Need help with a MBR rootkit!

Re: Need help with a MBR rootkit!

Post by deltalima » April 30th, 2010, 2:30 pm

Hi pimse,

Alcohol 120 is installed on this computer


After extensive research, I have found that the visible symptoms – system slowdown, evidence of mbr rootkit and atapi.sys locked can be caused by Alcohol 120

If you have the license key necessary to reinstall Alcohol 120 then please uninstall it, reboot and then run look.bat.

If this still indicates a rootkit-infected MBR then please reboot into the Recovery Console and run fixmbr, then reboot to normal mode and run look.bat.

Please post the results from look.bat in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Post by pimse » April 30th, 2010, 5:29 pm

Alcohol is uninstalled now

look.bat log after reboot:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ABFB1E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8abfb1e0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
Use "Recovery Console" command "fixmbr" to clear infection !


fixmbr resulted in a successfully written mbr, but the log looks like:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A91AA08]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a91aa08
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
Use "Recovery Console" command "fixmbr" to clear infection !

It seems to be a real hard one to disinfect.

pimse
Regular Member
Posts: 24
Joined: April 23rd, 2010, 7:38 pm
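The two look.bat runs above show the same picture before and after fixmbr: a \Driver\atapi dispatch pointing at an address the detector cannot attribute to any loaded module, that address changing between boots, and a second MBR-like block at sector 30. The following is an added example, not code from the thread or from Gmer: a small Python parser for that detector's output plus a before/after comparison that turns those observations into explicit findings for the responder. The sample inputs are the two logs posted above (the second differs from the first only in the hook address, so it is derived by substitution); the triage rules are assumptions about what each line implies, not Gmer's own logic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the look.bat (Gmer mbr.exe 0.3.7) output posted above, before fixmbr.
LOG_BEFORE_FIXMBR = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ABFB1E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8abfb1e0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
Use "Recovery Console" command "fixmbr" to clear infection !
"""

# The post-fixmbr log in the thread is identical apart from the hook address.
LOG_AFTER_FIXMBR = (LOG_BEFORE_FIXMBR
                    .replace("0x8ABFB1E0", "0x8A91AA08")
                    .replace("0x8abfb1e0", "0x8a91aa08"))


@dataclass
class MbrScan:
    unknown_module: Optional[str] = None                 # address of the >>UNKNOWN<< region in the disk I/O chain
    hooks: Dict[str, str] = field(default_factory=dict)  # driver object -> hook target, as printed
    warning: bool = False                                # "Warning: possible MBR rootkit infection"
    user_kernel_mbr_match: bool = False                  # user-mode and kernel-mode reads of sector 0 agree
    mbr_copy_sector: Optional[int] = None                # sector holding a second MBR-like block, if reported
    fixmbr_advised: bool = False


UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (.+?)\s*$")
COPY_RE = re.compile(r"copy of MBR has been found in sector (\d+)")


def parse_mbr_scan(text: str) -> MbrScan:
    """Extract the security-relevant fields from one detector run."""
    scan = MbrScan()
    for line in (raw.strip() for raw in text.splitlines()):
        m = UNKNOWN_RE.search(line)
        if m:
            scan.unknown_module = m.group(1).lower()
            continue
        m = HOOK_RE.match(line)
        if m:
            scan.hooks[m.group(1)] = m.group(2).lower()
            continue
        m = COPY_RE.search(line)
        if m:
            scan.mbr_copy_sector = int(m.group(1))
        elif line.startswith("Warning: possible MBR rootkit infection"):
            scan.warning = True
        elif line.startswith("user & kernel MBR OK"):
            scan.user_kernel_mbr_match = True
        elif '"fixmbr"' in line:
            scan.fixmbr_advised = True
    return scan


def attributed_to_module(target: str) -> bool:
    """True when the detector could name the module the hook points into (e.g. 'classpnp.sys @ 0x...')."""
    return "@" in target


def triage(before: MbrScan, after: MbrScan) -> List[str]:
    """Compare a run before and a run after an MBR rewrite (assumed rules, not Gmer's)."""
    findings: List[str] = []
    if not after.user_kernel_mbr_match:
        findings.append("user-mode and kernel-mode reads of sector 0 disagree: disk reads are being filtered")
    atapi_before = before.hooks.get(r"\Driver\atapi")
    atapi_after = after.hooks.get(r"\Driver\atapi")
    if atapi_after and not attributed_to_module(atapi_after):
        findings.append("\\Driver\\atapi dispatch still points at unattributed kernel memory after fixmbr")
    if atapi_before and atapi_after and atapi_before != atapi_after:
        findings.append("hook address changed between boots: the hook is re-installed at each boot")
    if after.unknown_module:
        findings.append("an unknown code region remains in the disk I/O call chain")
    if after.mbr_copy_sector is not None:
        findings.append("a second MBR-like sector remains at sector %d" % after.mbr_copy_sector)
    return findings


if __name__ == "__main__":
    for finding in triage(parse_mbr_scan(LOG_BEFORE_FIXMBR), parse_mbr_scan(LOG_AFTER_FIXMBR)):
        print("-", finding)
```

The point of the comparison is the one the thread is circling: a successful fixmbr that leaves the same hook in place means whatever installs the hook is loading at boot from somewhere other than the sector that was just rewritten, so the next question is which boot-time driver owns that unattributed region.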

Re: Need help with a MBR rootkit!

Post by pimse » April 30th, 2010, 6:46 pm

Is this of any interest?

Nod 32 blocked some activity a moment ago. No human activity, the computer did it by itself.

pimse

2010-05-01 00:22:34 Skydd av filsystemet i realtid fil I:\System Volume Information\_restore{7B30D386-0AB8-40E9-B39E-39546D579238}\RP94\A0040454.exe en variant av Win32/Adware.ADON Potentiellt oönskat program borttagen NT AUTHORITY\SYSTEM Uppstod på en fil som ändrades av programmet: C:\WINDOWS\system32\svchost.exe.



2010-05-01 00:22:21 Skydd av filsystemet i realtid fil G:\System Volume Information\_restore{7B30D386-0AB8-40E9-B39E-39546D579238}\RP94\A0040452.exe troligen en variant av Win32/Agent trojan borttagen - i karantän NT AUTHORITY\SYSTEM Uppstod på en fil som ändrades av programmet: C:\WINDOWS\system32\svchost.exe.
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Post by deltalima » April 30th, 2010, 6:55 pm

Hi pimse,

It seems to be a real hard one to disinfect.


Indeed it does; we will fix it eventually.

Let's keep Alcohol off for now as we can reinstall once all is sorted.

It's a holiday weekend in the UK so I will be away from home with slow Internet access but be assured that I will keep with this problem until it is resolved (my replies may be limited until Monday).

Let's set a new baseline to work from after the changes we have made so far, please run a new Combofix scan and post the log.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Post by pimse » April 30th, 2010, 7:06 pm

I think there is one thing you should know.
My concern about my computer is not C:, the system partition. It is the other partitions that I am concerned about.

I have an image of C:, so I am able to restore it to roughly the state it is in now.
It is possible I must do so after the third run of Combofix if things follow the earlier pattern.

pimse
Regular Member
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Post by deltalima » April 30th, 2010, 7:14 pm

Hi pimse,

Nod 32 blocked some activity a moment ago.


Please also run a quick scan with Malwarebytes and post the log.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Post by pimse » April 30th, 2010, 8:17 pm

Here's the latest combofix log, and not the slightest trouble to get it! :P

ComboFix 10-04-30.01 - Per 2010-05-01 2:00.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3197.2812 [GMT 2:00]
Running from: c:\documents and settings\Per\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-04-30 14:07 . 2010-04-30 14:07 -------- d-----w- C:\rsit
2010-04-29 20:07 . 2006-08-16 17:26 57344 ----a-w- c:\windows\system32\SM4725CI.dll
2010-04-29 20:07 . 2006-08-16 17:26 151552 ----a-w- c:\windows\system32\SM4725CI.exe
2010-04-29 20:07 . 2006-08-16 17:26 22663 ----a-w- c:\windows\system32\scx425lk.DLL
2010-04-29 20:05 . 2006-08-16 17:20 41984 ------w- c:\windows\system32\drivers\DGIVECP.SYS
2010-04-29 20:05 . 2010-04-29 20:05 -------- d-----w- c:\temp\SCX-4725
2010-04-29 17:50 . 2010-04-29 17:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-04-28 12:29 . 2010-02-26 15:26 220024 ----a-w- c:\windows\sigcheck.exe
2010-04-28 12:24 . 2010-04-28 14:42 -------- d-----w- c:\windows\maxdriver
2010-04-27 15:21 . 2010-04-27 15:21 -------- d-----w- c:\documents and settings\Per\Local Settings\Application Data\ESET
2010-04-26 16:41 . 2010-04-26 16:41 -------- d-----w- c:\temp\SamsungUniversalPrintDriver
2010-04-26 16:39 . 2010-04-29 20:05 -------- d-----w- c:\program files\SAMSUNG
2010-04-26 16:39 . 2010-04-26 16:39 -------- d-----w- c:\temp\ML-1710
2010-04-26 16:29 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-04-26 16:29 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-04-25 16:00 . 2010-04-25 16:00 -------- d-----w- c:\program files\Defraggler
2010-04-25 11:25 . 2008-01-09 10:28 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
2010-04-24 09:55 . 2010-04-24 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-04-24 09:55 . 2010-04-24 09:55 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-24 09:21 . 2010-04-24 09:21 -------- d-----w- c:\documents and settings\Per\Application Data\Foxit
2010-04-24 09:21 . 2010-04-24 09:21 -------- d-----w- c:\program files\Foxit Software
2010-04-24 09:12 . 2010-04-24 09:12 -------- d-----w- c:\documents and settings\Per\Application Data\JAM Software
2010-04-24 09:09 . 2010-04-24 09:09 -------- d-----w- c:\program files\JAM Software
2010-04-24 09:08 . 2010-04-24 09:09 -------- d-----w- c:\program files\ImgBurn
2010-04-24 09:08 . 2009-05-13 16:51 19968 ----a-w- c:\windows\system32\drivers\imdisk.sys
2010-04-24 09:08 . 2009-02-09 13:16 9216 ----a-w- c:\windows\system32\drivers\awealloc.sys
2010-04-24 09:08 . 2009-05-13 16:51 10240 ----a-w- c:\windows\system32\imdsksvc.exe
2010-04-24 09:08 . 2009-05-13 16:51 35840 ----a-w- c:\windows\system32\imdisk.exe
2010-04-24 06:43 . 2010-04-24 06:43 -------- d-----w- c:\documents and settings\Per\DoctorWeb
2010-04-24 00:37 . 2004-10-15 16:32 14568 ----a-w- c:\windows\system32\drivers\wg3n.sys
2010-04-24 00:37 . 2004-10-15 16:17 60496 ----a-w- c:\windows\system32\drivers\Teefer.sys
2010-04-24 00:37 . 2004-10-15 16:18 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2010-04-24 00:37 . 2004-10-15 16:32 83096 ----a-w- c:\windows\system32\SSSensor.dll
2010-04-24 00:37 . 2010-04-24 00:37 -------- d-----w- c:\program files\Sygate
2010-04-23 23:51 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-23 23:51 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-23 23:51 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-23 23:49 . 2010-04-23 23:50 -------- dc-h--w- c:\windows\ie8
2010-04-23 23:47 . 2010-04-23 23:47 -------- d-----w- c:\program files\Trend Micro
2010-04-23 23:41 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-04-23 23:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-23 23:38 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-23 23:37 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-23 23:37 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-23 23:37 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-23 23:35 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-23 23:34 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-04-23 23:08 . 2010-04-28 13:10 -------- d-----w- c:\documents and settings\Per\Local Settings\Application Data\Spotify
2010-04-23 23:08 . 2010-04-28 12:55 -------- d-----w- c:\documents and settings\Per\Application Data\Spotify
2010-04-23 22:35 . 2010-04-23 22:35 -------- d-----w- c:\program files\Common Files\Java
2010-04-23 22:35 . 2010-04-23 22:35 503808 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6774b8ce-n\msvcp71.dll
2010-04-23 22:35 . 2010-04-23 22:35 499712 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6774b8ce-n\jmc.dll
2010-04-23 22:35 . 2010-04-23 22:35 348160 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6774b8ce-n\msvcr71.dll
2010-04-23 22:35 . 2010-04-23 22:35 61440 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45960d9c-n\decora-sse.dll
2010-04-23 22:35 . 2010-04-23 22:35 12800 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45960d9c-n\decora-d3d.dll
2010-04-23 22:35 . 2010-04-12 15:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-23 20:53 . 2009-02-07 05:43 24576 ----a-w- c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
2010-04-23 20:53 . 2009-05-17 17:56 11776 ----a-w- c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}\platform\WINNT_x86-msvc\components\mgMouseService.dll
2010-04-23 19:33 . 2010-04-23 19:33 -------- d-----w- c:\program files\MAPILab Ltd
2010-04-23 19:32 . 2010-04-23 19:32 -------- d-----w- c:\windows\Downloaded Installations
2010-04-23 19:15 . 2010-04-23 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-04-03 20:55 . 2010-04-03 20:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-03 20:55 . 2010-04-03 20:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 20:55 . 2010-04-03 20:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 20:55 . 2010-04-03 20:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-03 20:55 . 2010-04-03 20:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 20:55 . 2010-04-03 20:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-03 17:23 . 2010-04-03 17:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 17:23 . 2010-04-03 17:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 17:23 . 2010-04-03 17:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 17:23 . 2010-04-03 17:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 17:23 . 2010-04-03 17:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 17:22 . 2010-04-03 17:22 81920 ----a-w- c:\windows\system32\nvwddi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-25 11:50 . 2009-04-19 08:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-25 11:24 . 2009-04-19 08:58 -------- d-----w- c:\program files\Sony Ericsson
2010-04-25 11:24 . 2009-03-13 21:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-25 11:23 . 2009-04-19 08:59 -------- d-----w- c:\program files\Avanquest update
2010-04-24 15:54 . 2009-04-22 19:18 -------- d-----w- c:\program files\Axis Communications
2010-04-24 09:59 . 2009-03-15 09:12 -------- d-----w- c:\program files\ESET
2010-04-24 08:43 . 2009-04-04 20:49 -------- d-----w- c:\documents and settings\Per\Application Data\Audacity
2010-04-23 23:31 . 2009-03-13 21:28 64752 ----a-w- c:\documents and settings\Per\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-23 22:54 . 2009-04-10 21:54 -------- d-----w- c:\program files\SpeedFan
2010-04-23 22:41 . 2009-04-04 06:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-23 22:35 . 2009-04-08 16:54 -------- d-----w- c:\program files\Java
2010-04-23 20:28 . 2009-05-23 12:59 5918775 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-03 20:55 . 2009-03-14 05:16 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-03 20:55 . 2009-03-13 21:20 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 20:55 . 2007-10-04 08:14 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 20:55 . 2007-10-04 08:14 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 20:55 . 2007-10-04 08:14 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 20:55 . 2007-10-04 08:14 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 20:55 . 2007-10-04 08:14 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 20:55 . 2007-10-04 08:14 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-29 22:46 . 2009-04-04 06:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45 . 2009-04-04 06:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 07:49 . 2010-04-26 16:42 282624 ----a-w- c:\windows\system32\DscPnt.dll
2010-03-16 15:01 . 2010-04-26 16:42 141680 ----a-w- c:\windows\system32\SUPDSvcA.dll
2010-03-16 15:01 . 2010-04-26 16:42 132464 ----a-w- c:\windows\system32\SUPDSvc.exe
2010-03-16 15:00 . 2010-04-26 16:42 260464 ----a-w- c:\windows\SUPDRun.exe
2010-03-11 12:38 . 2010-03-11 12:38 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-10 06:15 . 2007-07-27 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:34 . 2010-04-26 16:42 157552 ----a-w- c:\windows\system32\spd__ci.exe
2010-02-25 06:24 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2007-07-27 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2007-07-27 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2007-07-27 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2007-07-27 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-04-28_14.08.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-01 00:00 . 2010-05-01 00:00 16384 c:\windows\Temp\Perflib_Perfdata_560.dat
+ 2007-07-27 12:00 . 2010-04-30 23:58 72108 c:\windows\system32\perfc009.dat
- 2007-07-27 12:00 . 2010-04-28 14:00 72108 c:\windows\system32\perfc009.dat
+ 2010-04-28 14:42 . 2002-09-18 04:38 82944 c:\windows\maxdriver\sed.exe
+ 2010-04-29 20:07 . 2008-04-13 23:12 543232 c:\windows\system32\spool\drivers\w32x86\PSCRIPT5.DLL
+ 2010-04-29 20:07 . 2008-04-13 23:12 728576 c:\windows\system32\spool\drivers\w32x86\PS5UI.DLL
+ 2010-04-29 20:07 . 2008-04-13 23:12 543232 c:\windows\system32\spool\drivers\w32x86\3\PSCRIPT5.DLL
+ 2010-04-29 20:07 . 2008-04-13 23:12 728576 c:\windows\system32\spool\drivers\w32x86\3\PS5UI.DLL
+ 2007-07-27 12:00 . 2010-04-30 23:58 444358 c:\windows\system32\perfh009.dat
- 2007-07-27 12:00 . 2010-04-28 14:00 444358 c:\windows\system32\perfh009.dat
+ 2010-04-28 14:42 . 2009-12-11 19:48 1041920 c:\windows\maxdriver\pevFind.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"Hard Disk Sentinel"="g:\program files\Hard Disk Sentinel\HDSentinel.exe" [2009-02-24 3198464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2009-10-12 614400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BankID Security Application.lnk - c:\program files\Personal\bin\Personal.exe [2009-5-3 939536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Spotify\\spotify.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-11-16 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2007-11-10 29728]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-04-25 27632]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2010-04-25 90112]
S3 AWEAlloc;AWE Memory Allocation Driver;c:\windows\system32\drivers\awealloc.sys [2010-04-24 9216]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-04-19 13224]
S3 ImDisk;ImDisk Virtual Disk Driver;c:\windows\system32\drivers\imdisk.sys [2010-04-24 19968]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-04-18 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-04-18 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-04-18 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-04-18 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-04-18 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-04-18 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-04-18 115752]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2010-04-26 132464]
S4 ImDskSvc;ImDisk Virtual Disk Driver Helper;c:\windows\system32\imdsksvc.exe [2010-04-24 10240]
.
Contents of the 'Scheduled Tasks' folder

2010-04-30 c:\windows\Tasks\User_Feed_Synchronization-{E51E9111-755F-4990-99AB-39BEABF9B266}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://81.232.99.43:60108/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.leta.se/
FF - component: c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Personal\bin\np_prsnl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-01 02:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A9160B8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb811cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> 0x8a9160b8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1844237615-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:34,16,57,02,3b,e5,67,7e,51,a1,ab,35,30,1a,60,b1,b1,bf,5b,05,40,89,12,
96,a7,85,da,07,ef,fa,f4,8e,87,76,cb,87,cd,98,ac,b8,36,d6,e1,e0,16,94,85,ad,\
"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"D140111900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Completion time: 2010-05-01 02:03:47
ComboFix-quarantined-files.txt 2010-05-01 00:03
ComboFix2.txt 2010-04-28 14:09
ComboFix3.txt 2010-04-27 15:27

Pre-Run: 28 985 556 992 bytes free
Post-Run: 29 064 499 200 bytes free

- - End Of File - - E5DA63BDCF3BF72E66C09CF053EA02DE

MBAM log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4056

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-05-01 02:15:01
mbam-log-2010-05-01 (02-15-01).txt

Scan type: Quick scan
Objects scanned: 112528
Time elapsed: 1 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm
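Both the look.bat output and the ComboFix report above end with "copy of MBR has been found in sector 30 !". What that means structurally: an MBR is 446 bytes of boot code, a 64-byte partition table at offset 0x1BE and the 0x55AA signature, and a second sector carrying the same partition table but different code is a sector worth examining offline. The following is an added example, not the thread's or Gmer's code, of checking a raw disk image for such copies in Python. Gmer's exact heuristic is not stated in the thread; the test used here (valid signature plus a partition table identical to sector 0) is an assumption, and the disk image is constructed in the code with placeholder bytes standing in for boot code.

```python
import struct
from typing import Dict, List, Tuple

SECTOR = 512
PT_OFFSET = 0x1BE    # partition table starts here; boot code occupies bytes 0..0x1BD
SIG_OFFSET = 0x1FE   # 0x55 0xAA boot signature


def build_sector(boot_code: bytes, partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble an MBR-shaped sector from boot code and (status, type, lba_start, sector_count) entries."""
    body = boot_code[:PT_OFFSET].ljust(PT_OFFSET, b"\x00")
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return body + table + b"\x55\xAA"


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA"


def parse_partition_table(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four 16-byte partition entries; unused entries (type 0) are skipped."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, PT_OFFSET + 16 * i)
        if ptype:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def find_mbr_copies(image: bytes, limit: int = 63) -> List[Dict[str, object]]:
    """Scan the sectors before the first partition (the traditional 63-sector gap) for
    sectors that carry a boot signature and the same partition table as sector 0, and
    report whether their boot code is identical to sector 0's. A copy whose code differs
    means one of the two is not the code the system was originally installed with."""
    mbr = image[:SECTOR]
    hits = []
    for n in range(1, min(limit, len(image) // SECTOR)):
        sec = image[n * SECTOR:(n + 1) * SECTOR]
        if not has_boot_signature(sec):
            continue
        if sec[PT_OFFSET:SIG_OFFSET] != mbr[PT_OFFSET:SIG_OFFSET]:
            continue
        hits.append({"sector": n, "boot_code_matches_sector0": sec[:PT_OFFSET] == mbr[:PT_OFFSET]})
    return hits


# Constructed disk image: 63 sectors, one bootable NTFS partition at LBA 63, the original
# boot code stashed in sector 30 and different code in sector 0. The "code" is placeholder
# ASCII, not a real boot loader.
PARTITIONS = [(0x80, 0x07, 63, 20_000_000)]
ORIGINAL_CODE = b"ORIGINAL-BOOT-CODE-PLACEHOLDER"
REPLACED_CODE = b"REPLACED-BOOT-CODE-PLACEHOLDER"


def build_demo_image() -> bytes:
    sectors = [b"\x00" * SECTOR] * 63
    sectors[0] = build_sector(REPLACED_CODE, PARTITIONS)
    sectors[30] = build_sector(ORIGINAL_CODE, PARTITIONS)
    return b"".join(sectors)


if __name__ == "__main__":
    image = build_demo_image()
    print("partitions:", parse_partition_table(image[:SECTOR]))
    print("MBR copies:", find_mbr_copies(image))
```

To run it against a real system, feed `find_mbr_copies` the first 63 sectors of a raw disk image taken while the machine is offline; reading through the running OS is exactly what the "user & kernel MBR" comparison in the detector exists to distrust.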

Re: Need help with a MBR rootkit!

Post by pimse » May 3rd, 2010, 12:32 am

Finally I managed to run GMER in normal mode, but with "devices" unchecked!

Here's the log:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-02 23:52:58
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Per\LOCALS~1\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xB82FAB30]
SSDT 8955F580 ZwAssignProcessToJobObject
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xB82FA6F0]
SSDT 89560100 ZwDebugActiveProcess
SSDT 8955FB30 ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xB82FA470]
SSDT 8955ECC0 ZwOpenProcess
SSDT 8955EFC0 ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xB82FAC50]
SSDT 8955F860 ZwSetContextThread
SSDT 8955F6E0 ZwSetInformationThread
SSDT 8955C700 ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xB82FA990]
SSDT 8955F420 ZwSuspendProcess
SSDT 8955F2C0 ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xB82FA8D0]
SSDT 8955F150 ZwTerminateThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xB82FAD60]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6A4E380, 0x566445, 0xE8000020]
.text tcpip.sys!IPTransmit + 10FC B3D51D3A 6 Bytes CALL B7DF3E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 B3D53690 6 Bytes CALL B7DF3E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 B3D69454 6 Bytes CALL B7DF3E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B82ED3FD 4 Bytes CALL B7DF3FA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B82ED402 2 Bytes [90, 90] {NOP ; NOP }

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1780] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B7DF4C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B7DF4BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [B7DF4B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF48E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF48E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B7DF4BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B7DF4C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B7DF4B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B7DF4B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF48E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B7DF4BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B7DF4C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B7DF48E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B7DF4B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B7DF4C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B7DF4BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B7DF4C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7DF4BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF48E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B7DF4B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF48E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7DF4BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B7DF4C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [B7DF4C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B7DF4BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [B7DF4B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF48E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF48E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B7DF4B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B7DF4C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B7DF4BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- EOF - GMER 1.0.15 ----
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm
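The GMER log above is the one deltalima calls clean in the next reply; reading such a log by hand means checking which module GMER attributes each hook to. As an added example that is not code from the thread, from GMER or from MalwareRemoval.com, here is a Python parser that groups the SSDT, .text and IAT entries by the attributed vendor and lists the entries GMER could not map to a module, which are the ones a reviewer cross-checks against the installed software first. The embedded sample is a constructed excerpt of the log above (its SSDT lines sit before any section header, as in the excerpt); the section-header and attribution patterns are taken from the lines themselves.

```python
import re
from collections import Counter

# Excerpt of the GMER 1.0.15 log posted in the thread, trimmed to a few lines per
# section and embedded here as test input (constructed sample, not a full log).
SAMPLE_GMER = r"""
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xB82FA470]
SSDT 8955ECC0 ZwOpenProcess
SSDT 8955EFC0 ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xB82FA8D0]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6A4E380, 0x566445, 0xE8000020]
.text tcpip.sys!IPTransmit + 10FC B3D51D3A 6 Bytes CALL B7DF3E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B82ED402 2 Bytes [90, 90] {NOP ; NOP }

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1780] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B7DF4C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7DF4BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- EOF - GMER 1.0.15 ----
"""

# Section headers look like "---- Kernel IAT/EAT - GMER 1.0.15 ----".
SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
# When GMER can map a hook to a module it appends that module's description and
# company in parentheses, e.g. "(Teefer Driver/Sygate Technologies, Inc.)"; the
# text after the last "/" is the vendor string.
ATTRIB_RE = re.compile(r"\(([^()]*)\)")
HOOK_PREFIXES = ("SSDT", "IAT", "EAT", ".text")


def parse_gmer_hooks(text):
    """One dict per hook/patch line: section, kind, vendor (None if unattributed), line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line.startswith(HOOK_PREFIXES):
            continue
        kind = line.split()[0]
        if "section is writeable" in line:
            kind = "writeable-section"  # informational finding, not a hook
        m = ATTRIB_RE.search(line)
        vendor = m.group(1).rsplit("/", 1)[-1].strip() if m else None
        entries.append({"section": section, "kind": kind, "vendor": vendor, "line": line})
    return entries


def summarize(entries):
    """Count entries per attributed vendor and return the ones GMER left unattributed."""
    by_vendor = Counter(e["vendor"] or "unattributed" for e in entries)
    unattributed = [e for e in entries if e["vendor"] is None]
    return by_vendor, unattributed


if __name__ == "__main__":
    counts, todo = summarize(parse_gmer_hooks(SAMPLE_GMER))
    for vendor, n in counts.most_common():
        print(f"{n:3d}  {vendor}")
    print("\nEntries with no module attribution (check these against installed software):")
    for e in todo:
        print(f"  [{e['section'] or 'before first section header'}] {e['kind']}: {e['line']}")
```

On this excerpt every attributed hook belongs to the Sygate firewall drivers (Teefer.sys and wpsdrvnt.sys), which is what a host firewall hooking the network and process paths looks like; the SSDT entries that carry only a raw address, the in-place patch in wanarp.sys and the patch inside ekrn.exe are the items with no attribution, and those are what a reviewer checks against the installed security products before reading them as rootkit evidence.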

Re: Need help with a MBR rootkit!

Unread postby deltalima » May 3rd, 2010, 12:35 pm

Hi pimse,

Finally I managed to run GMER in normal mode


Good, and that log is clean.

I have been in discussion with the experts of this forum and the consensus is that the results of the tests we have done so far indicate that the symptoms are those of CD emulation software and not of a rootkit MBR infection.

I agree with these findings and plan to undo the changes that we have made and return the system to the state it was in when we started.

If however you wish to verify the above then the next stage will be to completely uninstall CDBurnerXP and ImDisk along with any other software that may provide CD emulation functionality.

This may still not remove the symptoms as the uninstall may not remove all the changes that those programs have made to the system.

Please let me know how you would like to proceed.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby pimse » May 3rd, 2010, 12:54 pm

Hi deltalima,

I think it would be nice if it is possible to verify that it is CD emulation apps that cause the detection. (I hope that was English enough to be understood).

CDBurnerXP and ImDisk, have you seen any other?

Thanks

pimse
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby deltalima » May 3rd, 2010, 2:45 pm

Hi pimse,

CDBurnerXP and ImDisk, have you seen any other?


Please uninstall those while I check your uninstall list for any more. One note, Alcohol 120% did not show in that list so it may be worth checking the start menu to see if anything shows there that is not in the uninstall list.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby pimse » May 4th, 2010, 1:43 pm

Hi deltalima,

Now I have gone through the start menu and the program files directory and uninstalled CDburnerXP, Imdisk, Imgburner, GameJackal. I have run fixmbr in the recovery console and after reboot I ran Look.bat and the log looks like:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8FCE58]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a8fce58
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
Use "Recovery Console" command "fixmbr" to clear infection !


The computer is running good now, it is fast booting and opening Firefox rather quick. It feels good, except for the knowledge about the content of the log above. But I will keep it in mind and also hoping that the force may be with me.

pimse
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby deltalima » May 4th, 2010, 2:04 pm

Hi pimse,

The computer is running good now, it is fast booting and opening Firefox rather quick


That's good to hear.

It feels good, except for the knowledge about the content of the log above.


I understand your concerns, but please be assured that rootkit detection is difficult and prone to false positives; this thread has been reviewed by several experts from the antimalware community who all agree that the system is clean.

Remove GMER

Delete the GMER icon from your desktop.

Delete the TDSSKiller icon, folder and zip file from your desktop.

Delete the look.bat from your desktop.

Uninstall ComboFix

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK

Clean up with OTL

  • Double-click OTL.exe to start the program. This will remove all the tools we used to clean your pc.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.


Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
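deltalima's May 3rd post explains why the look.bat result was read as a side effect of CD emulation software rather than an MBR infection, and the closing post adds that rootkit detection is prone to false positives. As an added example that is not code from the thread, from GMER or from MalwareRemoval.com, here is a Python parser for the look.bat output in pimse's May 4th post. It extracts the fields the helpers weighed: which driver object is hooked, whether the detector could name the hooking module, whether the user-mode and kernel-mode reads of the MBR agree, and where a copy of the MBR was found, and it then labels the report the way the thread's reasoning does. The infected-looking log is the thread's own; the clean log is a constructed sample of the same format and the triage labels are this example's own names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# look.bat output from the thread's May 4th post (after fixmbr and the uninstalls).
THREAD_LOG = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8FCE58]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a8fce58
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
Use "Recovery Console" command "fixmbr" to clear infection !
"""

# Constructed sample of the same format with no hooks (an assumption for this
# example, not output captured in the thread).
CLEAN_LOG = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")  # module the tool cannot name
HOOK_RE = re.compile(r"^(\\\S+) -> (0x[0-9A-Fa-f]+)$")         # "\Driver\atapi -> 0x8a8fce58"
COPY_RE = re.compile(r"copy of MBR has been found in sector (\d+)")


@dataclass
class MbrReport:
    called_modules: List[str] = field(default_factory=list)   # named modules on the disk I/O path
    unknown_modules: List[str] = field(default_factory=list)  # addresses of unnamed modules
    hooks: Dict[str, str] = field(default_factory=dict)       # driver object -> hook address
    user_kernel_mbr_ok: bool = False   # user-mode and kernel-mode MBR reads agree
    mbr_copy_sector: Optional[int] = None
    warning: bool = False


def parse_mbr_log(text: str) -> MbrReport:
    rep, in_hooks = MbrReport(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            body = line[len("called modules:"):]
            rep.unknown_modules = [a.lower() for a in UNKNOWN_RE.findall(body)]
            rep.called_modules = UNKNOWN_RE.sub("", body).split()
            continue
        if line == "detected MBR rootkit hooks:":
            in_hooks = True
            continue
        m = HOOK_RE.match(line)
        if in_hooks and m:
            rep.hooks[m.group(1)] = m.group(2).lower()
            continue
        in_hooks = False  # the hook list ends at the first line that is not a hook
        if line.startswith("Warning:"):
            rep.warning = True
        elif line == "user & kernel MBR OK":
            rep.user_kernel_mbr_ok = True
        else:
            m = COPY_RE.search(line)
            if m:
                rep.mbr_copy_sector = int(m.group(1))
    return rep


def triage(rep: MbrReport) -> str:
    """Label the report following the thread's reasoning; a heuristic, not a verdict."""
    if not rep.hooks and not rep.unknown_modules:
        return "clean"
    if rep.hooks and not rep.user_kernel_mbr_ok:
        # What the kernel reads as the MBR differs from what user mode reads: the
        # condition the tool exists to catch. Treat as a live MBR infection.
        return "mbr-mismatch"
    if rep.hooks and rep.user_kernel_mbr_ok and set(rep.hooks.values()) <= set(rep.unknown_modules):
        # The disk stack is hooked by a module the tool cannot name, but both MBR
        # reads agree. In the thread this survived fixmbr and was traced to CD/DVD
        # emulation drivers; confirm by removing that software and re-running.
        return "hook-by-unknown-module-mbr-consistent"
    return "review"


if __name__ == "__main__":
    for name, log in (("thread log", THREAD_LOG), ("clean sample", CLEAN_LOG)):
        r = parse_mbr_log(log)
        print(f"{name}: {triage(r)}; hooks={r.hooks}; MBR copy in sector {r.mbr_copy_sector}")
```

The point of the middle label is that the hook alone is not the decisive field: the detector names the hooking module where it can, and on this machine the only unnamed module is the one hooking atapi while both MBR reads still agree, which is why repeating fixmbr could not change the result and the helpers looked at the installed emulation software instead.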

Re: Need help with a MBR rootkit!

Unread postby pimse » May 4th, 2010, 2:23 pm

Thanks a lot for your help deltalima!


pimse
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby Gary R » May 5th, 2010, 4:25 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire