Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Possible Malware/Hijacking

Post by Ferretman » November 8th, 2008, 4:56 pm

Howdy All:


I noticed over the past couple of weeks that I'd been unable to get to Microsoft Update at all, and whenever I clicked on various Google searches directly I got directed to some oddball search site rather than the site I wanted. (I had to cut and paste the http link below the clickable link to get to the page I wanted.) I also found (when I began to suspect malware) that I was unable to go to any of the malware forums at all--I was being stopped. A quick check via a different machine confirmed that the site was fine, but something on my computer was preventing my accessing the site.

I downloaded ComboFix and ran it this afternoon. It generated the attached logs.

Any advice on what I should do?

Steve
Ferretman
Active Member
 
Posts: 12
Joined: November 8th, 2008, 4:35 pm
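The three symptoms in the post above (update servers unreachable, search results redirected, security forums blocked) all point at something sitting between the browser and the network. The quickest check a practitioner makes before reaching for heavier tools is the hosts file, so here is that check as an added example. It is not a MalwareRemoval.com tool and was not run on this machine; the watched-domain list and the sample hosts file are constructed for the example, and the XP path in the usage note is assumed to be the default. One caveat up front: the hosts file is only the top layer. A driver-level rootkit (the logs later in this thread show a TDSS driver service being removed) can intercept traffic below it, so a clean hosts file does not clear the machine.

```python
"""
Scan a Windows hosts file for entries that block or redirect update servers,
security vendors and malware-help forums.

Added example for this thread; not MalwareRemoval.com tooling and not a
reconstruction of the poster's machine. WATCHED_SUFFIXES and SAMPLE_HOSTS
are constructed for the example.
"""
import ipaddress
import re

# Domains a hijack typically targets. Assumed watch list, not from the thread.
WATCHED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "malwareremoval.com",
    "bleepingcomputer.com",
    "malwarebytes.org",
    "avast.com",
    "avg.com",
)

# The only mappings a default Windows hosts file should contain.
LEGIT = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # not an address, so not a mapping
        for host in parts[1:]:
            yield ip, host.lower().rstrip("."), line_no


def is_watched(host: str) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text: str) -> list:
    """Return every non-default mapping, classified by what it does.

    effect: "blocked" when the name is pinned to loopback or 0.0.0.0
            (the site simply cannot be reached), "redirected" otherwise.
    watched: whether the name is on the watch list; unwatched entries are
             still reported because a stock hosts file has none.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if (ip, host) in LEGIT:
            continue
        addr = ipaddress.ip_address(ip)
        effect = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"line": line_no, "host": host, "ip": ip,
                         "effect": effect, "watched": is_watched(host)})
    return findings


# Constructed sample: a default XP hosts file plus three injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.microsoft.com        # injected: update site blocked
0.0.0.0         www.malwareremoval.com      # injected: help forum blocked
10.9.8.7        www.google.com              # injected: search redirected
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        flag = "WATCHED" if f["watched"] else "review"
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['effect']}, {flag})")
```

On XP the file normally lives at C:\WINDOWS\system32\drivers\etc\hosts; read it and pass the contents to find_hijacks(). A watched domain mapped to 127.0.0.1 or 0.0.0.0 explains "cannot reach Microsoft Update"; a mapping to any other address explains a redirect; and anything beyond the two localhost lines deserves a look even if it is not on the watch list. If the file is clean and the symptoms persist, the interception is happening lower down (a LSP, a filter driver, or DNS settings), which is exactly the case a rootkit scanner is for.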

Re: Possible Malware/Hijacking

Post by Katana » November 11th, 2008, 11:41 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Possible Malware/Hijacking

Post by Ferretman » November 11th, 2008, 9:22 pm

Howdy Katana!

Thanks for the reply, and I'll download RSIT and get to it directly.


Ferretman

Re: Possible Malware/Hijacking

Post by Ferretman » November 11th, 2008, 10:41 pm

Okay, I ran RSIT and here are the logs.

Ferretman

Re: Possible Malware/Hijacking

Post by Katana » November 12th, 2008, 5:00 am

Please can you post the logs into your reply rather than attaching them;
this is a teaching forum and it makes it easier for the students to follow what is happening.


REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Azureus Vuze
Azureus


Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.



Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

Re: Possible Malware/Hijacking

Post by Ferretman » November 12th, 2008, 11:10 pm

katana wrote: Please can you post the logs into your reply rather than attaching them;
this is a teaching forum and it makes it easier for the students to follow what is happening.


No problemo.

REMOVE P2P PROGRAMS




Well, no big deal as I don't use them much anyway.

Done.


Installed Programs



Here ya go:

    1st QuickRes Light 1.6b (free)
    AC3Filter (remove only)
    AceFTP 3 Freeware
    Actiontec Gateway
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Reader 8.1.3
    ADS Tech Master Installer V3.8
    ADS Tech V3.8 DVD Xpress DX2 CapWiz
    ALUpdate
    ALZip
    AnswerWorks 4.0 Runtime - English
    AOL HI-Q Video
    Apple Software Update
    Audacity 1.2.3
    AutoCAD 2008 - English
    Autodesk Design Review 2009
    Autodesk DWF Viewer 7
    avast! Antivirus
    AVG Free 8.0
    AVIVO Codecs
    BadCopy Pro
    Belarc Advisor 7.1
    BookWorm Deluxe 1.02
    Born of Blood
    Browser Hijack Retaliator 4.5.0 Build 471
    CCleaner (remove only)
    CDXA Image Reader Filter (SVCD/XCD) (remove only)
    Console Classix 3.6
    CoreVorbis Audio Decoder (remove only)
    Coupon Printer
    Coupon Printer for Windows
    DAO
    Dark Horizon
    Dark Horizon Patch
    Data Lifeguard Tools
    Direct Show Ogg Vorbis Filter (remove only)
    DirectVobSub (remove only)
    DivX
    DivX Content Uploader
    DivX Player
    DivX Web Player
    doPDF 5.2 printer
    DVD Shrink 3.2
    EasyGPS
    Empire Deluxe Internet Edition
    Ethereal 0.99.0
    EVEREST Home Edition v2.20
    ExpertGPS
    File Waster
    Flash Capture 1.20
    Folder Size for Windows
    For Liberty! Demo
    Free PDF to Word Doc Converter v1.1
    Freelancer
    GB-PVR
    GdiplusUpgrade
    Google Earth
    Google Talk (remove only)
    Google Toolbar for Internet Explorer
    Google Video Player
    GPL Ghostscript 8.57
    GPL Ghostscript Fonts
    G-Zapper v1.42
    HD Tune 2.10
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HighPoint ATA RAID Management Software
    HijackThis 1.99.1
    HOMER 2.67 beta
    Hotfix for Windows XP (KB952287)
    hp deskjet 5800
    HP Memories Disc
    HP My Display
    HP Photo and Imaging 2.0 - Deskjet Series
    HP Photo and Imaging 2.2 - Scanjet 3970 Series
    HP Software Update
    Huffyuv AVI lossless video codec (Remove Only)
    HVAC-Calc Residential 4.0.54ho
    ICQ 5
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet
    ITE Smart Accessories
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_11
    Java(TM) 6 Update 3
    Java(TM) 6 Update 4
    Java(TM) 6 Update 7
    Juniper Networks Secure Application Manager
    Libellus 1.2
    Macromedia Shockwave Player
    Malware Sweeper 2.3.0.1
    MediaKey
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Data Access Components KB870669
    Microsoft DirectX Transform optional components
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 97, Professional Edition
    Microsoft Office Accounting 2008
    Microsoft Office Accounting 2008
    Microsoft Office Accounting 2008 Equifax Addin
    Microsoft Office Accounting 2008 Fixed Asset Manager
    Microsoft Office Accounting 2008 PayPal Addin
    Microsoft Office Accounting ADP Payroll Addin
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Visio Viewer 2007
    Microsoft Plus! for Windows XP
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Tool Web Package : EXCTRLST.EXE
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.0.1)
    MSXML 6.0 Parser (KB933579)
    My DVD Catalog
    My Lockbox 1.2 for Windows 2000/XP
    Nero Suite
    Network Stumbler 0.4.0 (remove only)
    NVIDIA Drivers
    Nvidia Omega Drivers Setup Files
    Ocucom PreCast 1.6
    OfficePrinter 2.0
    OpenOffice.org 2.4
    PCI Audio Applications
    PCI Audio Driver
    Photo Resizer 1.06 (Free version)
    Picasa 2
    Pivot Software
    PowerDVD
    PrintScreen
    Privateer
    QuickTime
    Rails
    REScheck 4.2.0
    SATARaid
    SDK
    SDP Downloader
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB958644)
    Sins of a Solar Empire
    Sins of a Solar Empire
    Sound Blaster Live!
    SOYO HW Monitor
    Space Empires IV Gold
    Space Flight Operations Screen Saver
    SpeedFan (remove only)
    Spell Checker For OE 2.1
    Spelling Dictionaries Support For Adobe Reader 8
    Stardock Central
    System Requirements Lab
    Trillian
    Trojan Remover 6.7.4
    TurboTax Deluxe 2007
    TurboTax Deluxe Deduction Maximizer 2006
    TurboTax ItsDeductible 2006
    TVUPlayer 2.2.0
    Tweak UI
    Ulead Straight-to-Disc SDK
    Ulead VideoStudio 9.0 SE DVD
    Uniblue RegistryBooster 2009
    Uniblue RegistryBooster 2009
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    USB Storage Driver
    User Profile Hive Cleanup Service
    VERITAS RecordNow DX
    VERITAS RecordNow DX Update Manager
    VideoLAN VLC media player 0.8.1
    Virtual Desktop Manager Powertoy for Windows XP
    Virtual Weather Station
    WD Diagnostics
    WeatherLink 5.7.1
    WexTech AnswerWorks
    WinAce Archiver
    Windows Defender
    Windows Genuine Advantage v1.3.0254.0
    Windows Grep 2.3
    Windows Installer Clean Up
    Windows Media Encoder 9 Series
    Windows Media Encoder 9 Series
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3
    WinPatrol
    WinPcap 4.0.2
    WinSCP 3.5
    WinUAE 1.4.6
    Xfire (remove only)
    ZipWiz 2005 by Synaptek Software


Steve

Re: Possible Malware/Hijacking

Post by Katana » November 13th, 2008, 7:48 am

Information


AntiVirus
You appear to have AVG8 and Avast
First you should know that you're actually doing more harm than good by running more than one Anti Virus program.
When you do this the programs compete for resources, and the end result is that none does its best, and it can cause system instability.
I recommend that you choose one that you want to keep.
The other/s I would either uninstall, or disable from startup and use as "on demand" for an occasional scan.



Registry Cleaners

Re. Uniblue RegistryBooster 2009

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners
Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.

http://forums.whatthetech.com/Regcleaner_t42862.html

----------------------------------------------------------- -----------------------------------------------------------

Step 1


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------- -----------------------------------------------------------
Step 2



Download and Run ComboFix
Please delete the copy of ComboFix that you have and download an updated copy from one of the links below
    Please visit this webpage for instructions on using ComboFix:
    http://www.bleepingcomputer.com/combofi ... e-combofix

    ComboFix.exe 1
    ComboFix.exe 2
    ComboFix.exe 3

  • You must download it to, and run it from, your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper

----------------------------------------------------------- -----------------------------------------------------------
Step 3


Remove Programs

Older versions of some programs have vulnerabilities that malware can use to infect your system.

Now click Start > Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista). If any of the following programs are listed there,
click on the program to highlight it, and click on Remove.
  • Adobe Reader 8.1.3 << See below for updating Adobe
  • J2SE Runtime Environment 5.0 Update 2
  • J2SE Runtime Environment 5.0 Update 5
  • J2SE Runtime Environment 5.0 Update 6
  • Java 2 Runtime Environment, SE v1.4.2_11
  • Java(TM) 6 Update 3
  • Java(TM) 6 Update 4
Now close the Control Panel.



----------------------------------------------------------- -----------------------------------------------------------
Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • MalwareBytes Log
  • ComboFix Log
  • How are things running now ?

----------------------------------------------------------- -----------------------------------------------------------

Additional Notes


Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 2.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.
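Katana's reply above is a triage of the installed-programs list done by eye: two resident antivirus products, a registry cleaner, a P2P client, and a stack of superseded Java runtimes that stay registered (and exploitable) after a newer one is installed. Those rules are mechanical enough to script, so here is the same triage as an added example. It is my code for this thread, not MalwareRemoval.com tooling; the pattern tables are assumptions kept deliberately short, the listing embedded below is a constructed excerpt of the list Ferretman posted earlier, and "stale" means older than the newest runtime present, which says nothing about whether that newest one is itself current.

```python
"""
Triage an installed-programs list (one product name per line, as the
HijackThis Uninstall Manager exports it) for the things a helper checks
first: more than one resident antivirus, superseded Java runtimes,
registry cleaners and P2P clients.

Added example for this thread; not MalwareRemoval.com tooling.
The pattern tables are assumptions and deliberately short.
"""
import re

# Product-name patterns (assumed for the example; a real table is longer).
ANTIVIRUS = re.compile(r"^(avast!|AVG |Norton|McAfee|Kaspersky|ESET|Avira)", re.I)
REG_CLEANER = re.compile(r"registry ?(booster|cleaner|mechanic)", re.I)
P2P = re.compile(r"^(Azureus|Vuze|LimeWire|BearShare|uTorrent|BitTorrent|Kazaa|eMule)", re.I)


def java_version(name: str):
    """Map a Sun JRE product name to a comparable (family, update) tuple.

    Covers the three naming schemes seen in this thread's list; returns
    None for anything that is not a JRE entry.
    """
    m = re.match(r"J2SE Runtime Environment 5\.0 Update (\d+)$", name)
    if m:
        return (5, int(m.group(1)))
    m = re.match(r"Java 2 Runtime Environment, SE v1\.4\.\d+_(\d+)$", name)
    if m:
        return (4, int(m.group(1)))
    m = re.match(r"Java\(TM\) (\d+) Update (\d+)$", name)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    return None


def triage(listing: str) -> dict:
    """Apply the rules to a listing and return findings by category."""
    # Keep the first occurrence only: duplicate uninstall entries are common.
    names = list(dict.fromkeys(line.strip() for line in listing.splitlines() if line.strip()))

    antivirus = [n for n in names if ANTIVIRUS.match(n)]

    javas = {}
    for n in names:
        v = java_version(n)
        if v is not None:
            javas[n] = v
    newest = max(javas.values()) if javas else None
    # Every older JRE stays installed alongside the newest one and keeps
    # its vulnerable browser plugin registered, so all of them go.
    stale_java = [n for n, v in javas.items() if v != newest]

    return {
        # One resident scanner is the rule; two competing is itself a finding.
        "multiple_av": antivirus if len(antivirus) > 1 else [],
        "registry_cleaners": [n for n in names if REG_CLEANER.search(n)],
        "p2p": [n for n in names if P2P.match(n)],
        "java_newest": next((n for n, v in javas.items() if v == newest), None),
        "stale_java": stale_java,
    }


# Constructed excerpt of the list posted earlier in this thread.
SAMPLE_LISTING = """
Adobe Reader 8.1.3
avast! Antivirus
AVG Free 8.0
Azureus Vuze
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_11
Java(TM) 6 Update 3
Java(TM) 6 Update 7
Mozilla Firefox (3.0.1)
Uniblue RegistryBooster 2009
Uniblue RegistryBooster 2009
Windows Defender
"""

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LISTING).items():
        print(f"{category}: {items}")
```

Run against the excerpt it reproduces the reply above: both AV products are reported, RegistryBooster and Azureus are flagged, and every Java entry except Java(TM) 6 Update 7 lands in stale_java. The out-of-date Adobe Reader is not caught because version currency needs a vendor feed, which this example does not model; that check stays manual here.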

Re: Possible Malware/Hijacking

Post by Ferretman » November 13th, 2008, 11:38 pm

Awesome katana--thank you for the suggestions! I'll probably implement tomorrow night and post something either Friday or Saturday.

You guys are great. Really appreciate the assist.


Steve

Re: Possible Malware/Hijacking

Post by Ferretman » November 18th, 2008, 1:02 am

Just a quick note that I'm still working this--took me some work to get Java uninstalled. Should be done soon.....

Steve

Re: Possible Malware/Hijacking

Post by Ferretman » November 21st, 2008, 12:19 am

katana wrote: Information

AntiVirus
You appear to have AVG8 and Avast



I usually only run AVG all the time, and Avast on a time-to-time basis. No issues here.



Registry Cleaners

Re. Uniblue RegistryBooster 2009

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners
Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.

http://forums.whatthetech.com/Regcleaner_t42862.html



Yeah, this was downloaded during the early phase of my trying to figure out what the heck was going on. I didn't need it anymore; it's gone.

Step 1


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt




Mbam scanned for minutes seconds and found 4 infections. It produced the following log:


Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 5.1.2600 Service Pack 3

11/20/2008 9:02:20 PM
mbam-log-2008-11-20 (21-02-20).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 182537
Time elapsed: 46 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.backupengine (Rogue.AntiSpyKit) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdsslog.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssserf.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssserf1.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS50ab.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steven Woodcock\Local Settings\Temp\TDSSc881.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSerrors.log (Trojan.TDSS) -> Quarantined and deleted successfully.




Step 2



Download and Run ComboFix



And here is that log:


ComboFix 08-11-19.08 - Steven Woodcock 2008-11-20 21:05:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.359 [GMT -7:00]
Running from: c:\documents and settings\Steven Woodcock\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2008-10-21 to 2008-11-21 )))))))))))))))))))))))))))))))
.

2008-11-20 20:14 . 2008-11-20 20:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-15 09:26 . 2008-11-15 09:26 0 --a------ c:\windows\system32\REN10D.tmp
2008-11-15 09:26 . 2008-11-15 09:26 0 --a------ c:\windows\system32\REN10C.tmp
2008-11-15 09:26 . 2008-11-15 09:26 0 --a------ c:\windows\system32\REN10B.tmp
2008-11-14 08:46 . 2008-11-14 08:46 <DIR> d-------- c:\program files\Foxit Software
2008-11-14 07:01 . 2008-11-20 06:37 <DIR> d-------- c:\program files\QuickTime
2008-11-14 07:01 . 2008-11-14 07:01 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-14 06:57 . 2008-11-14 06:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-11 07:27 . 2008-11-11 07:28 <DIR> d-------- C:\rsit
2008-11-11 07:27 . 2008-11-11 07:37 <DIR> d-------- c:\program files\trend micro
2008-11-08 11:02 . 2008-11-08 11:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-08 10:38 . 2008-11-09 08:19 <DIR> d-------- c:\program files\Trojan Remover
2008-11-08 10:38 . 2008-11-08 10:38 <DIR> d-------- c:\documents and settings\Steven Woodcock\Application Data\Simply Super Software
2008-11-08 10:38 . 2008-11-08 10:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2008-11-08 10:38 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2008-11-08 10:38 . 2003-02-02 20:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2008-11-08 10:38 . 2005-08-26 01:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2008-11-08 10:38 . 2002-03-06 01:00 75,264 --a------ c:\windows\system32\unacev2.dll
2008-11-08 02:11 . 2008-11-08 02:11 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-08 02:11 . 2008-11-08 02:11 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-08 02:11 . 2008-11-08 02:11 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-08 02:11 . 2008-11-08 02:11 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-08 01:30 . 2005-11-09 00:26 38,400 --a------ c:\windows\system32\moveex.exe
2008-11-07 23:24 . 2008-11-07 23:24 <DIR> d-------- c:\program files\AVG
2008-11-07 23:24 . 2008-11-08 02:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-07 22:07 . 2008-11-07 22:10 <DIR> d-------- c:\windows\$regcmp$
2008-11-06 21:41 . 2008-11-06 21:44 <DIR> d-------- c:\windows\NV39563960.TMP
2008-10-30 18:13 . 2008-10-30 18:16 <DIR> d-------- c:\windows\NV38723876.TMP
2008-10-29 18:40 . 2008-10-29 18:42 <DIR> d-------- c:\windows\NV40724076.TMP
2008-10-29 18:08 . 2008-10-29 18:11 <DIR> d-------- c:\windows\NV39601916.TMP
2008-10-29 17:28 . 2008-10-29 17:33 <DIR> d-------- c:\windows\NV22123660.TMP
2008-10-28 17:25 . 2008-10-28 17:27 <DIR> d-------- c:\windows\NV30443564.TMP
2008-10-27 20:32 . 2008-11-06 21:44 <DIR> d-------- c:\windows\nview
2008-10-27 20:32 . 2008-10-27 20:34 <DIR> d-------- c:\windows\NV35043508.TMP
2008-10-27 20:32 . 2008-10-07 12:33 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-10-27 20:32 . 2008-11-20 21:10 195,368 --a------ c:\windows\system32\nvapps.xml
2008-10-27 20:32 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu
2008-10-27 20:31 . 2008-10-02 09:07 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-10-27 20:23 . 2008-10-28 19:55 <DIR> d-------- c:\program files\MultiRes
2008-10-27 20:22 . 2008-10-27 20:22 <DIR> d-------- c:\program files\Nvidia Omega Drivers
2008-10-27 19:28 . 2008-10-27 19:31 <DIR> d-------- c:\windows\NV38963900.TMP
2008-10-27 19:11 . 2008-10-27 19:21 <DIR> d-------- c:\windows\NV25522568.TMP
2008-10-27 18:05 . 2008-10-27 18:09 <DIR> d-------- c:\windows\NV30081300.TMP
2008-10-27 05:46 . 2008-10-27 15:39 <DIR> d-------- c:\windows\NV39283932.TMP
2008-10-27 04:44 . 2008-10-27 04:46 <DIR> d-------- c:\windows\NV40802372.TMP
2008-10-26 17:51 . 2008-10-26 18:04 <DIR> d-------- c:\windows\NV3484684.TMP
2008-10-26 17:51 . 2008-10-07 13:33 201,157 --a------ c:\windows\system32\nvapps.nvb
2008-10-26 16:27 . 2008-10-26 16:27 10,962 --a------ C:\gbpvr.zip
2008-10-25 22:23 . 2008-10-25 22:25 <DIR> d-------- c:\windows\NV23803976.TMP
2008-10-25 22:22 . 2008-10-25 22:22 <DIR> d-------- C:\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 13:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-15 16:26 --------- d-----w c:\program files\Java
2008-11-14 19:02 --------- d-----w c:\documents and settings\Steven Woodcock\Application Data\PreCast
2008-11-14 15:43 --------- d-----w c:\program files\Common Files\Adobe
2008-11-14 14:01 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-14 13:57 --------- d-----w c:\program files\Apple Software Update
2008-11-12 14:58 --------- d-----w c:\documents and settings\Steven Woodcock\Application Data\Azureus
2008-11-11 14:33 --------- d-----w c:\program files\Google
2008-11-09 15:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-08 14:42 --------- d-----w c:\program files\Windows Defender
2008-11-08 09:39 --------- d-----w c:\program files\SpeedFan
2008-11-08 05:54 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-08 05:53 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-28 03:22 737,280 ----a-w c:\windows\iun6002.exe
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 23:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 23:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-11 14:02 --------- dc----w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-11 13:47 --------- d-----w c:\documents and settings\Steven Woodcock\Application Data\Malwarebytes
2008-10-11 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-11 03:03 --------- d-----w c:\program files\Zamaan's Software
2008-10-11 02:47 --------- d-----w c:\program files\MalwareSweeper.com
2008-10-11 00:36 --------- d-----w c:\documents and settings\Steven Woodcock\Application Data\OpenOffice.org2
2008-10-09 22:26 --------- d-----w c:\program files\Picasa2
2008-10-07 20:33 6,133,856 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-10-03 16:27 --------- d-----w c:\documents and settings\All Users\Application Data\PopCap
2008-10-03 16:21 --------- d-----w c:\program files\PopCap Games
2008-10-03 14:38 --------- d-----w c:\program files\MSECACHE
2008-10-01 01:21 --------- d-----w c:\documents and settings\Steven Woodcock\Application Data\Juniper Networks
2008-09-25 03:26 --------- d--h--w c:\documents and settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-02-04 01:25 215 ---ha-w c:\documents and settings\Steven Woodcock\Application Data\hpothb07.dat
2001-11-23 04:08 712,704 -c--a-w c:\windows\inf\OTHER\AUDIO3D.DLL
2006-09-29 05:20 8 --sha-r c:\windows\system32\FE3FFDF5A4.sys
2006-09-29 05:20 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Malware Sweeper"="c:\program files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe" [2007-11-11 696320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-08 1234712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

c:\documents and settings\Steven Woodcock\Start Menu\Programs\Startup\
GB-PVR Tray.lnk - c:\program files\devnz\gbpvr\GBPVRTray.exe [2008-05-27 110592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"msacm.ctmp3"= c:\windows\system32\ctmp3.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PreCast Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PreCast Monitor.lnk
backup=c:\windows\pss\PreCast Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steven Woodcock^Start Menu^Programs^Startup^1st QuickRes.lnk]
path=c:\documents and settings\Steven Woodcock\Start Menu\Programs\Startup\1st QuickRes.lnk
backup=c:\windows\pss\1st QuickRes.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steven Woodcock^Start Menu^Programs^Startup^GBPVRTray.exe.lnk]
path=c:\documents and settings\Steven Woodcock\Start Menu\Programs\Startup\GBPVRTray.exe.lnk
backup=c:\windows\pss\GBPVRTray.exe.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steven Woodcock^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Steven Woodcock\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BHR]
--a------ 2006-10-24 21:14 9375744 c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT HPW]
--a------ 2007-04-25 12:36 280064 c:\program files\Portrait Displays\HP My Display\dthtml.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\flockbox]
--a------ 2007-12-14 16:59 1071472 d:\apps\My Lockbox\flockbox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malware Sweeper]
--a------ 2007-11-11 15:20 696320 c:\program files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-10-07 13:33 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PivotSoftware]
--a------ 2007-02-09 12:17 694008 c:\program files\Portrait Displays\Pivot Software\wpCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a--c--- 2000-05-11 00:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2003-03-20 13:21 1855488 c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WebClient"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"UPHClean"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TrkWks"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=2 (0x2)
"SwPrv"=3 (0x3)
"SQLWriter"=2 (0x2)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"upnphost"=2 (0x2)
"SCardSvr"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Apps\\Trillian\\trillian.exe"=

R0 hpt3xx;hpt3xx;c:\windows\system32\DRIVERS\hpt3xx.sys [2004-02-09 43907]
R0 hptpro;hptpro;c:\windows\system32\DRIVERS\hptpro.sys [2004-02-09 9809]
R0 MPRIFL;MPRIFL;c:\windows\system32\DRIVERS\MPRIFL.SYS [2008-01-05 17264]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\DRIVERS\SI3112r.sys [2004-05-12 102528]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-05 78416]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2004-02-14 11889]
R1 NEOFLTR_550_12857;Juniper Networks TDI Filter Driver (NEOFLTR_550_12857);\??\c:\windows\system32\Drivers\NEOFLTR_550_12857.SYS [2008-03-10 64144]
R1 Pivot;Pivot;c:\windows\system32\drivers\pivot.sys [2008-01-08 17465]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-05 20560]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2007-02-10 29178224]
S2 CTpvr Recorder;CTpvr Recorder;c:\program files\CTpvr\CTpvrRecorder.exe []
S2 UMAXPCLS;Print Port Scanner Driver;c:\windows\system32\DRIVERS\umaxpcls.sys [2004-08-04 22912]
S3 iteio;iteio;\??\c:\windows\System32\drivers\iteio.sys [2004-02-09 3680]
S3 itsernum;itsernum Filter ÅX°Êµ{¦¡;c:\windows\system32\DRIVERS\itsernum.sys [2004-02-09 20133]
S3 pivotmou;Pivot Mouse/Pointers Filter Driver;\??\c:\windows\system32\drivers\pivotmou.sys [2008-01-08 11323]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8429d986-106e-11db-8e22-00502c08af8e}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EDDC0222-1E6B-11D3-A468-00605205B0B3}]
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\1stqres.inf,AQR.Install.PerUser.NT
.
Contents of the 'Scheduled Tasks' folder

2008-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Steven Woodcock\Application Data\Mozilla\Firefox\Profiles\default.f8y\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://slashdot.org/
FF -: plugin - c:\documents and settings\Steven Woodcock\Application Data\Mozilla\Firefox\Profiles\default.f8y\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF -: plugin - c:\documents and settings\Steven Woodcock\Application Data\Mozilla\Firefox\Profiles\default.f8y\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npagent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npcpbrkuk7.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npcsau7.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF -: plugin - c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 21:11:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\devnz\gbpvr\GBPVRRecordingService.exe
c:\program files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\locator.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-11-20 21:14:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-21 04:14:36

Pre-Run: 168,984,252,416 bytes free
Post-Run: 170,722,930,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
C:\="Microsoft Windows"

282 --- E O F --- 2008-11-20 13:04:39




Step 3


Remove Programs

Older versions of some programs have vulnerabilities that malware can use to infect your system.

Now click Start---Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista) . If any of the following programs are listed there,
click on the program to highlight it, and click on remove.
  • Adobe Reader 8.1.3 << See below for updating Adobe
  • J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_11
    Java(TM) 6 Update 3
    Java(TM) 6 Update 4
Now close the Control Panel.



Done! Removing the Java took some digging; it looked as if they weren't properly installed; had to poke around the Sun site to find instructions on removal.


Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • MalwareBytes Log
  • ComboFix Log
  • How are things running now ?



Done and done.

So far no hijacks seem to be happening and I can get to WindowsUpdate just fine.

Steve
Ferretman
Active Member
 
Posts: 12
Joined: November 8th, 2008, 4:35 pm
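The ComboFix log above is read by hand in this thread. As an added example (not ComboFix's own code, and not part of the original post), the script below parses the line formats that appear in that log's "Reg Loading Points" section and flags the entries a helper looks at first: a startup value that is only a bare file name (resolved via the search path), an AppInit_DLLs entry (loaded into every GUI process), a service or driver whose file is missing (ComboFix prints an empty `[]`, as for "CTpvr Recorder" above), and a mountpoints2 AutoRun command for removable media. The sample input is constructed from lines of the posted log; the flag heuristics are this example's own, not ComboFix rules.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code).

Handles four line shapes seen in the log posted above:
  "name"="path" [date size]                  autorun values under a ...\Run key
  "AppInit_DLLs"=dll                          DLLs loaded into every GUI process
  R0 name;display;path [date size]            drivers/services; [] means file missing
  \Shell\AutoRun\command - X:\file.exe        mountpoints2 AutoRun for removable media
"""
import re

# Constructed sample: lines copied from the log above (paths are the log's own).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-08 1234712]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2004-02-14 11889]
S2 CTpvr Recorder;CTpvr Recorder;c:\program files\CTpvr\CTpvrRecorder.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8429d986-106e-11db-8e22-00502c08af8e}]
\Shell\AutoRun\command - F:\LaunchU3.exe
"""

RUN_KEY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>.*)$')
DRIVER_RE = re.compile(
    r'^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?) \[(?P<meta>[^\]]*)\]$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command - (?P<cmd>.+)$')


def _entry(kind, name, path, where):
    """Build one record and attach the review flags this example uses."""
    flags = []
    low = path.lower()
    # A bare file name is located through the search path rather than an explicit folder.
    if low and "\\" not in low and ":" not in low:
        flags.append("bare filename, resolved via search path")
    if kind == "appinit" and low:
        flags.append("DLL injected into every GUI process")
    return {"kind": kind, "name": name, "path": path, "where": where, "flags": flags}


def parse_combofix(text):
    """Return a list of {'kind','name','path','where','flags'} for every recognised line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # remember the registry key we are under
            continue
        m = RUN_KEY_RE.match(line)
        if m and section and section.lower().endswith("\\run"):
            entries.append(_entry("run", m["name"], m["path"], section))
            continue
        m = APPINIT_RE.match(line)
        if m:
            entries.append(_entry("appinit", "AppInit_DLLs", m["dlls"], section))
            continue
        m = DRIVER_RE.match(line)
        if m:
            e = _entry("driver", m["name"], m["path"], m["start"])
            if m["meta"] == "":           # ComboFix prints [] when the binary is absent
                e["flags"].append("file missing")
            entries.append(e)
            continue
        m = AUTORUN_RE.match(line)
        if m:
            e = _entry("autorun", "mountpoints2", m["cmd"], section)
            e["flags"].append("removable-media AutoRun")
            entries.append(e)
    return entries


def flagged(entries):
    """Only the entries that carry at least one review flag."""
    return [e for e in entries if e["flags"]]


if __name__ == "__main__":
    for e in flagged(parse_combofix(SAMPLE_LOG)):
        print(f"{e['kind']:8} {e['name']:16} {e['path']:44} {'; '.join(e['flags'])}")
```

Run against the sample it lists `nwiz`, `AppInit_DLLs`, `CTpvr Recorder` and the `F:\LaunchU3.exe` AutoRun; the AVG tray entry and the keyboard filter driver pass through unflagged. A flag is a prompt to look, not a verdict: in the log above both `nwiz.exe` and `avgrsstx.dll` belong to legitimate software.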

Re: Possible Malware/Hijacking

Unread postby Katana » November 21st, 2008, 8:28 am

Looking good :)
Let's make sure we got everything


Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Possible Malware/Hijacking

Unread postby Ferretman » November 22nd, 2008, 11:50 am

katana wrote:Looking good :)
Let's make sure we got everything


Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Kaspersky took a long time to do its thing (it seemed to really hang up on .rar files during the scan) but eventually (overnight) produced the following report:


*KASPERSKY ONLINE SCANNER 7 REPORT*
Saturday, November 22, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3
(build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 22, 2008 02:28:25
Records in database: 1401208

*Scan settings*
Scan using the following database extended
Scan archives yes
Scan mail databases yes
*Scan area* My Computer
A:\
C:\
D:\
E:\
W:\
X:\
Y:\
Z:\
*Scan statistics*
Files scanned 128786
Threat name 1
Infected objects 2
Suspicious objects 0
Duration of the scan 06:32:55


*File name* *Threat name* *Threats count*
C:\Documents and Settings\Steven
Woodcock\.housecall6.6\Quarantine\kf141.zip.bac_a01728 Infected:
not-a-virus:PSWTool.Win32.RAS.a 2
* The selected area was scanned.*



Looks to me like it found something, though it's not terribly clear what.

Your thoughts?

Steve
Ferretman
Active Member
 
Posts: 12
Joined: November 8th, 2008, 4:35 pm

Re: Possible Malware/Hijacking

Unread postby Katana » November 22nd, 2008, 4:25 pm

Ferretman wrote:\.housecall6.6\Quarantine\kf141.zip.bac_a01728
Looks to me like it found something, though it's not terribly clear what.

The only thing it found has already been quarantined :)


Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First let's tidy up



  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
You can also delete any logs we have produced, and empty your Recycle bin.







The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partne ... bscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for home users) and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE 7 a more secure browser; unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
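The post above describes the hosts file as a local phone book that maps a site name to its IP address, used by tools such as MVPS HOSTS to block bad sites. The same file is also how an infection can make update and security sites unreachable, which matches the symptoms that opened this thread. As an added example (not from the thread or any of the tools it names), the script below parses a hosts file and reports any mapping of a security-relevant name, distinguishing entries that merely black-hole a name (loopback or 0.0.0.0, the defensive pattern) from entries that redirect it elsewhere. The watch-list of name suffixes and the sample hosts content are constructed for the example; 203.0.113.7 is a documentation address standing in for an attacker-chosen one.

```python
"""Hosts-file review (added example, not code from the thread or the tools it names).

A blocking list such as MVPS HOSTS only ever maps advertising and tracking
names to a black-hole address. A mapping of an update or security-vendor
name, to any address, is something a helper would want to see.
"""
import ipaddress

# Constructed watch-list: name suffixes whose presence in a hosts file is worth a look.
WATCH_SUFFIXES = ("microsoft.com", "windowsupdate.com", "malwareremoval.com",
                  "kaspersky.com", "bleepingcomputer.com", "avg.com")

# Constructed sample file: a normal header, two blocking-list entries, then
# entries of the kind that produce "can't reach Windows Update / the forums".
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# blocking-list style: advertising names sent to a black hole, harmless
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.badsite.example   # trailing comment
# hijack style: security sites blocked or redirected
127.0.0.1       www.kaspersky.com
203.0.113.7     windowsupdate.microsoft.com
203.0.113.7     www.malwareremoval.com   update.microsoft.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments and blanks are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments, incl. trailing ones
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                             # address with no names: nothing maps
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed address, not a usable mapping
        for host in parts[1:]:                   # one address may carry several names
            yield str(ip), host.lower(), no


def is_blackhole(ip):
    """Loopback or unspecified addresses block the name rather than redirect it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def review_hosts(text, watch=WATCH_SUFFIXES):
    """Return one finding per mapping of a watched name.

    kind == 'blocked'    : points at a black-hole address, the site becomes unreachable
    kind == 'redirected' : points somewhere else, traffic goes where the file says
    """
    findings = []
    for ip, host, no in parse_hosts(text):
        if any(host == s or host.endswith("." + s) for s in watch):
            kind = "blocked" if is_blackhole(ip) else "redirected"
            findings.append({"line": no, "host": host, "ip": ip, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in review_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['host']:32} -> {f['ip']:14} {f['kind']}")
```

On a real XP machine the file lives at `%SystemRoot%\system32\drivers\etc\hosts`; read it into `review_hosts` in place of the sample. Entries for advertising names pointed at 0.0.0.0 are exactly what a blocking list installs and are not reported; the watched names are, whether blocked or redirected, because a legitimate blocking list has no reason to touch them.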

Re: Possible Malware/Hijacking

Unread postby Ferretman » November 22nd, 2008, 9:03 pm

I'll give the Combfix run a try to be sure. I had missed that option in my readup on it.

The other stuff I already do or duplicates things I already do, so I appreciate the advice. I already pinpointed the source of the infection, as it turned out--should have spotted it sooner but that's what long hours will do for your PC's health!

I'll post back results in a day or so, but I agree--things are looking goodly.

Steve
Ferretman
Active Member
 
Posts: 12
Joined: November 8th, 2008, 4:35 pm

Re: Possible Malware/Hijacking

Unread postby Katana » November 22nd, 2008, 9:50 pm

Ferretman wrote:I'll give the Combfix run a try to be sure.


I'm sorry, I don't understand you.


A word of warning: Neither I nor sUBs are responsible for any damage you may cause your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester