Page 2 of 2 FirstFirst 12
Results 11 to 18 of 18

Thread: Virtumonde, Smitfraud-C

  1. 2008-12-10, 00:02 #11
    mkejoey24z
    mkejoey24z is offline
    Member
    Join Date
    Dec 2007
    Posts
    30

    Default

    Here is a new HJT after everything was done:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:58:34 PM, on 12/9/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TVersity\Media Server\MediaServer.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2564B8E6-7D84-11D4-A689-30475BC10000} (Tkweb Control) - http://www.toolkitcma.com/tkweb/tkweb.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1181159403687
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/...2/axofupld.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
    O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
    O24 - Desktop Component 0: (no name) - http://a612.ac-images.myspacecdn.com...8bd334a46b.jpg
    O24 - Desktop Component 1: (no name) - http://rds.yahoo.com/_ylt=A9gnMibTdY...foto/21431.jpg

    --
    End of file - 9207 bytes

    Here Is the combo fix logfile:ComboFix 08-12-07.04 - Joey 2008-12-09 15:13:33.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.173 [GMT -6:00]
    Running from: c:\documents and settings\Joey\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Joey\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\documents and settings\Joey\z.bat
    c:\windows\system32\cvvfksun.ini
    c:\windows\system32\dllhosts.exe
    c:\windows\system32\drivers\ksecddd.sys
    c:\windows\system32\eekahlid.ini
    c:\windows\system32\jagpvdax.ini
    c:\windows\system32\nmlmlper.ini
    c:\windows\system32\OVvGNXbc.ini2
    c:\windows\system32\tjbpalsp.dll
    c:\windows\system32\tpcdabym.ini
    c:\windows\system32\vbzip10.dll
    c:\windows\Tasks\hsclfcmx.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Joey\Application Data\inst.exe
    c:\documents and settings\Joey\Application Data\LimeWire
    c:\documents and settings\Joey\Application Data\LimeWire\412splashfree.png
    c:\documents and settings\Joey\Application Data\LimeWire\413splashfree.png
    c:\documents and settings\Joey\Application Data\LimeWire\414splashfree.png
    c:\documents and settings\Joey\Application Data\LimeWire\active.mojito
    c:\documents and settings\Joey\Application Data\LimeWire\certificate\limewire.keystore
    c:\documents and settings\Joey\Application Data\LimeWire\createtimes.cache
    c:\documents and settings\Joey\Application Data\LimeWire\data.ser
    c:\documents and settings\Joey\Application Data\LimeWire\downloads.dat
    c:\documents and settings\Joey\Application Data\LimeWire\fileurns.cache
    c:\documents and settings\Joey\Application Data\LimeWire\filters.props
    c:\documents and settings\Joey\Application Data\LimeWire\gnutella.net
    c:\documents and settings\Joey\Application Data\LimeWire\installation.props
    c:\documents and settings\Joey\Application Data\LimeWire\library.dat
    c:\documents and settings\Joey\Application Data\LimeWire\limewire.props
    c:\documents and settings\Joey\Application Data\LimeWire\mojito.props
    c:\documents and settings\Joey\Application Data\LimeWire\passive.mojito
    c:\documents and settings\Joey\Application Data\LimeWire\promotion\promodb.backup
    c:\documents and settings\Joey\Application Data\LimeWire\promotion\promodb.data
    c:\documents and settings\Joey\Application Data\LimeWire\promotion\promodb.lck
    c:\documents and settings\Joey\Application Data\LimeWire\promotion\promodb.log
    c:\documents and settings\Joey\Application Data\LimeWire\promotion\promodb.properties
    c:\documents and settings\Joey\Application Data\LimeWire\promotion\promodb.script
    c:\documents and settings\Joey\Application Data\LimeWire\pub1.key
    c:\documents and settings\Joey\Application Data\LimeWire\public.key
    c:\documents and settings\Joey\Application Data\LimeWire\questions.props
    c:\documents and settings\Joey\Application Data\LimeWire\responses.cache
    c:\documents and settings\Joey\Application Data\LimeWire\secureMessage.key
    c:\documents and settings\Joey\Application Data\LimeWire\simpp.xml
    c:\documents and settings\Joey\Application Data\LimeWire\spam.dat
    c:\documents and settings\Joey\Application Data\LimeWire\tables.props
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme.lwtp
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\01_star.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\02_star.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\03_star.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\04_star.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\05_star.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\chat.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\forward_up.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\kill.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\kill_on.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\logo.png
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\notsearching.png
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\pause_up.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\play_dn.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\play_up.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\question.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\searching.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\splash.png
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\splashpro.png
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\stop_up.gif
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\theme.txt
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\version.txt
    c:\documents and settings\Joey\Application Data\LimeWire\themes\windows_theme\warning.gif
    c:\documents and settings\Joey\Application Data\LimeWire\ttree.cache
    c:\documents and settings\Joey\Application Data\LimeWire\ttrees.cache
    c:\documents and settings\Joey\Application Data\LimeWire\ttroot.cache
    c:\documents and settings\Joey\Application Data\LimeWire\update.xml
    c:\documents and settings\Joey\Application Data\LimeWire\version.key
    c:\documents and settings\Joey\Application Data\LimeWire\version.xml
    c:\documents and settings\Joey\Application Data\LimeWire\versions.props
    c:\documents and settings\Joey\Application Data\LimeWire\xml\data\audio.sxml2
    c:\documents and settings\Joey\Application Data\LimeWire\xml\data\delete_me
    c:\documents and settings\Joey\Application Data\LimeWire\xml\data\video.sxml2
    c:\documents and settings\Joey\Application Data\LimeWire\xml\misc\application.gif
    c:\documents and settings\Joey\Application Data\LimeWire\xml\misc\audio.gif
    c:\documents and settings\Joey\Application Data\LimeWire\xml\misc\document.gif
    c:\documents and settings\Joey\Application Data\LimeWire\xml\misc\image.gif
    c:\documents and settings\Joey\Application Data\LimeWire\xml\misc\video.gif
    c:\documents and settings\Joey\Application Data\LimeWire\xml\schemas\application.xsd
    c:\documents and settings\Joey\Application Data\LimeWire\xml\schemas\audio.xsd
    c:\documents and settings\Joey\Application Data\LimeWire\xml\schemas\document.xsd
    c:\documents and settings\Joey\Application Data\LimeWire\xml\schemas\image.xsd
    c:\documents and settings\Joey\Application Data\LimeWire\xml\schemas\video.xsd
    c:\documents and settings\Joey\Localdir
    c:\documents and settings\Joey\Localdir\winlogo.exe
    c:\documents and settings\Joey\z.bat
    c:\windows\Sm9zZSBMdW5h
    c:\windows\Sm9zZSBMdW5h\mA6Wtm1gxqc1.vbs
    c:\windows\system32\_000005_.tmp.dll
    c:\windows\system32\aeptegtd.ini
    c:\windows\system32\cbXNGvVO.dll
    c:\windows\system32\cpgmmccy.ini
    c:\windows\system32\cvvfksun.ini
    c:\windows\system32\dllhosts.exe
    c:\windows\system32\eekahlid.ini
    c:\windows\system32\eqqsuoap.ini
    c:\windows\system32\hiniicga.ini
    c:\windows\system32\jagpvdax.ini
    c:\windows\system32\nmlmlper.ini
    c:\windows\system32\OVvGNXbc.ini
    c:\windows\system32\OVvGNXbc.ini2
    c:\windows\system32\qvcfjhuq.ini
    c:\windows\system32\tjbpalsp.dll
    c:\windows\system32\tpcdabym.ini
    c:\windows\system32\vbzip10.dll
    c:\windows\system32\ymnjxobn.ini
    c:\windows\Tasks\hsclfcmx.job

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_KSECDDD
    -------\Service_ksecddd


    ((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
    .

    2009-12-07 14:04 . 2009-12-07 14:04 <DIR> d-------- c:\program files\Microsoft Silverlight
    2009-12-07 13:32 . 2009-12-07 13:32 <DIR> d-------- c:\program files\Windows Defender
    2009-12-07 12:38 . 2009-12-09 12:02 4,958,588 --a------ c:\windows\{00000002-00000000-00000005-00001102-00000004-00531102}.BAK
    2009-12-05 21:01 . 2009-12-06 21:37 <DIR> d-------- c:\program files\a-squared Free
    2009-12-05 19:14 . 2009-12-09 02:59 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-12-05 19:08 . 2009-12-05 19:08 <DIR> d-------- c:\program files\AVG
    2009-12-05 19:08 . 2009-12-05 19:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-12-05 19:08 . 2009-12-05 19:08 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-12-05 00:02 . 2009-12-09 12:05 106 --a------ c:\windows\system32\jpg.dat
    2008-12-04 19:58 . 2008-12-04 19:58 64,859 --a------ c:\windows\system32\liirhegrpkwv.exe
    2008-12-04 19:56 . 2008-12-04 19:57 <DIR> d-------- c:\windows\system32\din
    2008-12-04 19:56 . 2009-12-09 02:59 <DIR> d-------- c:\windows\system32\av
    2008-11-21 19:43 . 2008-11-21 19:43 <DIR> d-------- c:\program files\iTunes
    2008-11-21 19:43 . 2008-11-21 19:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-11-12 03:48 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-12 03:48 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-09 17:21 --------- d-----w c:\program files\DVD Stuff
    2009-12-06 01:08 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-12-05 23:09 --------- d-----w c:\documents and settings\Joey\Application Data\Ahead
    2009-12-05 21:26 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-12-05 20:57 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-12-05 20:55 --------- d-----w c:\program files\SlySoft
    2009-12-05 20:55 --------- d-----w c:\documents and settings\All Users\Application Data\SlySoft
    2009-12-05 16:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-12-05 05:28 --------- d-----w c:\program files\Google
    2008-12-05 02:10 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
    2008-12-04 18:55 --------- d-----w c:\program files\ZipForm Desktop
    2008-12-03 01:52 86,528 ---h--w c:\windows\Optimiz.exe
    2008-12-01 04:34 --------- d-----w c:\documents and settings\Joey\Application Data\Vso
    2008-11-29 00:42 --------- d-----w c:\program files\Safari
    2008-11-22 01:43 --------- d-----w c:\program files\iPod
    2008-11-22 01:41 --------- d-----w c:\program files\QuickTime
    2008-11-22 01:40 --------- d-----w c:\program files\Common Files\Apple
    2008-11-18 02:42 --------- d-----w c:\program files\Hooked on Phonics Learning
    2008-11-14 00:01 --------- d-----w c:\documents and settings\Joey\Application Data\uTorrent
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-13 21:53 --------- d-----w c:\program files\Picasa2
    2008-01-27 16:56 47,360 ----a-w c:\documents and settings\Joey\Application Data\pcouffin.sys
    2007-07-01 14:26 21,848 ----a-w c:\documents and settings\Joey\Application Data\GDIPFONTCACHEV1.DAT
    2007-11-21 03:28 32 --sha-w c:\windows\{67D268EC-50B8-4632-BC9D-720FB01FECA1}.dat
    2007-11-21 03:28 32 --sha-w c:\windows\system32\{D2C8D8E0-3056-48B9-8AF4-1378908501DF}.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2009-12-09_12.09.06.24 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-03-13 16:57:10 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
    + 2005-10-21 02:02:28 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "SMSystemAnalyzer"="c:\program files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe" [2006-12-20 557056]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-05 1261336]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "CTHelper"="CTHELPER.EXE" [2007-04-09 c:\windows\system32\CtHelper.exe]
    "CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 c:\windows\system32\Ctxfihlp.exe]
    "nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-06-07 113664]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
    Kaspersky Anti-Hacker.lnk - c:\program files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe [2006-07-19 2195583]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiHacker]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R0 aliidex;aliidex;c:\windows\system32\drivers\aliidex.sys [2007-06-06 7040]
    R0 aliperf;aliperf;c:\windows\system32\drivers\aliperf.sys [2007-06-06 7168]
    R0 Klpf;Klpf;c:\windows\system32\drivers\Klpf.sys [2006-05-11 28979]
    R0 Klpid;Klpid;c:\windows\system32\drivers\Klpid.sys [2006-05-11 36534]
    R0 m5289;m5289;c:\windows\system32\DRIVERS\m5289.sys [2007-06-06 51840]
    R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\DRIVERS\agpkx.sys [2007-06-06 44928]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2009-12-05 97928]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-12-05 231704]
    R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
    R3 ULI5261;ULi Based Ethernet NT Driver;c:\windows\system32\DRIVERS\ULILAN.SYS [2007-06-06 29696]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2008-04-13 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
    - c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 11:13]

