win32.bho.df and premium search



giulioge
2008-04-01, 23:20
Hi,
I have a problem with my laptop.

It is a Toshiba Satellite A100-114 with XP and the Windows firewall.
I also installed Avira AntiVir and Spybot.
The problem is:
Spybot tells me there are two malware items, win32.BHO.df and Premium Search. When I ask it to remove them, Spybot does it, but if I redo the scan they are still there.
If I try to install HJT, the installation window closes itself immediately.
Avira does not find anything.
Many Thanks for any help.
Giulio

Rorschach112
2008-04-03, 21:15
Hello

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

giulioge
2008-04-05, 00:41
Thanks for your answer.
I copied DSS to my desktop; it seems it does not work properly: it stops without opening any Notepad file and without any message window.
Now Win.bho.df is not in Spybot's report; it seems Spybot fixed it.
Giulio

Rorschach112
2008-04-05, 02:24
Do this then

Download OTScanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
Under Additional Scans check the boxes beside Reg - App Paths, Reg - Bot Check, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Additional Folder Scans, File - Lop Check, and File - Purity Scan.
Under Drivers change it to Non-Microsoft.
Check the box beside Scan All User Accounts at the top
Under Files Created Within and Files Modified Within change it to 90 days.
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way

giulioge
2008-04-05, 23:30
Here is the scan made by OTScanIt (zip file).
I hope I followed the instructions properly.
While extracting OTScanIt, Avira told me that it contains this: Virus or unwanted program 'TR/Dldr.Delphi.Gen [TR/Dldr.Delphi.Gen]'.
I allowed access to do the scan.

Rorschach112
2008-04-05, 23:58
Hello

Start OTScanIt. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.


[Kill Explorer]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Alcmtr -> %SystemRoot%\Alcmtr.exe [ALCMTR.EXE]
YN -> CFSServ.exe -> [CFSServ.exe -NoClient]
YN -> NDSTray.exe -> [NDSTray.exe]
YN -> TFncKy -> [TFncKy.exe]
YN -> tmzzja.exe -> %SystemDrive%\DOCUME~1\GIULIO\IMPOST~1\Temp\tmzzja.exe [C:\DOCUME~1\GIULIO\IMPOST~1\Temp\tmzzja.exe]
< IFEO [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
YY -> explorer.exe -> %SystemRoot%\system32\kbmrheob.gif [Debugger]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{965B54B0-71E0-4611-8DE7-F73FA0B20E26} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{EE5D279F-081B-4404-994D-C6B60AAEBA6D} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-66344188-2300565085-3021461925-1005\] > -> HKEY_USERS\S-1-5-21-66344188-2300565085-3021461925-1005\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{965B54B0-71E0-4611-8DE7-F73FA0B20E26} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{EE5D279F-081B-4404-994D-C6B60AAEBA6D} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
YN -> ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
YN -> msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
[Registry - Additional Scans - Non-Microsoft Only]
< App Paths [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
YN -> combofix.exe -> F:\New Folder (2)\ComboFix.exe [Reg Error: Value Path does not exist or could not be read.]
[Files/Folders - Created Within 90 days]
NY -> ComboFix -> %SystemDrive%\ComboFix
NY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
[Files/Folders - Modified Within 90 days]
NY -> ComboFix -> %SystemDrive%\ComboFix
NY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
NY -> 5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.



CLICK HERE (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download the HijackThis Installer:

Save HJTInstall.exe to your desktop.
Double-click on HJTInstall.exe to run the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Accept the license agreement by clicking the "I Accept" button.
Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
Click "Save log" to save the log file and then the log will open in Notepad.
Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
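
The fix script above contains the two entries that matter in this thread: a Run value pointing into the user's Temp folder (tmzzja.exe) and an Image File Execution Options "Debugger" value on explorer.exe that points at a .gif in system32. A Debugger value makes Windows start the named debugger instead of the image and hand it the original command line, so every launch of the shell runs the attacker's file first; that is the registry value Spybot later reports as PremiumSearch. The script below is an added example, not from the thread or from OTScanIt's author: it parses the `< Section [hive] > -> key` and `YY -> name -> path [value]` line format as it appears in the script above (the format is assumed from that excerpt only), runs the three checks a responder makes by hand, and is fed a constructed sample copied from those lines. The list of executable extensions is the author's choice.

```python
"""Flag suspicious autostart entries in OTScanIt-style scan output (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Line formats assumed from the fix script posted in this thread.
SECTION_RE = re.compile(r"^< (\w+) \[[^\]]*\] > -> (.+)$")
ENTRY_RE = re.compile(r"^([YN]{2}) -> (.+?) -> (.*)$")
VALUE_RE = re.compile(r"^(.*?)\s*\[(.*)\]$")

# Extensions Windows normally runs as a program. Anything else used as a Run
# target or as an IFEO Debugger deserves a look (the hijack here used a .gif).
EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".dll"}

# Constructed sample: lines copied from the OTScanIt fix script above, not a live scan.
SAMPLE_SCAN = r"""
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Alcmtr -> %SystemRoot%\Alcmtr.exe [ALCMTR.EXE]
YN -> NDSTray.exe -> [NDSTray.exe]
YN -> tmzzja.exe -> %SystemDrive%\DOCUME~1\GIULIO\IMPOST~1\Temp\tmzzja.exe [C:\DOCUME~1\GIULIO\IMPOST~1\Temp\tmzzja.exe]
< IFEO [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
YY -> explorer.exe -> %SystemRoot%\system32\kbmrheob.gif [Debugger]
"""


@dataclass(frozen=True)
class Finding:
    section: str  # OTScanIt section the entry came from (Run, IFEO, ...)
    name: str     # value name (Run) or target image name (IFEO)
    path: str     # expanded path OTScanIt printed
    reason: str


def split_value(rest):
    """'%SystemRoot%\\x.exe [X.EXE]' -> ('%SystemRoot%\\x.exe', 'X.EXE');
    '[NDSTray.exe]' -> ('', 'NDSTray.exe')."""
    m = VALUE_RE.match(rest)
    if m:
        return m.group(1), m.group(2)
    return rest, ""


def analyse(scan_text):
    """Return one Finding per suspicious property of each autostart entry."""
    findings = []
    section = None
    for line in scan_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        ent = ENTRY_RE.match(line)
        if not ent or section is None:
            continue
        _flags, name, rest = ent.groups()
        path, value = split_value(rest)
        ext = ntpath.splitext(path)[1].lower()

        # 1. An IFEO "Debugger" value makes CreateProcess start *that* path in
        #    place of the named image and pass it the original command line.
        if section == "IFEO" and value == "Debugger":
            findings.append(Finding(section, name, path,
                                    f"IFEO Debugger redirects {name} to {path}"))

        # 2. Legitimate software rarely leaves a Run value pointing into %Temp%.
        if section == "Run" and "\\temp\\" in path.lower():
            findings.append(Finding(section, name, path,
                                    "Run entry executes from a Temp directory"))

        # 3. A Run or Debugger target whose extension Windows would not
        #    normally execute (here: a .gif living in system32).
        if path and section in ("Run", "IFEO") and ext not in EXEC_EXTS:
            findings.append(Finding(section, name, path,
                                    f"target has non-executable extension {ext or '(none)'}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_SCAN):
        print(f"[{f.section}] {f.name}: {f.reason}")
```

Run it against a real OTScanIt report and it prints one line per flagged entry; on the sample it flags tmzzja.exe once and explorer.exe twice. Entries with a "Debugger" value should be removed at the registry, not just by moving the target file, because the value keeps redirecting the shell until it is gone (which is exactly what the fix log and the later Spybot scan in this thread show).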

giulioge
2008-04-06, 00:28
Hi,
Here is the log of OTScanIt.
When I try to open the HJT link, my browser (both Mozilla and Explorer) suddenly crashes.
So I wasn't able to do the HJT scan.
Many Thanks for your help
Giulio

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Alcmtr deleted successfully.
C:\WINDOWS\Alcmtr.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CFSServ.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\NDSTray.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\TFncKy deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tmzzja.exe deleted successfully.
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\ .
File move failed. C:\WINDOWS\system32\kbmrheob.gif scheduled to be moved on reboot.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{965B54B0-71E0-4611-8DE7-F73FA0B20E26} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{965B54B0-71E0-4611-8DE7-F73FA0B20E26}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE5D279F-081B-4404-994D-C6B60AAEBA6D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE5D279F-081B-4404-994D-C6B60AAEBA6D}\ not found.
Registry value HKEY_USERS\S-1-5-21-66344188-2300565085-3021461925-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-66344188-2300565085-3021461925-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_USERS\S-1-5-21-66344188-2300565085-3021461925-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-21-66344188-2300565085-3021461925-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{965B54B0-71E0-4611-8DE7-F73FA0B20E26} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{965B54B0-71E0-4611-8DE7-F73FA0B20E26}\ not found.
Registry value HKEY_USERS\S-1-5-21-66344188-2300565085-3021461925-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE5D279F-081B-4404-994D-C6B60AAEBA6D} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE5D279F-081B-4404-994D-C6B60AAEBA6D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully.
[Registry - Additional Scans - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe\ deleted successfully.
[Files/Folders - Created Within 90 days]
C:\ComboFix folder moved successfully.
C:\VundoFix Backups folder moved successfully.
[Files/Folders - Modified Within 90 days]
File C:\ComboFix not found!
File C:\VundoFix Backups not found!
[Empty Temp Folders]
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.9.0 fix logfile created on 04052008_231138

Rorschach112
2008-04-06, 00:30
Hello

Please download RUNSCANNER (http://www.runscanner.net/download.aspx) to your desktop and run it.

When the first page comes up select Beginner Mode
On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log.
Call the file "Select a file name here" and save it to your desktop. You will see the .run file on your desktop. Please zip the .run file by right-clicking and selecting Send to Zip file.

Then upload that as an attachment in your next post.

giulioge
2008-04-06, 01:06
Here is the first part of the file; I had to split it in two using WinZip because the max size for files is 97 KB.

giulioge
2008-04-06, 01:08
Here is the second part inside a zip file. I'm sorry for the complicated system, I couldn't find anything better.
Many thanks

Rorschach112
2008-04-06, 01:18
Hello

Download the zipped attachment (this will be your runscanner as fixed by me)

http://www.mediafire.com/?b5rccbjztzy

Unzip it to your desktop then double click the runscanner icon this will run the program.
Click on the "Item Fixer" tab
You will notice several entries with a tick in red, click Fix checked.
Accept the warning then repeat until they are all gone.



Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under "Select a target to scan", select My Computer.

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

giulioge
2008-04-06, 12:28
Here is the report of kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 06, 2008 11:24:17 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/04/2008
Kaspersky Anti-Virus database records: 685957
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 107148
Number of viruses found: 2
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 01:43:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows Defender\Support\MPLog-03012008-224602.log Object is locked skipped
C:\Documents and Settings\GIULIO\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\GIULIO\Dati applicazioni\Mozilla\Firefox\Profiles\00581hyq.default\cert8.db Object is locked skipped
C:\Documents and Settings\GIULIO\Dati applicazioni\Mozilla\Firefox\Profiles\00581hyq.default\history.dat Object is locked skipped
C:\Documents and Settings\GIULIO\Dati applicazioni\Mozilla\Firefox\Profiles\00581hyq.default\key3.db Object is locked skipped
C:\Documents and Settings\GIULIO\Dati applicazioni\Mozilla\Firefox\Profiles\00581hyq.default\parent.lock Object is locked skipped
C:\Documents and Settings\GIULIO\Dati applicazioni\Mozilla\Firefox\Profiles\00581hyq.default\search.sqlite Object is locked skipped
C:\Documents and Settings\GIULIO\Dati applicazioni\Mozilla\Firefox\Profiles\00581hyq.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\GIULIO\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\GIULIO\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\GIULIO\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\GIULIO\Impostazioni locali\Dati applicazioni\Microsoft\Windows Defender\FileTracker\{06997457-533E-44CF-8BB5-6A9D7D890A9C} Object is locked skipped
C:\Documents and Settings\GIULIO\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\00581hyq.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\GIULIO\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\00581hyq.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\GIULIO\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\00581hyq.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\GIULIO\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\00581hyq.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\GIULIO\Impostazioni locali\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\GIULIO\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\GIULIO\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\GIULIO\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programmi\eMule\Incoming\Nero 8 Ultra Edition V 8.0.3.0 Multilanguage -Zwtiso (Osloskop).iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe/data0017 Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Programmi\eMule\Incoming\Nero 8 Ultra Edition V 8.0.3.0 Multilanguage -Zwtiso (Osloskop).iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Programmi\eMule\Incoming\Nero 8 Ultra Edition V 8.0.3.0 Multilanguage -Zwtiso (Osloskop).iso/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Programmi\eMule\Incoming\Nero 8 Ultra Edition V 8.0.3.0 Multilanguage -Zwtiso (Osloskop).iso ISOimage: infected - 3 skipped
C:\Programmi\eMule\Incoming\[Solidworks 2007] - Cosmos 2007 license.rar/s1f176B.exe Infected: Email-Worm.Win32.Drefir.e skipped
C:\Programmi\eMule\Incoming\[Solidworks 2007] - Cosmos 2007 license.rar/hHcWnnt.exe Infected: Email-Worm.Win32.Drefir.e skipped
C:\Programmi\eMule\Incoming\[Solidworks 2007] - Cosmos 2007 license.rar/mKG5FvH.exe Infected: Email-Worm.Win32.Drefir.e skipped
C:\Programmi\eMule\Incoming\[Solidworks 2007] - Cosmos 2007 license.rar/IgN4Bcm.exe Infected: Email-Worm.Win32.Drefir.e skipped
C:\Programmi\eMule\Incoming\[Solidworks 2007] - Cosmos 2007 license.rar RAR: infected - 4 skipped
C:\Programmi\eMule\Incoming\[Solidworks 2007] - Cosmos 2007 license.rar CryptFF.b: infected - 4 skipped
C:\System Volume Information\_restore{1A5159F7-F181-4BF0-88FD-A98A8B465AEA}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5BA245A4-860B-436E-B33D-9DD151ACB4F6}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{90C4DA1D-7683-420F-A74F-113C6D1464C2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kbmrheob.gif Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Rorschach112
2008-04-06, 14:48
Hello

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\Programmi\eMule\Incoming\Nero 8 Ultra Edition V 8.0.3.0 Multilanguage -Zwtiso (Osloskop).iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe/data0017
C:\Programmi\eMule\Incoming\[Solidworks 2007] - Cosmos 2007 license.rar
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Then can you try to run HijackThis again and tell me how your PC is running?

giulioge
2008-04-06, 22:57
Hi
I copied the lines into the area under the yellow stripe. When I ran OTMoveIt, an error window reported: INVALID TIME FLAG! [DATA0017] MUST BE NUMERICAL.
After this all the icons and the bars disappeared from my desktop.
In the result window of OTMoveIt I can read:
Explorer killed successfully
< C:\Programmi\eMule\Incoming\Nero 8 Ultra Edition V 8.0.3.0 Multilanguage -Zwtiso (Osloskop).iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe/data0017 >
I have to restart the PC using Task Manager if I want to see the Start button, the icons, etc.
When I try to execute the HJT installer it doesn't work and closes the installation window (I used another PC to download the HJT setup).

Rorschach112
2008-04-07, 00:50
Hello

Delete these files in bold if present

C:\Programmi\eMule\Incoming\Nero 8 Ultra Edition V 8.0.3.0 Multilanguage -Zwtiso (Osloskop).iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe/data0017

C:\Programmi\eMule\Incoming\[Solidworks 2007] - Cosmos 2007 license.rar


Then tell me how your PC is running
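
The OTMoveIt2 failure above and the instruction that follows it illustrate a detail of reading Kaspersky's report: the scanner lists members of archives and installers after a "/" (Windows paths use "\"), so a line such as "...(Osloskop).iso/Nero PhotoShow Express/.../data0017" names an object inside an ISO, not a file a removal tool can move. The on-disk file is everything before the first "/", which is what the poster ended up deleting. The "Object is locked skipped" lines are a different thing again: files Kaspersky could not open (registry hives, event logs, browser databases), not detections. The script below is an added example, not from the thread or from Kaspersky; it parses the three line shapes seen in the report above (assumed from that excerpt only), keeps only real detections, maps each to its container and counts locked objects separately, using a constructed sample copied from the report.

```python
"""Triage a Kaspersky Online Scanner report (added example)."""
import re

# Line shapes assumed from the report posted in this thread:
#   <path> Object is locked skipped
#   <path> Infected: <detection name> skipped
#   <path> <ArchiveKind>: infected - <n> skipped     (summary for a container)
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"Object is locked"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<kind>\S+): infected - \d+"
    r") skipped$"
)

# Constructed sample: lines copied from the Kaspersky report above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\kbmrheob.gif Object is locked skipped
C:\Programmi\eMule\Incoming\Nero 8 Ultra Edition V 8.0.3.0 Multilanguage -Zwtiso (Osloskop).iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe/data0017 Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Programmi\eMule\Incoming\Nero 8 Ultra Edition V 8.0.3.0 Multilanguage -Zwtiso (Osloskop).iso/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Programmi\eMule\Incoming\Nero 8 Ultra Edition V 8.0.3.0 Multilanguage -Zwtiso (Osloskop).iso ISOimage: infected - 3 skipped
C:\Programmi\eMule\Incoming\[Solidworks 2007] - Cosmos 2007 license.rar/s1f176B.exe Infected: Email-Worm.Win32.Drefir.e skipped
C:\Programmi\eMule\Incoming\[Solidworks 2007] - Cosmos 2007 license.rar RAR: infected - 4 skipped
"""


def container_path(obj):
    """Reduce a nested-member path to the file that exists on disk.

    Kaspersky separates archive members with '/', while the Windows path to the
    container itself only contains '\\', so the container is the text before
    the first '/'. A path with no '/' is already a file on disk.
    """
    return obj.split("/", 1)[0]


def triage(report_text):
    """Return (infected, locked).

    infected: dict mapping each on-disk container to the set of detection
              names found in it or its members.
    locked:   list of objects the scanner could not open (not detections).
    """
    infected = {}
    locked = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, statistics
        path = m.group("path")
        if m.group("name"):
            infected.setdefault(container_path(path), set()).add(m.group("name"))
        elif m.group("kind"):
            # Summary line for a container whose members were listed above;
            # make sure it appears even if its member lines were filtered.
            infected.setdefault(container_path(path), set())
        else:
            locked.append(path)
    return infected, locked


def removal_targets(infected):
    """Paths to hand to a removal tool: containers only, never members."""
    return sorted(infected)


if __name__ == "__main__":
    infected, locked = triage(SAMPLE_REPORT)
    print(f"{len(locked)} locked objects (unscanned, not detections)")
    for target in removal_targets(infected):
        print(target, "->", ", ".join(sorted(infected[target])))
```

On the sample this yields two removal targets, the .iso and the .rar, each with one detection name, and three locked objects. Note that kbmrheob.gif shows up only as locked: Kaspersky did not flag it, but it is the IFEO Debugger target from the OTScanIt fix earlier in the thread, which is a reminder that "locked, skipped" lines still need to be read, not just discarded.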

giulioge
2008-04-07, 22:53
Hi,
I deleted the two files:
C:\Programmi\eMule\Incoming\[Solidworks 2007] - Cosmos 2007 license.rar
C:\Programmi\eMule\Incoming\Nero 8 Ultra Edition V 8.0.3.0 Multilanguage -Zwtiso (Osloskop).iso
and emptied the Recycle Bin.
I'm still not able to run the HJT installer, and Spybot tells me that Premium Search is still present.

Rorschach112
2008-04-08, 01:07
Can you post the Spybot log here?

How is your PC running besides that?

giulioge
2008-04-08, 08:13
Hi
Here is the report of Spybot.
My pc is running well as far as I can see.
But I can't install HJT because it closes the window when I try to install it.
Another strange thing is that Spybot still sees Premium Search.

--- Search result list ---
PremiumSearch: [SBI $A27BCAFD] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger

Common Dialogs: History (4 files) (Registry key, fixed)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, fixed)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Cookie: Cookie (1) (Cookie, fixed)


Cache: Cache (34) (Cache, fixed)


History: History (6) (History, fixed)


Cookie: Cookie (13) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-03-27 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-04-02 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti (*)
2008-04-02 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-04-02 Includes\DialerC.sbi (*)
2008-04-02 Includes\HeavyDuty.sbi (*)
2008-03-19 Includes\Hijackers.sbi (*)
2008-04-02 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-04-02 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-03-26 Includes\Malware.sbi (*)
2008-04-02 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-04-02 Includes\PUPSC.sbi (*)
2008-04-02 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-04-02 Includes\SecurityC.sbi (*)
2008-04-02 Includes\Spybots.sbi (*)
2008-04-02 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-04-02 Includes\Trojans.sbi (*)
2008-04-02 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB930494)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Media Center 2005 / SP3: Windows XP Media Center Edition 2005 KB888316
/ Media Center 2005 / SP3: Windows XP Media Center Edition 2005 KB894553
/ Media Center 2005 / SP3: Windows XP Media Center Edition 2005 KB895678
/ Media Center 2005 / SP3: Update Rollup 1 for Windows XP Media Center Edition 2005 (KB873369)
/ Media Center 2005 / SP4: Update Rollup 2 for Windows XP Media Center Edition 2005
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player 10: Update for Windows Media Player 10 (KB913800)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
/ Windows Media Player 10: Update for Windows Media Player 10 (KB926251)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB936782)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Hotfix for Windows XP - KB873339
/ Windows XP / SP3: Hotfix for Windows XP - KB884018
/ Windows XP / SP3: Hotfix for Windows XP - KB885250
/ Windows XP / SP3: Hotfix for Windows XP - KB885835
/ Windows XP / SP3: Hotfix for Windows XP - KB885836
/ Windows XP / SP3: Hotfix for Windows XP - KB885855
/ Windows XP / SP3: Hotfix for Windows XP - KB886185
/ Windows XP / SP3: Hotfix for Windows XP - KB887472
/ Windows XP / SP3: Hotfix for Windows XP - KB888113
/ Windows XP / SP3: Hotfix for Windows XP - KB888302
/ Windows XP / SP3: Hotfix for Windows XP - KB888622
/ Windows XP / SP3: Hotfix for Windows XP (KB888795)
/ Windows XP / SP3: Hotfix for Windows XP - KB889673
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Hotfix for Windows XP - KB890546
/ Windows XP / SP3: Hotfix for Windows XP - KB890859
/ Windows XP / SP3: Hotfix for Windows XP (KB891593)
/ Windows XP / SP3: Hotfix for Windows XP - KB891781
/ Windows XP / SP3: Hotfix for Windows XP - KB893056
/ Windows XP / SP3: Hotfix for Windows XP (KB893357)
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Hotfix for Windows XP (KB894871)
/ Windows XP / SP3: Hotfix for Windows XP (KB896243)
/ Windows XP / SP3: Hotfix for Windows XP (KB896256)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Hotfix for Windows XP (KB899337)
/ Windows XP / SP3: Hotfix for Windows XP (KB899510)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB899591)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB900485)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB900725)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB901017)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB901214)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB902400)
/ Windows XP / SP3: Aggiornamento rapido per Windows XP (KB902841)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB904706)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB904942)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB905414)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB905749)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB908519)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB908531)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB910437)
/ Windows XP / SP3: Aggiornamento rapido per Windows XP (KB910728)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB911280)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB911562)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB911567)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB911927)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB912919)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB913580)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB914388)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB914389)
/ Windows XP / SP3: Aggiornamento rapido per Windows XP (KB914440)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB916281)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB916595)
/ Windows XP / SP3: Aggiornamento rapido per Windows XP (KB917332)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB917344)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB917953)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB918118)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB918439)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB919007)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB920213)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB920670)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB920683)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB920685)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB920872)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB921503)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB922582)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB922819)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB923191)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB923414)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB923980)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB924191)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB924270)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB924496)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB924667)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB925902)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB926255)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB926436)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB927779)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB927802)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB927891)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB928255)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB928843)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB929123)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB929969)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB930178)
/ Windows XP / SP3: Microsoft .NET Framework 1.0 Hotfix (KB930494)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB930916)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB931261)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB931784)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB931836)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB932168)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB933360)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB933566)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB933729)
/ Windows XP / SP3: Aggiornamento rapido per Windows XP (KB935448)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB935839)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB935840)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB936021)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB936357)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB937143)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB937894)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB938127)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB938828)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB938829)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB939653)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB941202)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB941568)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB941644)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB942615)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB942763)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB942840)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB943055)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB943460)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB943485)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB944533)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB944653)
/ Windows XP / SP3: Aggiornamento della protezione per Windows XP (KB946026)
/ Windows XP / SP3: Aggiornamento per Windows XP (KB946627)


--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"

Rorschach112
2008-04-08, 19:22
No need to worry

Your logs are clean! We need to do a few things.


Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.




Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates available installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
Next click OK, then the Apply button, and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.
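As an added example (not part of the thread, and not code from Spybot, OTMoveIt2 or any other tool mentioned above), the following Python 3 script audits two of the hardening steps the post recommends: the Internet Explorer Internet-zone ActiveX settings that the post sets by clicking through Inetcpl.cpl, and an MVPS-style HOSTS file. It assumes the standard registry location of the Internet zone (zone 3 under the current user's Internet Settings key) and the IE URLACTION value names 1001, 1004 and 1201 with policy values 0 = Enable, 1 = Prompt, 3 = Disable; the registry is only read on Windows, and the HOSTS content is a constructed sample, not the real MVPS file. The HOSTS check goes slightly beyond the post: besides confirming that blocked names map to loopback, it lists every entry that points somewhere else, because malware also edits HOSTS to redirect antivirus and update sites.

```python
"""Audit two hardening steps from the post above (added example, not from the thread).

1. The Internet Explorer Internet-zone ActiveX settings, which the post sets by
   clicking through Inetcpl.cpl; on Windows they live in the registry under
   HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3.
2. A HOSTS file of the MVPS style, checking that blocked names resolve to loopback
   and listing entries that point somewhere else.
"""
import sys
from typing import Dict, List, Optional, Tuple

# Zone 3 is the Internet zone.  The value names are the IE URLACTION ids in hex.
ZONE_INTERNET_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
POLICY_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}   # URLPOLICY values
RECOMMENDED = {"1001": 1, "1004": 1, "1201": 3}            # what the post asks for
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def read_internet_zone() -> Optional[Dict[str, int]]:
    """Read the three settings for the current user; returns None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    settings: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_INTERNET_KEY) as key:
        for name in ACTIONS:
            try:
                value, _ = winreg.QueryValueEx(key, name)
                settings[name] = int(value)
            except FileNotFoundError:
                pass  # value absent: reported as "unknown" by audit_zone
    return settings


def audit_zone(settings: Dict[str, int]) -> List[Tuple[str, str, str, bool]]:
    """Compare settings to the post's recommendation.

    Returns (description, current, recommended, ok).  "Disable" is accepted where
    "Prompt" was recommended, because it is the stricter choice.
    """
    findings = []
    for name, desc in ACTIONS.items():
        current = settings.get(name)
        want = RECOMMENDED[name]
        ok = current == want or (want == 1 and current == 3)
        findings.append((desc, POLICY_NAMES.get(current, f"unknown({current})"),
                         POLICY_NAMES[want], ok))
    return findings


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lowercased) to its address; comments and blanks ignored.

    If a name appears more than once the first entry is kept.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            mapping.setdefault(name.lower(), parts[0])
    return mapping


def audit_hosts(text: str, expect_blocked: List[str]) -> Dict[str, List[str]]:
    """Report which expected names are blocked, which are missing, and every
    entry that does not point to loopback (review those by hand)."""
    mapping = parse_hosts(text)
    blocked = [h for h in expect_blocked if mapping.get(h.lower()) in LOOPBACK]
    missing = [h for h in expect_blocked if h.lower() not in mapping]
    non_loopback = sorted(h for h, a in mapping.items() if a not in LOOPBACK)
    return {"blocked": blocked, "missing": missing, "non_loopback": non_loopback}


# Constructed sample HOSTS content (not the real MVPS file); 192.0.2.0/24 is a
# documentation range used here as a stand-in for an attacker-chosen address.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 ads.example.net        # blocked ad host
0.0.0.0   tracker.example.org
192.0.2.10 update.av-vendor.example   # points away from loopback: investigate
"""

if __name__ == "__main__":
    zone = read_internet_zone()
    if zone is None:  # not on Windows: use a constructed sample
        zone = {"1001": 1, "1004": 0, "1201": 3}
    for desc, current, want, ok in audit_zone(zone):
        print(f"{'OK ' if ok else 'FIX'} {desc}: {current} (recommended {want})")
    print(audit_hosts(SAMPLE_HOSTS, ["ads.example.net", "tracker.example.org"]))
```

Run it as an ordinary user on the machine being checked; it only reads the registry and never changes it, so the clicks in the post remain the way to apply the settings. A name in the `non_loopback` list is not automatically malicious (intranet names are often listed there on purpose), but an antivirus or update host pointing to an address you do not recognise is worth investigating.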

Rorschach112
2008-04-13, 02:23
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.