Help with annoyingly persistent process



Noosentaal
2008-09-28, 20:13
Hi there,

My problem is that my computer is minimising any full screen applications that I run, which is really irritating! I think the process that is responsible is Vs3aXx78.exe, as Avast has already flagged it as a virus and removed it. I've done several scans with Avast, Spybot and Malwarebytes and while they all found and removed problems, I'm still getting the minimising thing.

I'd appreciate some help in diagnosing the problem and getting a solution! Please see below for my hijack this log.

Many thanks in advance,

Noosentaal


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:07:55, on 28/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Ad-Aware\aawservice.exe
C:\Avast Antivirus 4\aswUpdSv.exe
C:\Avast Antivirus 4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\AVASTA~1\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Avast Antivirus 4\ashMaiSv.exe
C:\Avast Antivirus 4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\VS3aXx78.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\NOKIAP~1\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Acrobat Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Mozilla Thunderbird.lnk = C:\Thunderbird\thunderbird.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res:/C:\Desktop Sidebar\sbhelp.dll/menuhandler.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167334026125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167333693312
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast Antivirus 4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast Antivirus 4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast Antivirus 4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast Antivirus 4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5704 bytes

pskelley
2008-10-01, 21:26
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

C:\WINDOWS\system32\VS3aXx78.exe
What does Avast tell you this is? Post the information it provides you.

Make sure you can see all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Upload that file to http://virusscan.jotti.org/ and post the results. Here are two more free scans if jotti is busy.
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Thanks

Noosentaal
2008-10-03, 14:58
Hi there,
Thanks for your reply!

When Avast recognised VS3aXx78 as a virus it said it was:

"Win32:Rootkit-gen [Rtk]"

When it found it, I clicked "Move to Chest", and now it doesn't see this file as a virus anymore.

I tried uploading the VS3aXx78.exe file to the website you suggested, but because the file size is 0 bytes nothing happened. I received this message: "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file." It gave a similar message on the other sites that you suggested.

I uploaded a file called VS3AXX78.EXE-31C74548.pf which I found in my C:\windows\prefetch folder and told it to scan that and it found no viruses.

Here are the two logs that you requested.

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 2

02/10/2008 14:41:24
mbam-log-2008-10-02 (14-41-24).txt

Scan type: Full Scan (C:\|R:\|)
Objects scanned: 142832
Time elapsed: 1 hour(s), 7 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Symbian OS Tools\SignSIS-GUI_v1.1.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{729E7B02-C593-4E49-829E-242EF1F85DC8}\RP384\A0089936.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VS3aXx78.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:48:58, on 03/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Ad-Aware\aawservice.exe
C:\Avast Antivirus 4\aswUpdSv.exe
C:\Avast Antivirus 4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\AVASTA~1\ashDisp.exe
C:\Acrobat Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Avast Antivirus 4\ashMaiSv.exe
C:\Avast Antivirus 4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe
C:\Avast Antivirus 4\setup\avast.setup

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Acrobat Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Mozilla Thunderbird.lnk = C:\Thunderbird\thunderbird.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res:/C:\Desktop Sidebar\sbhelp.dll/menuhandler.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167334026125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167333693312
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast Antivirus 4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast Antivirus 4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast Antivirus 4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast Antivirus 4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5775 bytes

pskelley
2008-10-03, 15:29
Thanks for the feedback. It looks like MBAM removed the junk, but there are other concerns, so let's do this.

1) I would like a look at your uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

(make sure you clean Prefetch since the junk VS3AXX78.EXE-31C74548.pf <<< was showing it may be running from there)
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


6) Update Avast and scan the system, let me know if it finds anything. Post that information along with the uninstall list.

Thanks...Phil
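As an added triage example for the HijackThis logs quoted in this thread (not part of HijackThis and not pskelley's procedure), this Python script parses a log excerpt and flags the two kinds of entry acted on above: an orphaned O2 BHO ending in "(no file)" and a random-named executable running from system32. The sample log is a constructed excerpt of the lines posted above, and the `looks_random` naming heuristic is an assumption of this example.

```python
"""Triage helper for a HijackThis v2 log, written as an added example for this
thread (not part of HijackThis or of the helper's procedure)."""
import re
from dataclasses import dataclass, field

# An O-item line: "O2 - BHO: ...", "O4 - HKLM\..\Run: [...] ...", "O23 - Service: ...".
ITEM_RE = re.compile(r"^O\d+ - ")
# An 8-character executable or DLL name directly under system32, e.g. VS3aXx78.exe.
SYS32_NAME_RE = re.compile(r"\\system32\\([A-Za-z0-9]{8})\.(?:exe|dll)$", re.I)


@dataclass
class Finding:
    line: str
    reason: str


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    items: list = field(default_factory=list)


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis log into its running-process list and its O-items."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # the process list ends at the first blank line
        elif in_procs:
            log.processes.append(line)
        elif ITEM_RE.match(line):
            log.items.append(line)
    return log


def looks_random(name: str) -> bool:
    """Assumed heuristic: 8 characters mixing upper case, lower case and digits.
    VS3aXx78 matches; PnkBstrA (no digit) and RUNDLL32 (no lower case) do not."""
    return (len(name) == 8
            and any(c.isdigit() for c in name)
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name))


def triage(log: HjtLog) -> list:
    """Flag the entry types acted on in this thread: orphaned registry entries
    and random-named files living in system32."""
    findings = []
    for proc in log.processes:
        m = SYS32_NAME_RE.search(proc)
        if m and looks_random(m.group(1)):
            findings.append(Finding(proc, "random-named executable running from system32"))
    for item in log.items:
        if item.endswith("(no file)"):
            findings.append(Finding(item, "registry entry points to a file that no longer exists"))
        m = SYS32_NAME_RE.search(item)
        if m and looks_random(m.group(1)):
            findings.append(Finding(item, "autostart or service entry references a random-named file"))
    return findings


# Constructed excerpt of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:07:55, on 28/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\VS3aXx78.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.reason}:\n    {f.line}")
```

The heuristic only narrows what to look at; a flagged file still needs to be identified (the thread does this via the Avast verdict and the online scanners) before anything is removed.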

Noosentaal
2008-10-05, 23:14
Hi there,

Sorry it's taken me a few days to reply, I haven't been able to sit with my computer long enough for Avast to finish a scan. I finally found the time this afternoon. I only did a standard scan, not a thorough scan, so I hope that's sufficient. I did all the other things that you said to do. As I was typing this Avast's on access scanner found another instance of "Win32:Trojan-gen {Other}" in my temp folder - something that it does periodically while I'm using it.

Thanks for your continued patience and support!

Here is the uninstall list that you requested:

Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe Stock Photos 1.0
avast! Antivirus
Azureus
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
ChemOffice Ultra 2005
Command & Conquer 3
Compatibility Pack for the 2007 Office system
Creative WebCam NX Pro Driver (1.00.06.0512)
Deus Ex
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Farm Frenzy Deluxe
Freedom Force® vs The 3rd Reich
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Intel(R) Extreme Graphics 2 Driver
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Magic ISO Maker v5.3 (build 0221)
Malwarebytes' Anti-Malware
Medieval II Total War
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.1)
Mozilla Thunderbird (2.0.0.17)
MP3 Wav Editor 3.20
MSVC80_x86
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero 7 Ultra Edition
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
NVIDIA Drivers
Oblivion
Oblivion mod manager 1.1.5
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00
OriginPro70
PC Connectivity Solution
Pirates of the Caribbean
PowerDVD
PowerISO
Realtek AC'97 Audio
RTPatch Update
Sacred
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Shockwave
SonicStage 4.3
SpellForce 2 - Shadow Wars
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Star Trek Legacy
Symbian Developer Certificate Request
Theme Hospital
Uplink
Windows Driver Package - Nokia Modem (05/22/2008 3.8)
Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
WinFast(R) Display Driver
WinRAR archiver
Xvid 1.1.3 final uninstall

And here are my Avast logs for today - I ran the scan between approximately 6pm and 8:30pm so anything it found before 6 was found with the on access scanner:

05/10/2008 12:13:53 Roscoe 1608 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Roscoe\LOCALS~1\Temp\26Qom2Y0.exe" file.
05/10/2008 12:15:03 Roscoe 1608 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\77cA7Xpf.dll" file.
05/10/2008 14:15:11 Roscoe 1608 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Roscoe\LOCALS~1\Temp\D3KH3K3e.exe" file.
05/10/2008 15:13:40 Roscoe 1708 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Roscoe\LOCALS~1\Temp\P6068P87.exe" file.
05/10/2008 17:13:56 Roscoe 1708 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Roscoe\LOCALS~1\Temp\Jy8nL6K8.exe" file.
05/10/2008 18:11:56 Roscoe 1712 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Roscoe\LOCALS~1\Temp\iq1kA0A4.exe" file.
05/10/2008 18:16:20 Roscoe 3496 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Roscoe\Local Settings\Temp\iq1kA0A4.exe" file.
05/10/2008 19:00:51 Roscoe 3496 Sign of "Win32:Agent-AWB [Adw]" has been found in "R:\Downloads\Programs\Daemon Tools Setup.exe\$INSTDIR\SetupDTSB.exe\DaemonTools_WhenUSave_Installer.exe" file.
05/10/2008 20:17:48 Roscoe 3496 Sign of "Win32:Agent-AWB [Adw]" has been found in "R:\System Volume Information\_restore{729E7B02-C593-4E49-829E-242EF1F85DC8}\RP2\A0002038.exe\$INSTDIR\SetupDTSB.exe\DaemonTools_WhenUSave_Installer.exe" file.
05/10/2008 20:18:40 Roscoe 1712 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Roscoe\LOCALS~1\Temp\610agipK.exe" file.

pskelley
2008-10-05, 23:54
When you ran ATF-Cleaner, did you choose "Select All" as instructed?
If so, that should have cleaned all Temp files, the TIF files and the Prefetch files, yet Avast is finding the junk here:

C:\Documents and Settings\Roscoe\Local Settings\Temp\ <<< navigate to that Temp folder and delete the contents. Click Edit > Select All > hit the Delete Key. Some old Windows files may not delete, but we are interested in all of the recent stuff and you can see the names in the Avast scan.
Once that is done, empty the Recycle Bin on the Desktop and I believe we will have combofix take a look. Let's look at the uninstall list first.

Uninstall list: I look for malware and security issues only.

Adobe Reader 8.1.2 <<< out of date and being exploited by hackers
http://www.filehippo.com/download_adobe_reader/

http://forums.spybot.info/showthread.php?t=282 <<< see this

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
Azureus <<< uninstall all p2p programs

Java(TM) 6 Update 6 <<< uninstall see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Spybot - Search & Destroy 1.5.2.20 <<< uninstall the old version

You should look for stuff you no longer use.


We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks
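As an added example (not an avast feature and not the helper's tool), this Python script parses the avast log lines posted above and groups the detections by folder, signature and type, separating fresh drops in the Temp folder from a copy bundled inside an installer and a copy inside a restore point, which the thread treats differently (delete the Temp contents, uninstall the program, purge System Restore). The 8.3 short-name expansions and the meaning of the numeric field after the user name are assumptions of this example; the sample lines are a constructed subset of the log above.

```python
"""Avast on-access log triage, written as an added example for this thread
(not an avast feature and not the helper's tool)."""
import re
from collections import Counter
from datetime import datetime

# One avast 4 log line as posted in the thread:
# 05/10/2008 12:13:53 Roscoe 1608 Sign of "<signature>" has been found in "<path>" file.
# The numeric field after the user name is assumed here to be a task/process id.
AVAST_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<task>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

# Assumed 8.3 short-name expansions so the two spellings of the Temp folder in
# the log collapse to one folder; real mappings depend on the machine.
SHORT_NAMES = {"DOCUME~1": "Documents and Settings", "LOCALS~1": "Local Settings"}


def parse_avast_line(line: str):
    """Return a dict for a detection line, or None for anything else."""
    m = AVAST_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
    parts = [SHORT_NAMES.get(p.upper(), p) for p in m["path"].split("\\")]
    return {"time": when, "user": m["user"], "task": int(m["task"]),
            "signature": m["sig"], "path": "\\".join(parts),
            "folder": "\\".join(parts[:-1])}


def classify(path: str) -> str:
    """Separate a live drop from copies that need different handling."""
    upper = path.upper()
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in upper:
        return "restore-point copy"        # removed by the System Restore purge step
    if ".EXE\\" in upper:
        return "bundled inside installer"  # an archive member, not a running file
    if "\\TEMP\\" in upper:
        return "dropped in Temp"           # fresh drops: something is still writing them
    if "\\SYSTEM32\\" in upper:
        return "loose file in system32"
    return "other"


def summarise(lines) -> dict:
    events = [e for e in map(parse_avast_line, lines) if e]
    temp_times = sorted(e["time"] for e in events
                        if classify(e["path"]) == "dropped in Temp")
    # Minutes between successive Temp drops. Drops recurring hours apart after the
    # folder was emptied show that deleting the files alone does not end it.
    gaps = [round((b - a).total_seconds() / 60, 1)
            for a, b in zip(temp_times, temp_times[1:])]
    return {
        "events": len(events),
        "by_folder": Counter(e["folder"] for e in events),
        "by_class": Counter(classify(e["path"]) for e in events),
        "by_signature": Counter(e["signature"] for e in events),
        "temp_gaps_minutes": gaps,
    }


# Constructed subset of the avast log lines posted above.
SAMPLE_LINES = r"""
05/10/2008 12:13:53 Roscoe 1608 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Roscoe\LOCALS~1\Temp\26Qom2Y0.exe" file.
05/10/2008 12:15:03 Roscoe 1608 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\77cA7Xpf.dll" file.
05/10/2008 14:15:11 Roscoe 1608 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Roscoe\LOCALS~1\Temp\D3KH3K3e.exe" file.
05/10/2008 18:16:20 Roscoe 3496 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Roscoe\Local Settings\Temp\iq1kA0A4.exe" file.
05/10/2008 19:00:51 Roscoe 3496 Sign of "Win32:Agent-AWB [Adw]" has been found in "R:\Downloads\Programs\Daemon Tools Setup.exe\$INSTDIR\SetupDTSB.exe\DaemonTools_WhenUSave_Installer.exe" file.
05/10/2008 20:17:48 Roscoe 3496 Sign of "Win32:Agent-AWB [Adw]" has been found in "R:\System Volume Information\_restore{729E7B02-C593-4E49-829E-242EF1F85DC8}\RP2\A0002038.exe\$INSTDIR\SetupDTSB.exe\DaemonTools_WhenUSave_Installer.exe" file.
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```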

Noosentaal
2008-10-06, 01:41
Hey there,

First things first, I deleted all of the files in the temp folder as you suggested. I did run ATF cleaner with "Select all" checked as you said; I don't know why it didn't work. There were 2 files that didn't delete: "~DF6E3D" and "etilqs_ho7ZNilYbIqmTOrkIfmX"; they were, according to Windows, being used by another person or program.

I uninstalled everything that you suggested and downloaded Combofix. In the tutorial at the link that you posted it said to install the Windows Recovery Console; however, in your post you said to just run combofix. I just want to clarify which one I should do - combofix looks like the kind of tool that can break my computer if I do it wrong, so I want to make sure I'm doing everything properly before I start!

Cheers!

pskelley
2008-10-06, 01:49
If you do not have a Windows XP CD and you wish to install Recovery Console first, that is fine. That is the way the tutorial from the creator of the tool reads.

Thanks

Noosentaal
2008-10-06, 16:19
Hey there,

I ran combofix, it has removed all of the stuff from my system tray, is that normal? Also, I decided not to install the recovery console because I have my XP disk. Here is the combofix log:

ComboFix 08-10-05.08 - Roscoe 2008-10-06 15:01:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1140 [GMT 1:00]
Running from: C:\Documents and Settings\Roscoe\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\racle~1
C:\Program Files\SAV
C:\WINDOWS\fnts~1
C:\WINDOWS\system32\wnscpicomsv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE


((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.

2008-10-02 13:19 . 2008-10-02 13:20 <DIR> d-------- C:\Malwarebytes' Anti-Malware
2008-10-02 13:19 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-02 13:19 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-30 13:22 . 2004-08-04 06:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-09-30 13:22 . 2004-08-04 06:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-09-30 13:22 . 2008-09-30 13:22 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-30 13:22 . 2008-09-30 13:22 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-09-30 13:16 . 2008-09-30 13:16 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-09-30 13:16 . 2008-09-30 13:16 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-09-30 13:16 . 2008-09-30 13:16 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-09-30 13:16 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-09-30 13:15 . 2008-09-30 13:16 <DIR> d-------- C:\Nokia PC Suite
2008-09-30 13:15 . 2008-05-07 07:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-09-30 13:15 . 2008-05-07 07:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-09-30 13:15 . 2008-05-07 07:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-09-30 13:15 . 2008-05-07 07:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-09-30 13:15 . 2008-05-07 07:38 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-09-30 13:15 . 2008-06-06 09:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-09-30 13:11 . 2008-09-30 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-09-28 19:07 . 2008-10-03 17:41 <DIR> d-------- C:\HijackThis
2008-09-28 14:27 . 2008-09-28 14:27 <DIR> d-------- C:\Documents and Settings\Roscoe\Application Data\Malwarebytes
2008-09-28 14:26 . 2008-09-28 14:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-26 18:59 . 2008-09-26 19:07 <DIR> d-------- C:\Ad-Aware
2008-09-26 18:58 . 2008-09-26 18:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-24 17:14 . 2008-09-24 17:13 30,272 --a------ C:\WINDOWS\system32\Tu1lqc6u.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-05 23:29 --------- d-----w C:\Program Files\Java
2008-10-05 23:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-30 12:23 --------- d-----w C:\Documents and Settings\Roscoe\Application Data\PC Suite
2008-09-30 12:20 --------- d-----w C:\Documents and Settings\Roscoe\Application Data\Nokia
2008-09-30 12:15 --------- d-----w C:\Program Files\Nokia
2008-09-30 12:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-09-26 17:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-24 18:08 138,912 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-24 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 18:39 22,328 ----a-w C:\Documents and Settings\Roscoe\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Mozilla Thunderbird.lnk - C:\Thunderbird\thunderbird.exe [2007-01-10 8501360]

[HKLM\~\startupfolder\C:^Documents and Settings^Roscoe^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Roscoe\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kyiqujjd]
C:\WINDOWS\F?nts\?ttrib.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 11:48 157592 C:\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 11:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 11:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 11:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
--a------ 2006-11-28 02:12 2658304 C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 14:01 13529088 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:01 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 04:01 32768 C:\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"usnsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"SIDEBAR"="C:\Desktop Sidebar\dsidebar.exe"
"PC Suite Tray"="C:\Nokia PC Suite\Nokia PC Suite 7\PCSuite.exe" -onlytray

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Firefox\\firefox.exe"=
"R:\\Uplink\\uplink.exe"=
"R:\\Sacred\\sacred.exe"=
"R:\\Sacred\\Gameserver.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 SSHDRV65;SSHDRV65;C:\WINDOWS\system32\drivers\SSHDRV65.sys [2007-07-03 120320]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
S3 P1130VID;Creative WebCam NX Pro;C:\WINDOWS\system32\DRIVERS\P1130Vid.sys [2003-05-08 90357]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7126e2c3-969c-11db-998f-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9a48103-72a8-11dc-bcf0-0001803fa654}]
\Shell\Auto\command - F:\autorun.bat
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.bat
\Shell\explore\Command - F:\autorun.bat
.
Contents of the 'Scheduled Tasks' folder

2008-09-27 C:\WINDOWS\Tasks\At1.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-09-24 C:\WINDOWS\Tasks\At10.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-09-24 C:\WINDOWS\Tasks\At11.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-09-24 C:\WINDOWS\Tasks\At12.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-05 C:\WINDOWS\Tasks\At13.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-05 C:\WINDOWS\Tasks\At14.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-05 C:\WINDOWS\Tasks\At15.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-06 C:\WINDOWS\Tasks\At16.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-05 C:\WINDOWS\Tasks\At17.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-05 C:\WINDOWS\Tasks\At18.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-05 C:\WINDOWS\Tasks\At19.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-09-28 C:\WINDOWS\Tasks\At2.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-05 C:\WINDOWS\Tasks\At20.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-05 C:\WINDOWS\Tasks\At21.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-01 C:\WINDOWS\Tasks\At22.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-05 C:\WINDOWS\Tasks\At23.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-05 C:\WINDOWS\Tasks\At24.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-09-24 C:\WINDOWS\Tasks\At3.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-09-24 C:\WINDOWS\Tasks\At4.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-05 C:\WINDOWS\Tasks\At49.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-24 C:\WINDOWS\Tasks\At5.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-09-28 C:\WINDOWS\Tasks\At50.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-28 C:\WINDOWS\Tasks\At51.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-28 C:\WINDOWS\Tasks\At52.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-28 C:\WINDOWS\Tasks\At53.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-28 C:\WINDOWS\Tasks\At54.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-28 C:\WINDOWS\Tasks\At55.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-28 C:\WINDOWS\Tasks\At56.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-28 C:\WINDOWS\Tasks\At57.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-28 C:\WINDOWS\Tasks\At58.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-28 C:\WINDOWS\Tasks\At59.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-24 C:\WINDOWS\Tasks\At6.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-09-28 C:\WINDOWS\Tasks\At60.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-10-05 C:\WINDOWS\Tasks\At61.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-10-05 C:\WINDOWS\Tasks\At62.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-10-05 C:\WINDOWS\Tasks\At63.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-10-06 C:\WINDOWS\Tasks\At64.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-10-05 C:\WINDOWS\Tasks\At65.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-10-05 C:\WINDOWS\Tasks\At66.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-10-05 C:\WINDOWS\Tasks\At67.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-10-05 C:\WINDOWS\Tasks\At68.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-10-05 C:\WINDOWS\Tasks\At69.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-24 C:\WINDOWS\Tasks\At7.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-01 C:\WINDOWS\Tasks\At70.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-10-05 C:\WINDOWS\Tasks\At71.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-10-05 C:\WINDOWS\Tasks\At72.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-24 C:\WINDOWS\Tasks\At8.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-09-24 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Acrobat Assistant 8 - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
MSConfigStartUp-PCSuiteTrayApplication - C:\Nokia PC Suite\Nokia PC Suite 6\LaunchApplication.exe
MSConfigStartUp-PcSync - C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Roscoe\Application Data\Mozilla\Firefox\Profiles\9ucfx9sp.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/ig
FF -: plugin - C:\Acrobat Reader 8.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\DivX\DivX Player\npDivxPlayerPlugin.dll
FF -: plugin - C:\DivX\DivX Web Player\npdivx32.dll
FF -: plugin - C:\Documents and Settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF -: plugin - C:\Firefox\plugins\np32dsw.dll
FF -: plugin - C:\Firefox\plugins\NPCDP32.DLL
FF -: plugin - C:\Firefox\plugins\npdivx32.dll
FF -: plugin - C:\Firefox\plugins\npDivxPlayerPlugin.dll
FF -: plugin - C:\Firefox\plugins\npnul32.dll
FF -: plugin - C:\Firefox\plugins\NPOFFICE.DLL
FF -: plugin - C:\Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 15:06:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Ad-Aware\aawservice.exe
C:\Avast Antivirus 4\aswUpdSv.exe
C:\Avast Antivirus 4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Avast Antivirus 4\ashMaiSv.exe
C:\Avast Antivirus 4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-10-06 15:12:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-06 14:12:27

Pre-Run: 17,703,776,256 bytes free
Post-Run: 17,604,272,128 bytes free

288 --- E O F --- 2008-09-10 15:17:16

And here is another HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:16:23, on 06/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Ad-Aware\aawservice.exe
C:\Avast Antivirus 4\aswUpdSv.exe
C:\Avast Antivirus 4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Avast Antivirus 4\ashMaiSv.exe
C:\Avast Antivirus 4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Mozilla Thunderbird.lnk = C:\Thunderbird\thunderbird.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res:/C:\Desktop Sidebar\sbhelp.dll/menuhandler.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167334026125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167333693312
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast Antivirus 4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast Antivirus 4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast Antivirus 4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast Antivirus 4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5169 bytes

Thanks! :)

pskelley
2008-10-06, 17:10
Thanks for returning your information and the feedback, have a look here:
http://www.google.com/search?hl=en&q=Tu1lqc6u.exe+&btnG=Search

It is very possible you infected the computer with a USB or Flash Drive. I would not use any that have been in the computer until they are formatted:
http://www.scribd.com/doc/231100/Reformatting-a-USB-Drive
I will remove all mountpoints in case they are infected.

I can't get the first link to open, but the second will do. I have not run into this before, so we are learning together and I have no idea if we can remove the infection, just so you will know.
TU1LQC6U.EXE, Spyware Remove <<< this item has set Scheduled Tasks on the computer, look at the combofix log, this is the first one:
2008-09-27 C:\WINDOWS\Tasks\At1.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]
I count about 48 of those, and I would like you to delete them all like this.

Go to the Scheduled Tasks applet in Control Panel, right-click the task you want to delete, and select Delete from the displayed context menu. Click Yes to confirm the deletion. Be aware that you can't delete tasks you've created with the Task Scheduler Wizard from the command line using the AT command. http://support.microsoft.com/kb/308671

Once that is done, then do this:

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\Tu1lqc6u.exe
C:\WINDOWS\system32\VS3aXx78.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kyiqujjd]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7126e2c3-969c-11db-998f-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9a48103-72a8-11dc-bcf0-0001803fa654}]

Folder::
C:\Documents and Settings\Roscoe\Local Settings\Temp

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please give me a report on the computer's performance at this point.

Thanks
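
As an added example (not part of the thread, and not ComboFix's own code), a small Python triage script that does over a log excerpt what Phil did by eye above: it groups the AtN.job tasks by the binary they launch, flags clusters and targets with no recorded file stamp, and lists the mountpoints2 AutoRun handlers that point at removable media. The sample log is constructed from the ComboFix sections quoted in this thread; the regexes assume that ComboFix layout.

```python
"""Triage a ComboFix-style log excerpt: cluster the AtN.job scheduled tasks by the
binary they launch and list the AutoRun handlers recorded under mountpoints2."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the thread's ComboFix output (not a real log file).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9a48103-72a8-11dc-bcf0-0001803fa654}]
\Shell\Auto\command - F:\autorun.bat
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.bat
\Shell\explore\Command - F:\autorun.bat
.
Contents of the 'Scheduled Tasks' folder

2008-09-27 C:\WINDOWS\Tasks\At1.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-10-05 C:\WINDOWS\Tasks\At49.job
- C:\WINDOWS\system32\VS3aXx78.exe []

2008-09-24 C:\WINDOWS\Tasks\At5.job
- C:\WINDOWS\system32\Tu1lqc6u.exe [2008-09-24 17:13]

2008-09-28 C:\WINDOWS\Tasks\At50.job
- C:\WINDOWS\system32\VS3aXx78.exe []
"""

# "2008-09-27 C:\WINDOWS\Tasks\At1.job" is followed by "- <target> [<timestamp or empty>]"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} C:\\WINDOWS\\Tasks\\(At\d+)\.job$", re.I)
TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")
# One registry key per volume, then one "\Shell\<verb>\command - <cmd>" line per handler
MOUNT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\([^\]]+)\]$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)

def parse_tasks(log):
    """Map each launched binary to the At-jobs that run it and the file stamps seen."""
    tasks = defaultdict(lambda: {"jobs": [], "file_info": set()})
    lines = log.splitlines()
    for i, line in enumerate(lines[:-1]):
        job = TASK_RE.match(line)
        target = TARGET_RE.match(lines[i + 1]) if job else None
        if job and target:
            tasks[target.group(1)]["jobs"].append(job.group(1))
            tasks[target.group(1)]["file_info"].add(target.group(2))
    return dict(tasks)

def suspicious_tasks(tasks, min_jobs=2):
    """Flag targets launched by a cluster of At-jobs, or whose file stamp is empty
    (ComboFix found no file to stamp, as for the binary Avast had already removed)."""
    flagged = []
    for target, info in sorted(tasks.items()):
        reasons = []
        if len(info["jobs"]) >= min_jobs:
            reasons.append("%d At-jobs launch it" % len(info["jobs"]))
        if "" in info["file_info"]:
            reasons.append("no file timestamp recorded for the target")
        if reasons:
            flagged.append((target, reasons))
    return flagged

def parse_mountpoints(log):
    """Return (volume, verb, command) for every AutoRun handler under mountpoints2."""
    handlers, current = [], None
    for line in log.splitlines():
        key = MOUNT_RE.match(line)
        if key:
            current = key.group(1)
            continue
        if not line.strip():          # a blank line ends the current key's block
            current = None
            continue
        handler = AUTORUN_RE.match(line)
        if handler and current:
            handlers.append((current, handler.group(1), handler.group(2)))
    return handlers

if __name__ == "__main__":
    for target, reasons in suspicious_tasks(parse_tasks(SAMPLE_LOG)):
        print(target, "->", "; ".join(reasons))
    for volume, verb, command in parse_mountpoints(SAMPLE_LOG):
        print("mountpoints2\\%s  %s: %s" % (volume, verb, command))
```

Run against a full ComboFix log, the task clusters and any AutoRun command that is not a known game or installer launcher are the entries to look at first.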

Noosentaal
2008-10-07, 14:19
Hey there,

I reformatted my flash drive and got rid of those scheduled tasks as you suggested.

I ran combofix with the CFScript that you gave me and it appeared to run fine although when it came to giving me a log it just gave me a blank notepad file and notepad had an error message saying something along the lines of "notepad cannot find the file".

In regards to how my computer is running - it seems fine to me. After running combofix all the stuff has gone from the system tray next to the clock. In terms of performance it is no better or worse now than before my infection or at any point during it except of course that full screen applications aren't constantly being minimised. Can I dare to hope that I'm infection free now?

Cheers!

pskelley
2008-10-07, 15:00
Thanks for the feedback, look here: C:\Combofix.txt <<< for the text file, I would really like to see those results.
Once we are finished with the malware, I'll have suggestions to perhaps make the computer run better.

Can I dare to hope that I'm infection free now?
Stick with me a bit longer for final checks, this is the next important step.


I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks...Phil

Noosentaal
2008-10-08, 17:06
Hi Phil,

Don't worry, I'm not going to leave this until you say that everything is fixed! I'll gladly accept any advice, once I'm infection free, about how to tighten security.

I had a hunt around for the C:\Combofix.txt file but it's not there and when I searched for it I only found the old log, not the latest one.

I followed the procedure for the recovery console using the downloaded file from microsoft because it seemed easier than using my CD, I did all that and it gave me this CF-RC log:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Cheers!

pskelley
2008-10-08, 17:17
Good job installing Recovery Console. A little information for you:
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Because there was some nasty junk on the computer, I would like to have ESET do a check for us:

* Please run this free online virus scanner from ESET ( http://www.eset.eu/online-scanner)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic


Let me know about any malware issues.

Thanks...Phil

Noosentaal
2008-10-08, 23:06
Hi Phil,

I uninstalled combofix from my computer and wiped my system restore as requested. I also ran the Eset scanner; worryingly it found a file with a similar name to the ones we've had problems with in my temp folder. Here is the log:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3504 (20081008)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=e901f45f8199aa47939d34bcbf7ff303
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-08 07:45:29
# local_time=2008-10-08 08:45:29 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=293628
# found=3
# scan_time=4485
C:\Documents and Settings\Roscoe\Local Settings\temp\ALXr0164.exe Win32/TrojanDownloader.Firu trojan (unable to clean - deleted) 00000000000000000000000000000000
R:\Downloads\Programs\Nero 7.7.5.1 + KeyGen\Nero 7.7.5.1 + KeyGen.exe Win32/Toolbar.AskSBar application (deleted) 00000000000000000000000000000000
R:\Downloads\Programs\Nero 7.7.5.1 + KeyGen\Nero 7.7.5.1 + KeyGen.exe »RAR »Toolbar.exe Win32/Toolbar.AskSBar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000


Cheers!

pskelley
2008-10-08, 23:22
Well, that kind of explains why you were infected with so much junk.

R:\Downloads\Programs\Nero 7.7.5.1 + KeyGen\Nero 7.7.5.1 + KeyGen.exe Win32/Toolbar.AskSBar application (deleted)

C:\Documents and Settings\Roscoe\Local Settings\temp\ALXr0164.exe Win32/TrojanDownloader.Firu trojan (unable to clean - deleted)

http://en.wikipedia.org/wiki/Keygen

Programs that generate valid CD keys or serial/registration numbers for a piece of software are also commonly called keygens. These are made available by software cracking groups for free download on various websites dedicated to software piracy. The use of Keygens to activate software without purchasing a genuine code is illegal.
http://forums.spybot.info/forumdisplay.php?f=22

Note: We do not support the use of illegal Pirated/Warez/Cracked software.
Helping a person who insists on using such software, could be construed in the eyes of the law to be aiding and abetting a crime. Therefore you will be asked to remove any cracked programs and in the case of your operating system, to obtain a valid licensed copy.
Good luck

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html