    2008-12-09 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

    c:\windows\system32\TKUNINST.EXE - c:\windows\system32\TKWEB.OCX
    O16 -: {2564B8E6-7D84-11D4-A689-30475BC10000}
    hxxp://www.toolkitcma.com/tkweb/tkweb.cab
    c:\windows\Downloaded Program Files\tkweb.inf
    FireFox -: Profile - c:\documents and settings\Joey\Application Data\Mozilla\Firefox\Profiles\ga1jjqz7.default\
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-09 15:19:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(980)
    c:\windows\system32\relog_ap.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\a-squared Free\a2service.exe
    c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\TVersity\Media Server\MediaServer.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-09 15:24:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-09 21:23:41
    ComboFix2.txt 2009-12-09 18:11:27

    Pre-Run: 402,229,092,352 bytes free
    Post-Run: 402,157,568,000 bytes free

    302 --- E O F --- 2008-11-12 21:14:48

    Hope I am on the right track. Thanks
  2. 2008-12-10, 00:07 #12
    mkejoey24z
    mkejoey24z is offline
    Member
    Join Date
    Dec 2007
    Posts
    30

    Smile

    Oh I forgot if you wanted the log for the Malwarebytes but here it is anyway just in case:

    Malwarebytes' Anti-Malware 1.31
    Database version: 1456
    Windows 5.1.2600 Service Pack 3

    12/9/2008 4:56:15 PM
    mbam-log-2008-12-09 (16-56-15).txt

    Scan type: Full Scan (C:\|G:\|)
    Objects scanned: 161918
    Time elapsed: 1 hour(s), 21 minute(s), 7 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 22

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\agadoo (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\nt32int.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\liirhegrpkwv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP544\A0894885.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP545\A0899694.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP545\A0900084.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP546\A0901965.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP546\A0904208.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP547\A0906977.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP548\A0907740.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP548\A0907998.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP550\A0909354.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP550\A0911439.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP557\A0914803.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP557\A0915036.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP560\A0915838.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP561\A0917108.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP539\A0889331.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP539\A0889711.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP564\A0918698.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP564\A0919208.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP542\A0893522.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{85E6A439-580F-4DD1-9159-1F51909486EF}\RP542\A0894056.dll (Trojan.Unclassified) -> Quarantined and deleted successfully.

    First one I did was the viral total scan,then the combofix, then malware and last was the HJT.Once again your help greatly appreciated!
  3. 2008-12-10, 16:08 #13
    Blade81
    Blade81 is offline
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Looking better

    Start hjt, do a system scan, check (if found):
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)

    Close browsers and fix checked.



    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
c:\windows\system32\jpg.dat
c:\windows\Optimiz.exe

Folder::
c:\windows\system32\din
c:\windows\system32\av

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Refering to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log & a fresh hjt log.


    Combofix should never take more that 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
  4. 2008-12-10, 23:13 #14
    mkejoey24z
    mkejoey24z is offline
    Member
    Join Date
    Dec 2007
    Posts
    30

    Default

    Here is the Combo fix log:

    ComboFix 08-12-07.04 - Joey 2008-12-10 15:50:23.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.314 [GMT -6:00]
    Running from: c:\documents and settings\Joey\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Joey\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\Optimiz.exe
    c:\windows\system32\jpg.dat
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Optimiz.exe
    c:\windows\system32\av
    c:\windows\system32\din
    c:\windows\system32\jpg.dat

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
    .

    2009-12-07 14:04 . 2009-12-07 14:04 <DIR> d-------- c:\program files\Microsoft Silverlight
    2009-12-07 13:32 . 2009-12-07 13:32 <DIR> d-------- c:\program files\Windows Defender
    2009-12-07 12:38 . 2008-12-10 15:47 4,958,588 --a------ c:\windows\{00000002-00000000-00000005-00001102-00000004-00531102}.BAK
    2009-12-05 21:01 . 2009-12-06 21:37 <DIR> d-------- c:\program files\a-squared Free
    2009-12-05 19:14 . 2009-12-09 02:59 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-12-05 19:08 . 2008-12-10 09:38 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-12-05 19:08 . 2009-12-05 19:08 <DIR> d-------- c:\program files\AVG
    2009-12-05 19:08 . 2009-12-05 19:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-12-05 19:08 . 2009-12-05 19:08 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-12-05 19:08 . 2009-12-05 19:08 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-12-09 15:29 . 2008-12-09 15:29 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-09 15:29 . 2008-12-09 15:29 <DIR> d-------- c:\documents and settings\Joey\Application Data\Malwarebytes
    2008-12-09 15:29 . 2008-12-09 15:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-09 15:29 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-09 15:29 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-11-21 19:43 . 2008-11-21 19:43 <DIR> d-------- c:\program files\iTunes
    2008-11-21 19:43 . 2008-11-21 19:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-11-12 03:48 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-12 03:48 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-09 17:21 --------- d-----w c:\program files\DVD Stuff
    2009-12-05 23:09 --------- d-----w c:\documents and settings\Joey\Application Data\Ahead
    2009-12-05 21:26 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-12-05 20:57 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-12-05 20:55 --------- d-----w c:\program files\SlySoft
    2009-12-05 20:55 --------- d-----w c:\documents and settings\All Users\Application Data\SlySoft
    2009-12-05 16:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-12-05 05:28 --------- d-----w c:\program files\Google
    2008-12-05 02:10 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
    2008-12-04 18:55 --------- d-----w c:\program files\ZipForm Desktop
    2008-12-01 04:34 --------- d-----w c:\documents and settings\Joey\Application Data\Vso
    2008-11-29 00:42 --------- d-----w c:\program files\Safari
    2008-11-22 01:43 --------- d-----w c:\program files\iPod
    2008-11-22 01:41 --------- d-----w c:\program files\QuickTime
    2008-11-22 01:40 --------- d-----w c:\program files\Common Files\Apple
    2008-11-18 02:42 --------- d-----w c:\program files\Hooked on Phonics Learning
    2008-11-14 00:01 --------- d-----w c:\documents and settings\Joey\Application Data\uTorrent
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-13 21:53 --------- d-----w c:\program files\Picasa2
    2008-01-27 16:56 47,360 ----a-w c:\documents and settings\Joey\Application Data\pcouffin.sys
    2007-07-01 14:26 21,848 ----a-w c:\documents and settings\Joey\Application Data\GDIPFONTCACHEV1.DAT
    2007-11-21 03:28 32 --sha-w c:\windows\{67D268EC-50B8-4632-BC9D-720FB01FECA1}.dat
    2007-11-21 03:28 32 --sha-w c:\windows\system32\{D2C8D8E0-3056-48B9-8AF4-1378908501DF}.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2009-12-09_12.09.06.24 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-03-13 16:57:10 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
    + 2005-10-21 02:02:28 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "SMSystemAnalyzer"="c:\program files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe" [2006-12-20 557056]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-05 1261336]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "CTHelper"="CTHELPER.EXE" [2007-04-09 c:\windows\system32\CtHelper.exe]
    "CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 c:\windows\system32\Ctxfihlp.exe]
    "nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-06-07 113664]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
    Kaspersky Anti-Hacker.lnk - c:\program files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe [2006-07-19 2195583]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiHacker]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R0 aliidex;aliidex;c:\windows\system32\drivers\aliidex.sys [2007-06-06 7040]
    R0 aliperf;aliperf;c:\windows\system32\drivers\aliperf.sys [2007-06-06 7168]
    R0 Klpf;Klpf;c:\windows\system32\drivers\Klpf.sys [2006-05-11 28979]
    R0 Klpid;Klpid;c:\windows\system32\drivers\Klpid.sys [2006-05-11 36534]
    R0 m5289;m5289;c:\windows\system32\DRIVERS\m5289.sys [2007-06-06 51840]
    R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\DRIVERS\agpkx.sys [2007-06-06 44928]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2009-12-05 97928]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-12-05 231704]
    R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
    R3 ULI5261;ULi Based Ethernet NT Driver;c:\windows\system32\DRIVERS\ULILAN.SYS [2007-06-06 29696]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2008-04-13 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
    - c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 11:13]

    2008-12-10 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

    c:\windows\system32\TKUNINST.EXE - c:\windows\system32\TKWEB.OCX
    O16 -: {2564B8E6-7D84-11D4-A689-30475BC10000}
    hxxp://www.toolkitcma.com/tkweb/tkweb.cab
    c:\windows\Downloaded Program Files\tkweb.inf
    FireFox -: Profile - c:\documents and settings\Joey\Application Data\Mozilla\Firefox\Profiles\ga1jjqz7.default\
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-10 16:00:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\TEMP\TMP000002101F8A4DFC1CE9766C 524288 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(980)
    c:\windows\system32\relog_ap.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\a-squared Free\a2service.exe
    c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\TVersity\Media Server\MediaServer.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-10 16:06:46 - machine was rebooted [Joey]
    ComboFix-quarantined-files.txt 2008-12-10 22:05:32
    ComboFix2.txt 2008-12-09 21:24:54
    ComboFix3.txt 2009-12-09 18:11:27

