
Thread: resident shield alert & block of downloads

  1. #1
    Junior Member
    Join Date
    Aug 2008
    Posts
    9

    resident shield alert & block of downloads

    I am getting a series of pop up windows titled "Resident Shield Alert" that states that a threat has been detected with the identification of a file. This happens periodically and identifies various files.

    Also, I was getting unrequested music being played for about 10 seconds. This also happened periodically until I reviewed the zonealarm program list and blocked permission to everything I could not identify. I got a zonealarm window indicating that "abceddes" of dxtxfst.sys (in system32 directory) was seeking access. I think this is the music seeking program.

    I note that a program "afinding.exe" has also been detected by zonealarm as seeking access; I denied the request.

    And I get a pop up window when I attempt to download a file, e.g. hijackthis, that states security on this computer does not allow such a download. I have never seen this on other computers. This window does not identify what program is generating it. So I have downloaded hijackthis on another computer and transferred the file to this computer and run it.

    I started the computer in safe mode and ran spybot S&D 1.6. No threats were found.

    The hjt log follows. I would appreciate help. This is a laptop PC used mainly by my wife.

    ------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:59:28 AM, on 8/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\AFinding.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\macidwe.exe
    C:\WINDOWS\system32\Nobicyt.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    C:\WINDOWS\system32\perfs.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\routing.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\sobicyt.exe
    C:\WINDOWS\system32\tdxdowkc.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WServing.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NETGEAR WG511v2 Smart Wizard.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175455764608
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175462531507
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINDOWS\system32\AFinding.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
    O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
    O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
    O23 - Service: routing Service (routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
    O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
    O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
    O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe

    --
    End of file - 7440 bytes

    -----------------

  2. #2
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
    * Run Spybot-S&D in Advanced Mode.
    * If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
    * On the left hand side, Click on Tools
    * Then click on the Resident Icon in the List
    * Uncheck "Resident TeaTimer" and OK any prompts.
    * Restart your computer.
    (leave TT disabled until we finish)

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    2) Remove any old copies of combofix before you proceed.

    Thanks to sUBs and anyone else who helped with this fix.

    It is important that it is saved directly to your Desktop.

    Download ComboFix from Here to your Desktop
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

    Post the combofix log and a new HJT log.

    Tutorial
    http://www.bleepingcomputer.com/comb...o-use-combofix

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Aug 2008
    Posts
    9

    reply to instructions

    Hello PSKelly,

    Thanks for your help! (fyi my son-in-law is Patrick Kelly)

    I turned off teatimer. I had to download combofix from another computer since malware seemed to be blocking or at least interfering with access to the internet/internet explorer. I had to transfer the combofix file via a flashdrive in safe mode. Anyway, I managed to get it installed on the subject (this) computer. I ran it and then hijackthis. After running combofix, this computer booted up much better, i.e. without any pop up "resident shield threat" windows - so far. And I am able to post this using the infected computer.

    Below are the combofix and hjt logs.

    ComboFix 08-08-13.05 - Owner 2008-08-14 10:10:13.1 - FAT32x86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\6GWU3CMB\interclick.com
    C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\6GWU3CMB\interclick.com\ud.sol
    C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\Documents and Settings\Owner\Cookies.\owner@ads.revsci[1].txt
    C:\Documents and Settings\Owner\Cookies.\owner@amazon[1].txt
    C:\Documents and Settings\Owner\Cookies.\owner@hb.pcworld[2].txt
    C:\Documents and Settings\Owner\Cookies.\owner@live[3].txt
    C:\Documents and Settings\Owner\Cookies.\owner@revsci[2].txt
    C:\Documents and Settings\Owner\Cookies.\owner@speakeasy[1].txt
    C:\Documents and Settings\Owner\Cookies.\owner@www.cafemom[2].txt
    C:\WINDOWS\system32\afinding.exe
    C:\WINDOWS\system32\comsa32.sys
    C:\WINDOWS\system32\fhpatch.dll
    C:\WINDOWS\system32\IPHACTION.dll
    C:\WINDOWS\system32\IPHOST.dll
    C:\WINDOWS\system32\iphy.dll
    C:\WINDOWS\system32\IpSvchostF.dll
    C:\WINDOWS\system32\KarnaDrv.dll
    C:\WINDOWS\system32\Nobicyt.exe
    C:\WINDOWS\system32\riphy.dll
    C:\WINDOWS\system32\routing.exe
    C:\WINDOWS\system32\sobicyt.exe
    C:\WINDOWS\system32\syspilog.pil
    C:\WINDOWS\system32\WServing.exe

    Infected copy of C:\WINDOWS\system32\svchost.exe was found & disinfected
    Restored copy from - C:\WINDOWS\ServicePackFiles\i386\svchost.exe


    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AFINDING
    -------\Legacy_MACIDWE
    -------\Legacy_PERFS
    -------\Legacy_ROUTING
    -------\Legacy_SOBICYT
    -------\Legacy_TDXDOWKC
    -------\Legacy_WSERVING
    -------\Service_afinding
    -------\Service_macidwe
    -------\Service_perfs
    -------\Service_routing
    -------\Service_sobicyt
    -------\Service_tdxdowkc
    -------\Service_wserving
    -------\Legacy_nobicyt
    -------\Service_nobicyt


    ((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
    .

    2008-08-13 15:23 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-11 09:58 . 2008-08-11 09:58 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-11 09:56 . 2008-08-11 09:56 <DIR> d-------- C:\Program Files\Yahoo!
    2008-08-11 09:55 . 2008-08-11 09:55 <DIR> d-------- C:\Program Files\CCleaner
    2008-08-10 14:39 . 2008-08-10 14:39 58 ---hs---- C:\WINDOWS\system32\User.ini
    2008-08-10 14:34 . 2008-08-10 14:34 45,568 -r-hs---- C:\WINDOWS\system32\wmoptimizer.dll
    2008-08-10 14:33 . 2008-08-10 14:33 3,072 --a------ C:\WINDOWS\system32\downer.exe
    2008-08-09 21:45 . 2008-08-09 21:45 0 --a------ C:\WINDOWS\nsreg.dat
    2008-08-09 14:41 . 2008-08-09 14:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-08-08 22:03 . 2008-07-19 15:56 102,400 --a------ C:\WINDOWS\system32\_reproxy.dll
    2008-08-08 20:47 . 2008-08-08 20:47 <DIR> d--hs---- C:\FOUND.001
    2008-08-08 20:25 . 2008-08-08 20:25 <DIR> d--h----- C:\$AVG8.VAULT$

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-14 15:17 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2008-08-14 15:17 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-08-09 03:03 117,615 ----a-w C:\WINDOWS\system32\new2.exe
    2008-07-12 15:45 90,112 ----a-w C:\WINDOWS\DUMP304a.tmp
    2008-07-09 14:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
    2008-07-09 14:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2008-07-08 16:47 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-07-08 16:47 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
    2008-06-24 15:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
    2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-08-10 12:58 18,000 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2006-12-04 16:38 53,248 ----a-w C:\WINDOWS\inf\WG511v2\snetcfg .exe
    2006-12-04 16:38 265,984 ----a-w C:\WINDOWS\inf\WG511v2\WG511v2XP.sys
    2006-12-04 16:38 265,856 ----a-w C:\WINDOWS\inf\WG511v2\WG511v2.sys
    2006-12-04 16:38 249,856 ----a-w C:\WINDOWS\inf\WG511v2\InsDrvlh.exe
    2006-12-04 16:38 212,992 ----a-w C:\WINDOWS\inf\WG511v2\CopyWHQLDriver.exe
    2006-12-04 16:38 21,376 ----a-w C:\WINDOWS\inf\WG511v2\wlndis51.sys
    .
    ----a-w            53,248 2006-12-04 16:38:30  C:\WINDOWS\inf\WG511v2\snetcfg .exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-12-19 00:12 151552]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-12-19 00:04 98304]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2001-08-09 18:21 118784]
    "IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2001-11-05 19:40 77824]
    "LoadFujitsuQuickTouch"="C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" [2001-09-10 15:35 184320]
    "LoadBtnHnd"="C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" [2001-12-14 15:37 61440]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-08 19:50 155648]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-08 11:47 1232152]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
    "LTSMMSG"="LTSMMSG.exe" [2001-10-17 05:06 45056 C:\WINDOWS\LTSMMSG.exe]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    Check for TWS Updates.lnk - C:\Jts\WiseUpdt.exe [2008-04-01 17:09:01 194775]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-08 11:47]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-08 11:47]
    R2 PMEMNT;PMEMNT;C:\WINDOWS\System32\pmemnt.sys [2000-09-01 11:11]
    R2 WMOptimizer;Windows Media Optimizer;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]
    R3 {6D08DE67-D457-4d38-A7F5-D88CCB81EE00};AIM 3.0 NS2501;C:\WINDOWS\system32\drivers\A306.sys [2001-12-27 13:38]
    R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-10-17 05:06]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    wmosvr REG_MULTI_SZ WMOptimizer

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84e44b90-03f9-11dd-ad66-000fb5fd5724}]
    \Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure20.exe
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0pm5602s.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-14 10:20:19
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
    C:\PROGRAM FILES\AVG\AVG8\AVGWDSVC.EXE
    C:\WINDOWS\SYSTEM32\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\AVG\AVG8\AVGRSX.EXE
    C:\PROGRAM FILES\APOINT2K\APNTEX.EXE
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-14 10:27:01 - machine was rebooted [Owner]
    ComboFix-quarantined-files.txt 2008-08-14 15:26:16

    Pre-Run: 19,253,084,160 bytes free
    Post-Run: 19,421,167,616 bytes free

    184 --- E O F --- 2008-08-14 14:08:17


    ---------------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:32:16 AM, on 8/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NETGEAR WG511v2 Smart Wizard.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175455764608
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175462531507
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    --
    End of file - 6351 bytes

    ---------------------
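The O23 (service) lines are where the first HJT log in this thread gives the infection away: eight services with no vendor, a generic "<name> Service" display name and a bare executable in system32, all of which the ComboFix run reported in the third post then deleted. The Python below is an added example, not code from the thread, from HijackThis or from ComboFix; it parses O23 lines, scores each service on those three traits, and diffs the two HJT logs to list which services disappeared. The sample lines are copied from the two logs above; the trait thresholds are my own assumption.

```python
import re
from dataclasses import dataclass

# HijackThis O23 line layout: "O23 - Service: <display> (<name>) - <owner> - <path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)
# A bare executable sitting directly in system32, not inside a vendor subfolder.
BARE_SYSTEM32_EXE = re.compile(r"(?i)^c:\\windows\\system32\\[^\\]+\.exe$")


@dataclass(frozen=True)
class ServiceEntry:
    display: str
    name: str
    owner: str
    path: str


def parse_o23(log_lines):
    """Return the O23 service entries in a HijackThis log; all other lines are skipped."""
    entries = []
    for line in log_lines:
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(**m.groupdict()))
    return entries


def flag_service(entry):
    """List the traits that make this service worth a closer look (empty = nothing notable)."""
    reasons = []
    if entry.owner.lower() == "unknown owner":
        reasons.append("no vendor recorded for the service")
    if BARE_SYSTEM32_EXE.match(entry.path):
        reasons.append("executable dropped directly into system32")
    if entry.display.lower() == f"{entry.name.lower()} service":
        reasons.append("display name is just '<name> Service'")
    return reasons


def suspicious_services(log_lines, min_reasons=2):
    """Map service name -> reasons, for services showing at least min_reasons traits (assumed threshold)."""
    result = {}
    for entry in parse_o23(log_lines):
        reasons = flag_service(entry)
        if len(reasons) >= min_reasons:
            result[entry.name] = reasons
    return result


def services_removed(before_lines, after_lines):
    """Names of O23 services present in the earlier log but gone from the later one."""
    before = {e.name.lower() for e in parse_o23(before_lines)}
    after = {e.name.lower() for e in parse_o23(after_lines)}
    return sorted(before - after)


# Sample input: the O23 lines copied from the first HJT log (before ComboFix) ...
BEFORE_LOG = r"""
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINDOWS\system32\AFinding.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: routing Service (routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe
""".strip().splitlines()

# ... and from the second HJT log, taken after ComboFix had run.
AFTER_LOG = r"""
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
""".strip().splitlines()


if __name__ == "__main__":
    for name, reasons in suspicious_services(BEFORE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
    print("removed after ComboFix:", ", ".join(services_removed(BEFORE_LOG, AFTER_LOG)))
```

The same three traits are only a triage heuristic: a legitimate service can match one of them, which is why the example requires at least two before it reports a name.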

  4. #4
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks for the feedback, keep a close eye on things as we proceed, this was a badly infected computer. I am not sure about this item being flagged by combofix:
    C:\WINDOWS\inf\WG511v2\snetcfg .exe <<< would you scan that file in red and post the results.
    http://virusscan.jotti.org/

    The HJT log looks to be clean of malware, let's run another scan for a second opinion:
    Download Malwarebytes' Anti-Malware to your Desktop
    http://www.besttechie.net/tools/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    * Please post contents of that file in your next reply.

    This is the next bridge we must cross:

    I am sure you saw this:
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    http://www.bleepingcomputer.com/comb...o-use-combofix
    Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
    If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
    If you do not wish to install RC, let me know so I can continue with the cleanup.
    If you install RC, post the C:\CF-RC.txt.

    Since we do not need to scan with combofix, click NO





    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    Junior Member
    Join Date
    Aug 2008
    Posts
    9

    reply 2

    Hello and thanks for continuing guidance,

    I tested the "snetcfg.exe" file as requested and got a 'status - OK' and 'nothing found' from all testing programs.

    Attached is the malwarebytes log. It reported finding nothing.

    However, I have had several occurrences of the same malware pop up windows about security threats. So there must be something remaining.

    I attempted to do the Recovery Console install, but I failed at the step of installing the software from Microsoft. The download goes OK, I click on RUN, and it appears to install. Then a command window opens asking for the drive where it expects to write 6 floppy disks. Do I actually have to let it write the 6 disks? I never got the OPEN field since I did not enter my 'A' drive letter. Guess I thought I would not have to write to floppy disks.

    Let me know on this. [expecting reply: duh - follow instructions and write the 6 floppy disks]

    ----------------

    Malwarebytes' Anti-Malware 1.24
    Database version: 1052
    Windows 5.1.2600 Service Pack 2

    2:00:06 PM 8/14/2008
    mbam-log-8-14-2008 (14-00-06).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 74716
    Time elapsed: 36 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    -------------------------

  6. #6
    pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)


    Thanks for the feedback, I received additional information about that item. Hold off on the Recovery Console, you must be reading it wrong, I will provide detailed directions soon.

    1) C:\WINDOWS\system32\wmoptimizer.dll <<< please scan this file for infections and post the results.

    2) Open notepad and copy/paste the text in the codebox below into it:

    Code:
    RenV::
    C:\WINDOWS\inf\WG511v2\snetcfg .exe
    
    File::
    C:\WINDOWS\system32\downer.exe
    F:\JDSecure\Windows\JDSecure20.exe
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84e44b90-03f9-11dd-ad66-000fb5fd5724}]

    Save this as CFScript

    Referring to the picture above, drag CFScript into ComboFix.exe.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

    3) Run this online scan using Internet Explorer:
    Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

    Next Click on Launch Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    * Standard
    * Scan Options:
    * Scan Archives
    * Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
    * Select My Computer
    * The program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
    * Save the file to your desktop.

    Then post it here along with the combofix log from CFScript, a new HJT log and a report on how the computer is running now and the information about the file you scanned.

    Thanks

    Platform: Windows XP SP2 <<< You may have cut the information off in the combofix scan, I need to know if your version of Windows XP is HOME or PROFESSIONAL
    Last edited by pskelley; 2008-08-14 at 22:35. Reason: additional information needed

  7. #7
    Junior Member (Join Date: Aug 2008, Posts: 9)

    another reply

    Hello,

    Computer still experiencing a few of the same malware pop up windows, but MUCH better, i.e. less frequent.

    I looked in the folder system32 for "wmoptimizer.dll" but this file was not in that path. ?? I had view hidden files/system folders turned on, but still no such file was seen in the identified path.

    Attached are the requested logs. I see that Kaspersky found several infected objects.

    This computer is running OS: XP Home.

    ------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:35:15 PM, on 8/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
    C:\PROGRA~1\AVG\AVG8\avgupd.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NETGEAR WG511v2 Smart Wizard.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175455764608
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175462531507
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    --
    End of file - 6420 bytes

    -------------

    ComboFix 08-08-13.05 - Owner 2008-08-14 18:19:11.2 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.142 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\downer.exe
    F:\JDSecure\Windows\JDSecure20.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\downer.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
    .

    2008-08-14 13:22 . 2008-08-14 13:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-08-14 13:22 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-14 13:21 . 2008-08-14 13:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-14 13:21 . 2008-08-14 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-14 13:21 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-13 15:23 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-11 09:58 . 2008-08-11 09:58 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-11 09:56 . 2008-08-11 09:56 <DIR> d-------- C:\Program Files\Yahoo!
    2008-08-11 09:55 . 2008-08-11 09:55 <DIR> d-------- C:\Program Files\CCleaner
    2008-08-10 14:39 . 2008-08-10 14:39 58 ---hs---- C:\WINDOWS\system32\User.ini
    2008-08-10 14:34 . 2008-08-10 14:34 45,568 -r-hs---- C:\WINDOWS\system32\wmoptimizer.dll
    2008-08-09 21:45 . 2008-08-09 21:45 0 --a------ C:\WINDOWS\nsreg.dat
    2008-08-09 14:41 . 2008-08-09 14:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-08-08 22:03 . 2008-07-19 15:56 102,400 --a------ C:\WINDOWS\system32\_reproxy.dll
    2008-08-08 20:47 . 2008-08-08 20:47 <DIR> d--hs---- C:\FOUND.001
    2008-08-08 20:25 . 2008-08-08 20:25 <DIR> d--h----- C:\$AVG8.VAULT$

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-14 15:51 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2008-08-14 15:51 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-08-14 14:56 8,393,255 ------w C:\WINDOWS\Internet Logs\tvDebug.zip
    2008-08-14 14:13 2,729,984 ------w C:\WINDOWS\Internet Logs\xDB1.tmp
    2008-08-09 03:03 117,615 ----a-w C:\WINDOWS\system32\new2.exe
    2008-07-12 15:45 90,112 ----a-w C:\WINDOWS\DUMP304a.tmp
    2008-07-09 14:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
    2008-07-09 14:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2008-07-08 16:47 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-07-08 16:47 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
    2008-06-24 15:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
    2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-08-10 12:58 18,000 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2006-12-04 16:38 53,248 ----a-w C:\WINDOWS\inf\WG511v2\snetcfg.exe
    2006-12-04 16:38 265,984 ----a-w C:\WINDOWS\inf\WG511v2\WG511v2XP.sys
    2006-12-04 16:38 265,856 ----a-w C:\WINDOWS\inf\WG511v2\WG511v2.sys
    2006-12-04 16:38 249,856 ----a-w C:\WINDOWS\inf\WG511v2\InsDrvlh.exe
    2006-12-04 16:38 212,992 ----a-w C:\WINDOWS\inf\WG511v2\CopyWHQLDriver.exe
    2006-12-04 16:38 21,376 ----a-w C:\WINDOWS\inf\WG511v2\wlndis51.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-12-19 00:12 151552]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-12-19 00:04 98304]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2001-08-09 18:21 118784]
    "IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2001-11-05 19:40 77824]
    "LoadFujitsuQuickTouch"="C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" [2001-09-10 15:35 184320]
    "LoadBtnHnd"="C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" [2001-12-14 15:37 61440]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-08 19:50 155648]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-08 11:47 1232152]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
    "LTSMMSG"="LTSMMSG.exe" [2001-10-17 05:06 45056 C:\WINDOWS\LTSMMSG.exe]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    Check for TWS Updates.lnk - C:\Jts\WiseUpdt.exe [2008-04-01 17:09:01 194775]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-08 11:47]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-08 11:47]
    R2 PMEMNT;PMEMNT;C:\WINDOWS\System32\pmemnt.sys [2000-09-01 11:11]
    R3 {6D08DE67-D457-4d38-A7F5-D88CCB81EE00};AIM 3.0 NS2501;C:\WINDOWS\system32\drivers\A306.sys [2001-12-27 13:38]
    R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-10-17 05:06]
    S2 WMOptimizer;Windows Media Optimizer;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    wmosvr REG_MULTI_SZ WMOptimizer

    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-14 18:23:52
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-14 18:25:24
    ComboFix-quarantined-files.txt 2008-08-14 23:25:16
    ComboFix2.txt 2008-08-14 15:27:08

    Pre-Run: 19,991,347,200 bytes free
    Post-Run: 19,983,810,560 bytes free

    133 --- E O F --- 2008-08-14 14:08:17

    -----------------------

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Thursday, August 14, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Thursday, August 14, 2008 23:56:35
    Records in database: 1094021
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 43771
    Threat name: 7
    Infected objects: 13
    Suspicious objects: 0
    Duration of the scan: 01:33:48


    File name / Threat name / Threats count
    C:\WINDOWS\system32\new2.exe Infected: Trojan.Win32.Agent.ynl 1
    C:\WINDOWS\system32\new2.exe Infected: Trojan-Proxy.Win32.Small.uy 1
    C:\WINDOWS\system32\dxtxfst.sys Infected: Trojan-Clicker.Win32.VB.bob 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.yjy 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\WServing.exe.vir Infected: Trojan-Downloader.Win32.Delf.ltw 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\Nobicyt.exe.vir Infected: Trojan-Downloader.Win32.Delf.ltr 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\IPHOST.dll.vir Infected: Trojan.Win32.Agent.ynl 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\sobicyt.exe.vir Infected: Trojan-Downloader.Win32.Delf.ltr 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\downer.exe.vir Infected: Trojan-Downloader.Win32.NanoDesu.bm 1
    C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP368\A0034806.EXE Infected: Trojan.Win32.Agent.yjy 1
    C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP368\A0034809.exe Infected: Trojan-Downloader.Win32.Delf.ltw 1
    C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP361\A0032860.exe Infected: Trojan.Win32.Agent.ynl 1
    C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP361\A0032860.exe Infected: Trojan-Proxy.Win32.Small.uy 1

    The selected area was scanned.

    ---------------------
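The ComboFix log above is the one place in this thread where the pop-up service shows its loading path: `S2 WMOptimizer` has `svchost.exe` as its image, and the `svchost` key lists a group `wmosvr` whose only member is `WMOptimizer`, while the "Files Created" section shows `wmoptimizer.dll` written on 2008-08-10 with `-r-hs----` (read-only, hidden, system) attributes. The log does not print the ServiceDll value, so treating that DLL as the payload of the `wmosvr` group is an inference, not something the log states. The script below is an added example, not part of the thread or of ComboFix: it parses the excerpt (copied from the log above) and reports every svchost-hosted service, the group carrying it, and any hidden+system files, which is the join a reader would otherwise do by eye. `STANDARD_GROUPS` is an illustrative allowlist I assume for a stock XP SP2 install, not an authoritative list; ComboFix itself suppresses known-default entries, so a group it prints at all deserves a look regardless of the allowlist.

```python
import re

# Constructed excerpt: these lines are copied from the ComboFix log posted
# above ("Files Created" and "Reg Loading Points" sections). ComboFix omits
# empty and known-default entries, so any svchost group it does print was
# added by something outside a stock install.
COMBOFIX_EXCERPT = r"""
2008-08-10 14:39 . 2008-08-10 14:39 58 ---hs---- C:\WINDOWS\system32\User.ini
2008-08-10 14:34 . 2008-08-10 14:34 45,568 -r-hs---- C:\WINDOWS\system32\wmoptimizer.dll
2008-08-08 20:47 . 2008-08-08 20:47 <DIR> d--hs---- C:\FOUND.001

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-08 11:47]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-08 11:47]
R2 PMEMNT;PMEMNT;C:\WINDOWS\System32\pmemnt.sys [2000-09-01 11:11]
S2 WMOptimizer;Windows Media Optimizer;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
wmosvr REG_MULTI_SZ WMOptimizer
"""

# Assumption: an illustrative allowlist of svchost groups on a stock XP SP2
# install. Not exhaustive; a miss means "inspect", not "malware".
STANDARD_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss",
                   "dcomlaunch", "imgsvc", "termsvcs", "httpfilter"}

# "S2 name;display name;image path [timestamp]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[.*\]$")
# "group REG_MULTI_SZ member1 member2 ..." (members assumed space-separated)
GROUP_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")
# "created . modified size attrs path"; attrs are d r a h s plus four unused slots
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(<DIR>|[\d,]+)\s+"
    r"([d-][r-][a-][h-][s-]-{4})\s+(.+)$")


def parse_reg_loading_points(text):
    """Return (services, groups): services is a list of dicts, groups maps an
    svchost group name to the list of service names it carries."""
    services, groups = [], {}
    in_svchost_key = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_svchost_key = line.lower().endswith("\\svchost]")
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path = m.groups()
            services.append({"start": start, "name": name,
                             "display": display, "path": path})
            continue
        m = GROUP_RE.match(line)
        if m and in_svchost_key:
            groups[m.group(1)] = m.group(2).split()
    return services, groups


def svchost_hosted(text):
    """List services whose image is svchost.exe, with the group that hosts
    them and whether that group is on the allowlist."""
    services, groups = parse_reg_loading_points(text)
    member_to_group = {member.lower(): group
                       for group, members in groups.items() for member in members}
    findings = []
    for svc in services:
        if not svc["path"].lower().endswith("\\svchost.exe"):
            continue
        group = member_to_group.get(svc["name"].lower())
        findings.append({"service": svc["name"], "display": svc["display"],
                         "start": svc["start"], "group": group,
                         "standard_group": group is not None
                         and group.lower() in STANDARD_GROUPS})
    return findings


def hidden_system_files(text):
    """Return (path, attrs) for entries carrying both the hidden and system
    attributes; Explorer hides these until "Hide protected operating system
    files" is also switched off."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m and "h" in m.group(2) and "s" in m.group(2):
            out.append((m.group(3), m.group(2)))
    return out


if __name__ == "__main__":
    for f in svchost_hosted(COMBOFIX_EXCERPT):
        note = "" if f["standard_group"] else "  <-- non-standard group, check its ServiceDll"
        print(f"{f['start']} {f['service']} ({f['display']}) -> svchost group {f['group']}{note}")
    for path, attrs in hidden_system_files(COMBOFIX_EXCERPT):
        print(f"hidden+system {attrs} {path}")
```

On a live box the next step would be to read `HKLM\SYSTEM\CurrentControlSet\Services\WMOptimizer\Parameters\ServiceDll` and check the file it names; the script stops at what the posted log can support.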

  8. #8
    pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)


    Thanks for returning your information and the feedback, you said:
    Computer still experiencing a few of the same malware pop up windows
    Could you describe these popups? Where are they directing you? Do they occur offline or online? Any information to give me a direction to look in. Removing the items KOS located may stop the popups.

    C:\WINDOWS\system32\wmoptimizer.dll <<< there may be nothing wrong with the file but I wish to be sure. Use Search Companion:
    Start > Search > Files and Folders > put wmoptimizer.dll in the box and click search. Allow time, there are a lot of files to look through.

    Most of the items Kaspersky Online Scan (KOS) found are in combofix quarantine and infected System Restore files, which we will address as soon as Recovery Console is installed, but there are a few that may be a problem; navigate to them and delete them manually.

    The files in RED, let me know of any problems, we can use CFScript if needed.

    C:\WINDOWS\system32\new2.exe Infected: Trojan.Win32.Agent.ynl 1
    C:\WINDOWS\system32\new2.exe Infected: Trojan-Proxy.Win32.Small.uy 1
    C:\WINDOWS\system32\dxtxfst.sys Infected: Trojan-Clicker.Win32.VB.bob 1

    Recovery Console: for XP Home download this file to your Desktop
    Go here: http://support.microsoft.com/kb/310994
    scroll down to here, that is the download link:
    Windows XP Service Pack 2 (SP2)
    For information about the Setup boot disk versions that are available for download, visit the following Microsoft Web sites:
    Windows XP Home Edition SP2
    http://www.microsoft.com/downloads/d...displaylang=en

    Save the download to your Desktop, then drag it to combofix as in this picture:

    Since we do not need to scan with combofix, click NO

    post the C:\*CF-RC.txt* so I can be sure it is installed.

    Thanks
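The sorting pskelley does above by eye (quarantined copies and System Restore snapshots are inert, the two files still under system32 are not) is worth automating when a scanner report is longer than this one. The script below is an added example, not from the thread or from Kaspersky: it takes the 13 detection lines copied from the KOS report above, buckets each by location, merges paths reported under more than one signature (new2.exe appears twice), and pairs each bucket with the remediation the thread prescribes for it. The `ACTIONS` strings paraphrase pskelley's later instructions (manual deletion or CFScript, `Combofix /u`, the System Restore off/on cycle) and are my wording, not quotes.

```python
import re

# Constructed input: the detection lines copied verbatim from the Kaspersky
# Online Scanner report posted above.
KOS_REPORT = r"""
C:\WINDOWS\system32\new2.exe Infected: Trojan.Win32.Agent.ynl 1
C:\WINDOWS\system32\new2.exe Infected: Trojan-Proxy.Win32.Small.uy 1
C:\WINDOWS\system32\dxtxfst.sys Infected: Trojan-Clicker.Win32.VB.bob 1
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.yjy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\WServing.exe.vir Infected: Trojan-Downloader.Win32.Delf.ltw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Nobicyt.exe.vir Infected: Trojan-Downloader.Win32.Delf.ltr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\IPHOST.dll.vir Infected: Trojan.Win32.Agent.ynl 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sobicyt.exe.vir Infected: Trojan-Downloader.Win32.Delf.ltr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\downer.exe.vir Infected: Trojan-Downloader.Win32.NanoDesu.bm 1
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP368\A0034806.EXE Infected: Trojan.Win32.Agent.yjy 1
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP368\A0034809.exe Infected: Trojan-Downloader.Win32.Delf.ltw 1
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP361\A0032860.exe Infected: Trojan.Win32.Agent.ynl 1
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP361\A0032860.exe Infected: Trojan-Proxy.Win32.Small.uy 1
"""

# "path Infected: threat-name count"
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Remediation per bucket, paraphrasing (assumed wording) the steps the thread
# prescribes for each kind of location.
ACTIONS = {
    "live": "delete manually (or list under File:: in a CFScript), then rescan",
    "combofix_quarantine": "already neutralised; removed when ComboFix is uninstalled (Combofix /u)",
    "system_restore": "purge by turning System Restore off, rebooting, and turning it back on",
}


def classify(path):
    """Bucket a detection by where the file lives, case-insensitively."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix_quarantine"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    return "live"


def triage(report):
    """Map bucket -> {path: [threat names]}, merging repeated paths so a file
    flagged under two signatures (new2.exe above) counts once."""
    buckets = {"live": {}, "combofix_quarantine": {}, "system_restore": {}}
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        buckets[classify(m["path"])].setdefault(m["path"], []).append(m["threat"])
    return buckets


def live_paths(report):
    """The only paths that still need a hands-on deletion."""
    return list(triage(report)["live"])


if __name__ == "__main__":
    for bucket, files in triage(KOS_REPORT).items():
        print(f"{bucket}: {len(files)} file(s) -> {ACTIONS[bucket]}")
        for path, threats in files.items():
            print(f"  {path}  [{', '.join(threats)}]")
```

Run against the posted report it leaves exactly two live paths, `new2.exe` and `dxtxfst.sys`, which matches what the poster deleted by hand in the next reply.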

  9. #9
    Junior Member (Join Date: Aug 2008, Posts: 9)

    making progress

    Hello PSKelly,

    The malware pop up window only occurs when on the internet or internet explorer is running. Since we normally use IE as the browser, it is running while accessing the internet so it is hard to separate actual internet connection versus IE running. The content of this pop up window is a list of 1 to 6 computer files that it identifies as containing a trojan/malware. It also shows several buttons: fix, ignore, cancel, check box for 'professional user'. I always just click the red X in the upper right to close this window. Many times it will pop up again within a few seconds to one minute.

    While on this computer during this session (and performing the requested actions), no pop ups have occurred.

    Re: wmoptimizer.dll I ran the XP search engine looking in all of the C drive for this file, with checking for system and hidden files ON, and it found no results. Is it possible that some action taken since the log file listing it was made to cause it to be deleted/moved?

    I successfully manually moved the 2 KOS files (3 were listed but one was listed twice due to two different malware infections) to the trash bin, and then emptied the trash.

    Thanks for the information on how to do the Recovery Console install. I previously went to the same site and downloaded the same file. But when I ran it (without using Combofix), it asked to write to 6 floppy disks in an installation window. Your method seemed to have worked. I attach the install log file below. I assume (I have not yet rebooted since this installation) that it provides a window/pause during boot up allowing alternate choices for the boot up process.

    Again, I really appreciate your expertise and assistance.

    --------------------

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    -------------------

  10. #10
    pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)


    Thanks for the feedback, RC was installed correctly, here is a little information:
    http://support.microsoft.com/kb/314058
    http://support.microsoft.com/kb/307654

    Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.
    While on this computer during this session (and performing the requested actions), no pop ups have occurred.
    Keep an eye open for any additional information, from what you posted, I have no idea what it is. It may be the files you removed manually were responsible. Run your resident programs after an update, AVG 8 and Ad-aware, Spybot.
    Spybot S&D see this:
    Spybot-S&D 1.6 has arrived! 8. July 2008
    http://www.safer-networking.org/en/
    http://www.safer-networking.org/en/news/2008-07-08.html

    Let's go ahead with the combofix removal like this:

    Click START then RUN
    Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U, it needs to be there.

    Clean any infected System Restore files like this:

    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot

    Turn ON System Restore,
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    It would not hurt to run a fresh MBAM scan also. The tool is yours to keep if you wish. I personally turn it off and use it as a backup on-demand scanner. Some rogue infections block the download of MBAM, so I like to keep it onboard.

    Let me know how the computer is running after the scans, I will post this information now so you can benefit from it.

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...Phil
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

    http://users.telenet.be/bluepatchy/m...oes/Links.html
