Free Malware Removal Forum

[WinBMY]

Here would be my friend's PC.
And I check it with Hijackthis, it is infected by Backdoor.IRCBot.rh on the following line:

O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINDOWS\system\smss.exe (file missing)

Here shows another trojan infection:

O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)

Windows XP SP1 is out-of-date version, should be upgrade to XP2

Platform: Windows XP SP1 (WinNT 5.01.2600)

How these infection can be cure?
Here is the full Hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 上午 11:29:56, on 2006/12/24
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\DWN\ThisJackHi.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINDOWS\system\smss.exe (file missing)
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)

[askey127]

Hi WinBMY,
There is a Very Dangerous Infection on this machine. It allows outsiders COMPLETE access to every keystroke, account, and password used while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to :

• Disconnect from Internet
• Re-Format the entire drive
• Re-Install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to corrupt the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover by remote control as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:

• The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
• The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect.
  IN THIS CASE we have a Remote Access Trojan, the worst kind.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:

• Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
• Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
• If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
  Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
• From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
• DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
• Take any other steps you think appropriate for an attempted identity theft.

Other information that may be useful :

• How to do a reformat : http://spyware-free.us/tutorials/reformat
• How to report ID theft, fraud, drive-by installs, hijacking and malware : http://www.dslreports.com/faq/10451
• Decision to Reformat or Repair : http://www.dslreports.com/faq/10063
• Danger: Remote Access Trojans (very technical article by Microsoft) : http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx

Please let me know what you decide.

If you want to try and remove the infection, start here:
-----------------------------------------------------------
Uninstall one of the two firewalls. The log is showing both Kerio and Sygate.
-----------------------------------------------------------
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

• In Safe Mode, right click the SDFix.zip folder and choose Extract All,
• Open the extracted folder and double click RunThis.bat to start the script.
• Type Y to begin the script.
• It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• Your system will take longer that normal to restart as the fixtool will be running and removing files.
• When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
• Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log. Please do not edit the log in any way before you post it.

askey127

[WinBMY]

My friend want to try to remove the infection first. If it is not easy to remove, then reformat and reinstall.

Now I am using my computer to post this message:
Following is the SDFix Report:

SDFix: Version 1.51
****************

??? 2006/12/24 - 22:26:20.59

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

SMSS
sysmgr64
WINLOGON

File Path:

"C:\WINDOWS\system\smss.exe"
"C:\WINDOWS\sysmgr64.exe"
"C:\WINDOWS\system\winlogon.exe"

SMSS Deleted...
sysmgr64 Deleted...
WINLOGON Deleted...

Starting Registry Repairs...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------


Backing Up and Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Services:
---------


Authorized Applications Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


Files:
------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\LastGood.Tmp\INF\oem0.inf
C:\WINDOWS\LastGood.Tmp\INF\oem0.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem1.inf
C:\WINDOWS\LastGood.Tmp\INF\oem1.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem2.inf
C:\WINDOWS\LastGood.Tmp\INF\oem2.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem3.inf
C:\WINDOWS\LastGood.Tmp\INF\oem3.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem4.inf
C:\WINDOWS\LastGood.Tmp\INF\oem4.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem5.inf
C:\WINDOWS\LastGood.Tmp\INF\oem5.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem6.inf
C:\WINDOWS\LastGood.Tmp\INF\oem6.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem7.inf
C:\WINDOWS\LastGood.Tmp\INF\oem7.PNF

FINISHED!

Here is the Hijacthis log after SDFix

Logfile of HijackThis v1.99.1
Scan saved at 下午 10:37:10, on 2006/12/24
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\DWN\ThisJackHi.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O20 - Winlogon Notify: WLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

[askey127]

WinBMY
-----------------------------------------------------------
Disable AVG Anti-Spyware (formerly ewido)

• Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
• In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
• If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
• Reply 'no' and set it to 'inactive' for the duration of your cleanup.

-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Scan. When the Scan is complete, Check the following entry:
O20 - Winlogon Notify: WLogon - C:\WINDOWS\
Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked.
-----------------------------------------------------------
Download Blacklight Beta from here:
http://www.f-secure.com/blacklight/try_blacklight.html
* Hit I accept. It will take you to the download page.
* Download blbeta.exe and save it to the C:\
* Once saved... double click blbeta.exe to install the program.
Go to Start-->Run, copy in the following text and press Enter:
C:\blbeta.exe /expert
(space between blbeta.exe and /expert)

Accept the agreement, leave [X]scan through Windows Explorer checked.
Click > scan, Then > next
You'll see a list of all items found.
Exit blacklight.
There will also be a log in C:\ with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply, along with a new HJT log.

askey

[WinBMY]

Here is the blbeta.exe scan log:

12/25/06 10:45:07 [Info]: BlackLight Engine 1.0.47 initialized
12/25/06 10:45:07 [Info]: OS: 5.1 build 2600 (Service Pack 1)
12/25/06 10:45:07 [Note]: 7019 4
12/25/06 10:45:07 [Note]: 7005 0
12/25/06 10:45:09 [Note]: 7006 0
12/25/06 10:45:09 [Note]: 7022 0
12/25/06 10:45:09 [Note]: 7011 1900
12/25/06 10:45:09 [Note]: 7026 0
12/25/06 10:45:09 [Note]: 7026 0
12/25/06 10:45:09 [Note]: FSRAW library version 1.7.1020
12/25/06 10:45:42 [Note]: 7007 0

And here is the HJT log after line 20 Fixed by Hijackthis and blbeta.exe
Logfile of HijackThis v1.99.1
Scan saved at 上午 10:53:19, on 2006/12/25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\DWN\ThisJackHi.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

[askey127]

WinBMY,
Print out these instructions or save to a notepad file on your desktop, as you will not be able to get to the Internet to view them during part of this procedure.

-----------------------------------------------------------
Download and install CCleaner from here.
Set Options in CCleaner and run Cleaning Scan. Open the CCleaner program.
( Do not use the Issues block to clean anything with this program. It is for experts only and it is risky).

• Select all Temp Files for Removal.
  Click on the Options block on the left. Select Advanced.
  Uncheck "Only delete files in Windows Temp folders older than 48 hours".
  
• Clear the Prefetch Folder. Click on the Custom button.
  Click Add Folder. When the dialog comes up, go find C:\Windows\Prefetch\ and click OK.
  A warning will come up saying that the folder will be emptied upon cleaning. Are you sure, etc. Click Yes.
  
• Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
  Check everything Except Autocomplete Form History and the Advanced part of the Menu. Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
  
• Reset Temp File Removal for Regular Use.
  Click on the Options block on the left. Select the Advanced button.
  Check "Only delete files in Windows Temp folders older than 48 hours".
  
• Reset Prefetch Folder.Click on the Custom button. In the pane titled Custom Files and Folders to Clean, highlight C:\Windows\prefetch\, and click Remove Selected. A message will come up to verify, Remove the entry?. Click Yes.

------------------------------------------------
Run AVG AntiSpyware Scan
launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
In the AVG Anti-Spyware Status Menu. Select the Update button and click Start update. Wait until you see the "Update succesfull" message. Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

Reboot your computer in SAFE MODE using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with AVG Anti-Spyware as follows:

• Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
  - Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  - Under "How to Scan?" check all (default).
  - Under "Possibly unwanted software" check all (default).
  - Under "What to Scan?" make sure "Scan every file" is selected (default).
  - Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
  
• Click the "Scan" tab to return to scanning options.
  
• Click "Complete System Scan" to start.
  Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.
  
• When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
  IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  
• Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20061031-090001.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  
• Exit AVG Anti-Spyware when done.

Open the report with Notepad and paste a copy into your next reply.
askey

[WinBMY]

Happy X'mas!
Here is the HJT log after CClearner and AVG Antispyware scan.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 下午 09:49:49 2006/12/25

+ Scan result:



Nothing found.



::Report end

I will not come to my Friend's home until next Friday. He know very few about PC. Therefore, before next Frieday I come to his home, I told him not to connect to Internet by using his infection PC.

[askey127]

WinBMY,
Good idea of yours to keep it off the internet until we are done.
I believe the infection has been cleared.
Now to remove parts of the infection that were saved in System Restore files, and add a few protective settings.
-----------------------------------------------------------
Disable WinXP System Restore
Disable your System Restore to remove malware files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing them. The only way to erase these files is to temporarily disable System Restore. You will lose all previous restore points which are likely to be infected.
- Right-click My Computer, and then click Properties.
- On the System Restore tab, put a Check mark in the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
If you are not prompted to reboot, do it on your own.
-----------------------------------------------------------
After the Reboot,
Enable WinXP System Restore
- Right-click My Computer, and then click Properties.
- On the System Restore tab, Clear the Check mark beside the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
The Disable/Re-enable System Restore sequence is not to be done regularly, but only once after the removal of malware.
-----------------------------------------------------------
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.
-----------------------------------------------------------
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from inadvertently connecting to malware, spyware and adware sites by redirecting the connection request back to your own machine address (127.0.0.1).
If you use a proxy server, or if you are on AOL, or if you use Norton to scan e-mail, be sure to read the special instructions.

BlueTack's HOSTS Manager is here:
http://www.bluetack.co.uk/forums/index.php?act=dscript&CODE=showdetails&f_id=5
If you download and install it first, you can use it to handle your HOSTS file download, edits, and most any other HOSTS issue.

Download and Read an excellent instruction about HOSTS files (the Bluetack version) here:
http://www.bluetack.co.uk/forums/index.php?showtopic=8406
Be sure to read the note about disabling the service "DNS Client" when using large HOSTS files, to avoid slowdowns.

If you have a firewall, you may have to give permission to Unlock the present default HOSTS file before you copy / install the new one.
You may also have to give additional permission during installation of the new one.

askey127

[WinBMY]

Thanks, and the log look clean right now.

I have done what ever you tole me to do in my friend's computer.

Thanks again, and Happy New Year!

[askey127]

WinBMY,
Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.

askey127