    Pre-Run: 401,847,762,944 bytes free
    Post-Run: 402,022,256,640 bytes free

    190 --- E O F --- 2008-11-12 21:14:48

    And Here is the new HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:08:46 PM, on 12/10/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TVersity\Media Server\MediaServer.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2564B8E6-7D84-11D4-A689-30475BC10000} (Tkweb Control) - http://www.toolkitcma.com/tkweb/tkweb.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1181159403687
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/...2/axofupld.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
    O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
    O24 - Desktop Component 0: (no name) - http://a612.ac-images.myspacecdn.com...8bd334a46b.jpg
    O24 - Desktop Component 1: (no name) - http://rds.yahoo.com/_ylt=A9gnMibTdY...foto/21431.jpg

    --
    End of file - 8889 bytes
  5. 2008-12-11, 15:55 #15
    Blade81
    Blade81 is offline
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


    THESE STEPS ARE VERY IMPORTANT

    Let's reset system restore
    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.
    NOTE: only do this ONCE,NOT on a regular basis



    Now lets uninstall ComboFix:
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK



    UPDATING WINDOWS AND INTERNET EXPLORER

    IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

    If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


    Make your Internet Explorer more secure

    This can be done by following these simple instructions:
    From within Internet Explorer click on the Tools menu and then click on Options.
    Click once on the Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click once on the Custom Level button.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialize and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt
    When all these settings have been made, click on the OK button.
    If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.



    The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

    • Download SpywareBlaster
      Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
      kill bits
      in the registry, so that certain activex controls can't install.
      If you don't know what activex controls are, see here
      You can download SpywareBlaster here here
      SpywareBlaster tutorial
    • hosts file:
      • Every version of windows has a hosts file as part of them.
      • In a very basic sense, they are used to locate webpages.
      • We can customize a hosts file so that it blocks certain webpages.
      • However, it can slow down certain computers.
      • This is why using a hosts file is optional!!

      Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
      If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
      2. Click the start button (at the lower left hand corner of your screen)
      3. Click run
      4. In the dialog box, type services.msc
      5. hit enter, then locate dns client
      6. Highlight it, then double-click it.
      7. On the dropdown box, change the setting from automatic to manual.
      8. Click ok


    • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
      If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).



    Just a final reminder for you. I am trying to stress these two points.
    UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
    Make sure all of your security programs are up to date.
    Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



    Once again, please post and tell me how things are going with your system... problems etc.

    Have a great day,
    Blade
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
  6. 2008-12-11, 23:57 #16
    mkejoey24z
    mkejoey24z is offline
    Member
    Join Date
    Dec 2007
    Posts
    30

    Default

    OK. First of all THANK YOU, THANK YOU, THANK YOU!!! I cannot stress that enough. It looks like everything is working good again.

    Second I went to Windows Update and found 13 updates. Before I tried to do these updates but since my computer was taken over it would not even let me see the updates. I did notice you recommended Spywareblaster and Online armor free. i understood online armor being a firewall correct? but spywareblaster is an Anti virus???? Should I still continue to use spybot and how often and do I let it run all the time or just to do the scans?
    I had a friend tell him was using AVG FREE as anti virus, Windows Defender as ??, and ASQUARED is i take it as another program like spybot. What do you think of these programs and isn't it kind of redundant for some of them?

    Once again Thanks
  7. 2008-12-12, 16:08 #17
    Blade81
    Blade81 is offline
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    You're welcome

    i understood online armor being a firewall correct? but spywareblaster is an Anti virus????
    Yes, Online armor is a firewall. However, Spywareblaster isn't antivirus program. It's from malware protecting program and fits in antispyware category.

    Should I still continue to use spybot and how often and do I let it run all the time or just to do the scans?
    I recommend using it. Normally suitable frequency would be once or twice in two weeks.

    I had a friend tell him was using AVG FREE as anti virus, Windows Defender as ??, and ASQUARED is i take it as another program like spybot. What do you think of these programs and isn't it kind of redundant for some of them?
    Both Windows Defender and Asquared are antispyware programs like Spybot. I don't recommend installing more than two antispyware programs in same system. For antivirus and firewall limit is one in same system.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
  8. 2008-12-18, 18:06 #18
    Blade81
    Blade81 is offline
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

    Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules