Scroll down to Java Runtime Environment (JRE). Click on Download.
  3. Select Accept License Agreement. The page will refresh.
  4. Click on Windows Offline Installation, Multi-language and save it to a convenient location.
  5. Run this installation to update your Java.
Remember to remove all previous versions of Java when you update it to a new version to prevent exploitation of the older versions left on your system.

Besides Windows and Java that need regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

  1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  2. Never open emails from unknown senders.
  3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Stop malicious scripts

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Make your Internet Explorer safer

For Internet Explorer 7

Please read this article to configure Internet Explorer 7 properly.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Spyware Blaster
    SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

    You can download SpywareBlaster from Javacool.

    If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.
  2. SpywareGuard
    Just as an antivirus program scans a file for viruses before opening it, SpywareGuard does the same thing, except that it scans it for spyware.

    You can download SpywareGuard from Javacool.

    If you need help in using SpywareGuard, you can read SpywareGuard's tutorial at Bleeping Computer.
  3. IE-SPYAD
    IE-SPYAD adds over 5000 sites to your Internet Explorer restricted zone so that you will be protected if the website turns out to be a bad one. Sites that are in the restricted zone of Internet Explorer can't have any scripts run, downloads or cookies. However, you can still connect to these sites.

    You can download IE-SPYAD from Spyware Warrior. Be sure to read the whole website carefully for instructions on usage of IE-SPYAD.

    A tutorial for IE-SPYAD can be found at Bleeping Computer.
  4. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    A replacement Hosts file replaces your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Castlecops.
  5. Lavasoft Ad-Aware
    Ad-Aware is an anti-spyware program. Like your antivirus program, please run an Ad-Aware scan at least once per week.

    Ad-Aware can be downloaded from here.

    If you need help in using Ad-Aware, you can read Ad-Aware's tutorial at Bleeping Computer.
  6. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning for spyware and adware. Not only so, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.
  7. a-squared Free
    a-squared Free is also another program for scanning for spyware and adware. It doesn't have preventive features like Spybot Search & Destroy though.

    You can download a-squared Free from here.
  8. CounterSpy
    CounterSpy is pretty much like Spybot Search & Destroy, but it isn't free.
    You can try CounterSpy for 15 days.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs. This will save you from a lot of trouble. If in doubt, don't ever download it.
  9. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.
  10. Winpatrol
    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.


Use an alternative Internet Browser

Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead.

Firefox
Opera
K-Meleon

Use an alternative email client

If you are using Outlook Express as your default email client, try using Thunderbird or Pegasus Mail instead.

Here are some more things to read about:

List of clean and infected download managers
Configuring Skype
Greater email safety
Phishing - what is it?
Configuring Outlook Express
The Unofficial Cookie FAQ
Securing your home wireless network
80 Super Security Tips
The different classes of security software
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
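
The reply above reaches "you are clean" by reading the HijackThis log by hand. As an added example (my own code, not a HijackThis or MalwareRemoval.com tool), here is a small Python 3 triage script that applies the checks a reader of such a log makes first: entries whose target is "(file missing)", O23 services with "Unknown owner", O4 Run values that name a bare executable (resolved through the Windows search path rather than an explicit location), and executables living under a profile folder the user can write to. The heuristics and flag names are my choices; the sample lines are copied from sastoker's log above. A flag means "look at this", not "malware": on this log the helper judged all of these benign (the Desktop executable, for instance, is the renamed scanning tool).

```python
"""Triage heuristics for a HijackThis-style log (added example, not HJT code).

Flags raised:
  file-missing        an autostart or service entry whose target no longer exists
  unknown-owner       an O23 service with no publisher string
  unqualified-path    an O4 Run value naming a bare executable, which Windows
                      resolves through the search path instead of a fixed location
  user-writable-path  an executable under a profile folder any program running as
                      the user can write to (Desktop, Temp, Application Data, ...)
A flag marks something to check by hand, not a verdict.
"""
import re

SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<entry>[^\]]+)\] (?P<cmd>.+)$")
USER_WRITABLE_RE = re.compile(
    r"\\(Desktop|Temp|Application Data|Local Settings|My Documents)\\", re.IGNORECASE)


def executable_of(cmd):
    """Return the program part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage_line(line):
    """Return the list of flags raised by one log line (empty if none)."""
    line = line.rstrip()
    flags = []
    if "(file missing)" in line:
        flags.append("file-missing")
    service = SERVICE_RE.match(line)
    if service and service.group("owner") == "Unknown owner":
        flags.append("unknown-owner")
    run = RUN_RE.match(line)
    if run and "\\" not in executable_of(run.group("cmd")):
        flags.append("unqualified-path")
    if USER_WRITABLE_RE.search(line):
        flags.append("user-writable-path")
    return flags


def triage(log_text):
    """Return [(line, flags)] for every line that raised at least one flag."""
    results = []
    for line in log_text.splitlines():
        flags = triage_line(line)
        if flags:
            results.append((line.rstrip(), flags))
    return results


# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\Amber\Desktop\dumb.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program Files\Backup995\res\ntservice.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

if __name__ == "__main__":
    for line, flags in triage(SAMPLE_LOG):
        print(", ".join(flags).ljust(30), line)
```

Run against the sample it flags six of the eight lines; the two fully qualified, signed-vendor entries (COMODO) pass untouched. The "unqualified-path" case is worth understanding: a Run value such as `SysTray.Exe` is whatever file by that name Windows finds first, so a same-named file dropped in a directory earlier on the search path would be what starts at logon.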

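The "Hosts File" tip in the reply above explains the mechanism (bad names mapped to 127.0.0.1) but not its flip side: the same file is a favourite target of malware, which either points a legitimate name at an attacker's address or sink-holes antivirus and update servers so the machine can no longer update. As an added example (my own Python 3, not code from MVPS, Bluetack or hpHosts), this script parses a hosts file and labels each mapping, so a blocklist you have just installed, or a hosts file you suspect has been tampered with, can be checked in one pass. The PROTECTED_DOMAINS list is hypothetical for the example, 0.0.0.0 is accepted as a sink-hole alongside 127.0.0.1 because many blocklists use it, and SAMPLE_HOSTS is a constructed file, not one of the published lists.

```python
"""Audit a Windows hosts file (added example, not MVPS/Bluetack/hpHosts code).

Verdicts per mapping:
  local             localhost-style names pointing at loopback
  blocked           a name sink-holed to 127.0.0.1 / 0.0.0.0 (normal blocklist entry)
  blocks-protected  a security vendor or update server sink-holed (updates cut off)
  lan-alias         a name pointing at a private or link-local address
  redirect          a name pointing at a routable address (what a hijacker plants)
"""
import ipaddress

LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
PROTECTED_DOMAINS = {  # hypothetical list for the example; use the vendors you rely on
    "www.microsoft.com", "windowsupdate.microsoft.com", "update.microsoft.com",
    "www.kaspersky.com", "www.symantec.com", "www.mcafee.com",
}


def parse_hosts(text):
    """Yield (lineno, address, name) for every mapping. Comments, blank lines and
    lines whose first field is not an IP address are skipped."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:  # one address may carry several names
            yield lineno, addr, name.lower().rstrip(".")


def classify(addr, name):
    """Label one mapping with one of the verdicts listed in the module docstring."""
    sinkhole = addr.is_loopback or addr.is_unspecified
    if name in LOCAL_NAMES and sinkhole:
        return "local"
    if sinkhole:
        return "blocks-protected" if name in PROTECTED_DOMAINS else "blocked"
    if addr.is_link_local or any(addr in net for net in LAN_NETWORKS):
        return "lan-alias"
    return "redirect"


def audit(text):
    """Return [(lineno, name, address, verdict)] for every mapping in *text*."""
    return [(lineno, name, str(addr), classify(addr, name))
            for lineno, addr, name in parse_hosts(text)]


def suspicious(text):
    """Only the entries a tampered hosts file would contain."""
    return [entry for entry in audit(text) if entry[3] in ("redirect", "blocks-protected")]


SAMPLE_HOSTS = """\
# Constructed sample for this example, not a real hosts file
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net
0.0.0.0         tracking.example   banners.example   # two names on one line
192.168.1.254   gateway                              # home router alias
203.0.113.45    www.kaspersky.com                    # AV vendor sent to a routable host
127.0.0.1       windowsupdate.microsoft.com          # update server sink-holed
"""

if __name__ == "__main__":
    for lineno, name, addr, verdict in audit(SAMPLE_HOSTS):
        print(f"line {lineno:>2}  {verdict:<17} {addr:<15} {name}")
    print("suspicious:", [name for _, name, _, _ in suspicious(SAMPLE_HOSTS)])
```

On a Windows XP machine the file to feed it is %SystemRoot%\system32\drivers\etc\hosts. A clean blocklist install should produce only "local" and "blocked" verdicts; any "redirect" or "blocks-protected" line deserves the same scrutiny the helper gave the VNC findings in this thread.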
Unread postby Rogue » July 28th, 2007, 2:29 pm

Since this issue appears resolved ... this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Rogue
MRU Teacher Emeritus
 
Posts: 4782
Joined: November 3rd, 2005, 3:21 pm
Location: Salt Lake City, Utah