PDA

View Full Version : DR/Hupigon.dsx.914 dropper virus? (Resolved)



johntee
2009-07-08, 08:28
Hi. I had a problem on my Toshiba laptop with a DR/Hupigon.dsx.914 dropper virus. I posted and started getting kind help a few weeks ago from PSKelley at
http://forums.spybot.info/showthread.php?p=318315#post318315
(which has now been archived)
but shortly after we started the process of disinfecting my computer, things rapidly went bad (whether from the virus, or the disinfecting software, or a failing hard drive, I don't know)... When I began running MalwareBytes as suggested, it never got to complete itself, it kept rebooting in the Scan phase (never got to the Fix phase). A short time later, I got the Blue Screen of Death, and Windows XP eventually wouldn't even boot up (even with the Toshiba Recovery CD in there).

Well now I'm back and running with a new hard drive (in case the bootup problems were stemming from a failing drive), and a restored backup from January (so, nice and clean pre-virus). (I use Casper XP for my backups.)

I want to disinfect the old hard drive, so I can safely retrieve the data that's on there since January. So now I'm in the position of being able to run the disinfecting on the old drive attached as an external drive (which I'm hoping may help ease the disinfecting since the operating system will be coming off another drive).

What should I do before I attach the virus-laden drive to the restored PC? I want to be sure I don't immediately infect the restored PC, if possible.
Then hopefully someone can guide me in flushing out the nasties.

Thanks for your help, again!!
John

katana
2009-07-10, 01:09
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------


Are you connecting the old drive via USB ?

johntee
2009-07-10, 07:42
Yes, it will be connected via USB. Windows XP, if that matters at all.
Thanks!

katana
2009-07-10, 13:14
----------------------------------------------------------------------------------------
Step 1

USBNoRisk

Please download USBNoRisk (http://amf.mycity.co.yu/personal/bobby/USBNoRisk/usbnorisk.exe) to your Desktop and run it by double-clicking the program's icon
wait a couple of seconds for initial scan to be done
connect all of the USB storage devices to the PC, one at a time, and keep each one connected at least for 10 seconds
if there are more USB storage devices to scan, please take a note about the order in which these were connected
after all the devices are scanned, choose "Save log" option from right-click menu on Monitor tab. That will open the log in Notepad. Please copy/paste the log to forum

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

----------------------------------------------------------------------------------------
Step 2

Make sure your old hard drive is connected before the next step

----------------------------------------------------------------------------------------
Step 3

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Kaspersky log

johntee
2009-07-11, 18:55
Hi. Here's the log file from USBnorisk.
Is the crazy circus music normal?? :)

I left USBnorisk running while I did Step 2 and 3 (since you didn't say to close it).


USBNoRisk 2.4 (1 June 2009) by bobby

Started at 7/11/2009 11:42:59 AM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {27a42570-fe10-11d7-8205-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 27a42570-fe10-11d7-8205-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 7/11/2009 11:43:38 AM

Scanning for connected USB mass storage...
----------------------------------------
E: {67e469a2-6e2d-11de-9673-00038a000015}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
No Autorun.inf files found on E:
No mountpoint found for E:
Sanitized mountpoint for 67e469a2-6e2d-11de-9673-00038a000015
----------------------------------------

No Desktop.ini files found on E:
----------------------------------------

No mimics found on drive E:
========================================

katana
2009-07-11, 22:53
Is the crazy circus music normal?? :)

Ha ! .... I'd never heard that before, I don't usually have the sound turned up on my lappy :lol:

Do you have the Kaspersky log ?

johntee
2009-07-12, 02:17
Kaspersky is still running its scan (41% after about 5 hours, but it did get delayed by a "sighting" by my Avira AntiVir Guard software, which had flagged:
A virus or unwanted program was found!
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.DLL
Contains recognition pattern of the ADSPY/Wheaterbug.A adware or spy ware.

I chose DENY ACCESS, and it continued the scan.

(I don't think Kaspersky flagged that (maybe because I clicked Deny Access) -- the Threat Names count stayed at 2, and the Infected Objects count stayed at 4.)

I'll post the log once it's done, but I suspect it will be tomorrow or very late tonight...
Thanks!
John

johntee
2009-07-12, 08:25
hmmm, not sure what to make of this...
I let Kaspersky continue its scan, and after 10 hours it was at at least 53% through. It had gotten all the way through the C:\ drive, and had started on the E:\ external USB drive, which is largely the same as C: except E: has several recent months of changes.

At one point while I was away from the computer, it rebooted. I checked the System Event Log and found the following:


Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. Source = EventLog. EventID = 6009.
then: The Event log service was started. Source = EventLog. EventID = 6005.
then: The computer has rebooted from a bugcheck. The bugcheck was: 0x10000050 (0xe62bf294, 0x00000000, 0x804f408a, 0x00000002). A dump was saved in: C:\WINDOWS\Minidump\Mini071209-01.dmp.
Source = Save Dump. EventID = 1001.

I tried to open the .dmp file in WordPad, but it showed unintelligible characters. I don't know if you could retrieve something from it that would help you figure out what happened.

During Kaspersky's scan, my Avira AntiVir Guard program gave 3 messages --

C:\Program Files\AWS\Weatherbug\Transporter.DLL, which contained ADSPY/Wheaterbug.A virus pattern.
C:\Windows\cpbrkpie.ocx, which contained ADSPY/Coupon.H virus pattern.
E:\Program Files\AWS\Weatherbug\Transporter.DLL, which contained ADSPY/Wheaterbug.A virus pattern.


I wasn't able to find any log file with the Kaspersky results. It had found 2 Threat Names, and 4 Infected Objects (pretty early on in the scan, because those numbers stayed the same for the bulk of the scan time.)

Thanks!
John

katana
2009-07-12, 17:53
**Note**

To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.


Please run the Kaspersky scan again, but do the drives separately.
Scan C: post the report
Then scan E: and post the report

That should speed things up.

johntee
2009-07-14, 16:11
well, it happened again --
About 49 minutes into Kaspersky's scan of just the C:\ drive, it rebooted and in the System Event Log I see the same message (although with different offset addresses than last attempt):
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000004e (0x00000099, 0x00000000, 0x00000000, 0x00000000). A dump was saved in: C:\WINDOWS\Minidump\Mini071209-03.dmp.

Is this virus-related? The laptop with brand new hard drive + backup from January had seemed stable previously (although I didn't use it much), before I hooked up the USB with the virus-laden drive (with USBnorisk running).

(Prior to the attempt to run Kaspersky's, I had gotten a Blue Screen while in IE, that said something like PAGE FAULT IN NON-PAGED AREA. I rebooted and it seemed better (but with lots of heavy disk activity at startup).
When I tried running Kaspersky's after that, it gave me a "starting Java applet failed. Go online to run." I rebooted, and got a "LSASS.EXE application failed to initialize properly (OXC000005)" on reboot. Seemed to hang on a black screen after I click OK to Terminate. I had to force-shut it down (power button).)

Thanks!
John

katana
2009-07-14, 19:45
Is this virus-related?

I doubt it,
It will just be a zipped file or something that Kaspersky is choking on.

Just scan the E: drive, as that is the one we are interested in :)

johntee
2009-07-19, 19:20
OK, will scan the E: drive and let you know the results as soon as it's finished.

Thanks,
John

johntee
2009-07-20, 06:06
OK, here's what it showed for the E:\ drive scan, but I suspect it's actually not a complete scan. I saw it as high as about 25% after 3-4 hours, and around that time I followed a link to a website, which, although it opened in a separate tab, coincided with the "completion" of the scan.
So unless the progress percentage is not accurate (3-4 hours for 25%, then mere minutes for the other 75%), I suspect it didn't actually complete the scan of the drive (although it says it did). I'm going to start the scan again to be sure, but thought I'd post the one item it found in the first scan --


KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, July 19, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, July 19, 2009 23:24:56
Records in database: 2496969


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Folder
E:\

Scan statistics
Files scanned 77494
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 03:48:57

File name Threat name Threats count
E:\Program Files\RecentFilesViewer\RecentFilesView.exe Infected: not-a-virus:PSWTool.Win32.WinPassViewer.k 1

The selected area was scanned.

katana
2009-07-20, 13:21
(3-4 hours for 25%, then mere minutes for the other 75%),

It's possible.

That looks fine :)
Let me know how the new scan goes.

johntee
2009-07-20, 16:47
Yeah, I think the progress meter is just not accurate as to time... It must have been just coincidence that it ended just when I opened that other webpage last night. I let it run again overnight, and it took almost the same time with same result --


KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 20, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, July 20, 2009 04:27:38
Records in database: 2498217


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Folder
E:\

Scan statistics
Files scanned 77494
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 03:54:00

File name Threat name Threats count
E:\Program Files\RecentFilesViewer\RecentFilesView.exe Infected: not-a-virus:PSWTool.Win32.WinPassViewer.k 1

The selected area was scanned.



P.S. I think I found the source of my laptop's recent instability -- I may have had a failing RAM memory module. I'd upgraded RAM months and months ago, with no problems, but the recent Bugchecks seemed to point to RAM. I downgraded back to the original sticks, and it's been running without incident for 15+ hours. Now I should be able to follow whatever instructions to clean out the virus/spyware... Thanks!
John

katana
2009-07-20, 21:53
Nothing to worry about there, you can get your data off that drive safely and then delete the old system folders that aren't needed now :)

Are there any other problems or questions ?

johntee
2009-07-21, 19:00
Are there other detection programs I can run, because my Avira Anti-Vir had detected the Dr/Hupigon virus, and MalwareBytes had found some infected files (during a scan it could never complete, probably due to the failing RAM), and my Yahoo account password had been compromised and used to send spam.

Thanks!
John

katana
2009-07-21, 21:05
You didn't mention any of this, I thought we were just checking the old drive !


Malwarebytes' Anti-Malware
I notice that you have MBAM installed, please do the following

Start MalwareBytes AntiMalware

Update Malwarebytes' Anti-Malware
Select the Update tab
Click Update

When the update is complete, select the Scanner tab
Select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidently close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html)

johntee
2009-07-22, 07:44
Should I have USBnorisk running while I do the other checks you recommended?

katana
2009-07-22, 13:11
No need, it has already stopped the autorun feature.

johntee
2009-07-22, 20:09
I don't have to run USBnorisk even once now, even after having turned the computer off since the last time it was run?

Any viruses should be on E:\ drive (unless they spread once I attached E:\ to the laptop). The C:\ drive was restored from a backup from January, when I believe everything was clean.

katana
2009-07-22, 22:09
I don't have to run USBnorisk even once now, even after having turned the computer off since the last time it was run?


Correct :)

johntee
2009-07-26, 04:48
Here is the log file from MalwareBytes' scan --


Malwarebytes' Anti-Malware 1.39
Database version: 2498
Windows 5.1.2600 Service Pack 3

7/25/2009 9:45:33 PM
mbam-log-2009-07-25 (21-45-33).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 345105
Time elapsed: 11 hour(s), 12 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/WINDOWS/cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
c:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
c:\WinOrg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WinRAR_UnPackerInstallation.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\winzip110.exe (Trojan.Agent) -> Quarantined and deleted successfully.

johntee
2009-07-26, 06:17
Two things --
After I had MalwareBytes remove the infected files and I allowed it to reboot, Windows didn't reboot successfully (on the first attempt) -- it said: "We apologize for the inconvenience but Windows did not start successfully." I chose Normal Startup for the re-try, and it did reboot that time.

Then I tried to run ComboFix, following the instructions about turning off anti-virus and even the Windows firewall. I use Avira Antivir PersonalEdition. I disabled it from the system tray just as the directions said. When I ran ComboFix though, it gave me a warning that it had detected real time scanners and it listed Antivir PersonalEdition about 6 times.

I then stopped AVGNT.EXE from the Task Manager, and AVGUARD.EXE via Service.msc (because it wouldn't let me stop it from Task Manager -- access denied messages). I can't find anywhere now that Avira is running, but ComboFix is still giving me 6 warning lines when I try to run it.

(I cancelled out of ComboFix at the Disclaimer page, since the only response to the anti-virus warning messages is "OK".)

What anti-vir is it finding, and how can I delete them? Is the 6 lines of warning indicative of multiple instances of the AntiVir running?

Oh and one more question --is this message: "Caution - ComboFix.exe may be downloaded from any of the above sites. If you have downloaded from some other site, there's a likely chance that it may be tainted. For peace of mind, I suggest that you delete the current copy and get a fresh one."
a message everyone gets, or is it an indication that I actually need to re-download it? I had used the link in your previous message to download ComboFix.

Thanks!
John

katana
2009-07-26, 11:43
1) What anti-vir is it finding, and how can I delete them? Is the 6 lines of warning indicative of multiple instances of the AntiVir running?

2) --is this message: ~ a message everyone gets, or is it an indication that I actually need to re-download it? I had used the link in your previous message to download ComboFix.

1) Security programs are notoriously difficult to stop, and most of the time that is a good thing :)
Use the instructions for AVIRA ANTIVIR on this page
http://www.bleepingcomputer.com/forums/topic114351.html

That will disable it sufficiently, if Combofix still detects Avira you can ignore the warning.

2) That is a standard message, if you used the link I posted then you are fine.

johntee
2009-07-26, 18:44
And here's the ComboFix log.

(I noticed at least one weird entry -- hxxp://rick.viewnetcam.com:81/kxhcm10.ocx
I also noticed alot of extra programs mentioned that I'd love to disable from the Startup -- Itunes helper,
Adobe Reader, etc. -- to speed up my PC.
There's also a mention of Symantec NetDetect, which I don't think I use -- I use Avira.
I had started using Selective Startup to prune out some of these, but I'd been told
to switch back to Normal Startup for diagnosing/treating the virus infection.)

Thanks!
John

======================================
ComboFix 09-07-25.06 - newJohn 07/26/2009 10:50.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.151 [GMT -4:00]
Running from: c:\documents and settings\newJohn\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00FC-0D24-347CA8A3377C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1390067357-764733703-839522115-1003
c:\recycler\S-1-5-21-3010599806-841414442-3136671617-1003
c:\windows\Installer\3f482.msp
c:\windows\Installer\51dcb2.msp

.
((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-25 14:06 . 2009-07-25 14:06 -------- d-----w- c:\documents and settings\newJohn\Application Data\Malwarebytes
2009-07-25 14:06 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-25 14:06 . 2009-07-25 14:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-25 14:06 . 2009-07-25 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-25 14:06 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:01 . 2009-07-19 18:53 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2009-07-19 17:31 . 2009-07-19 18:00 17815040 ----a-w- C:\dbg_x86_6.11.1.404.msi
2009-07-19 16:37 . 2009-07-19 16:37 -------- d-----w- C:\WindowsMemoryDiagnostic
2009-07-19 16:36 . 2009-07-19 16:36 654920 ----a-w- C:\mtinst.exe
2009-07-11 15:24 . 2009-07-20 13:50 -------- d-----w- C:\USBNoRisk
2009-07-11 15:17 . 2009-07-11 15:17 -------- d-----w- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-07-06 06:03 . 2009-06-18 03:22 30075904 ----a-w- C:\avira_antivir_personal_en.exe
2009-07-06 05:47 . 2009-07-06 05:42 1572864 ---ha-w- c:\documents and settings\newJohn\BackupCopy of NTUSER.DAT
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\HP
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\King Stairs
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\InstallShield
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\Lavasoft
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\Konrad Papala
2009-07-06 05:24 . 2008-08-17 22:47 13505768 ----a-w- c:\documents and settings\newJohn\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airinstaller1x0\airinstaller1x0.exe
2009-07-06 05:24 . 2007-04-19 23:11 1214696 ----a-w- c:\documents and settings\newJohn\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-07-06 05:24 . 2009-07-06 05:29 -------- d-----w- c:\documents and settings\newJohn\Application Data\MailWasher
2009-07-06 05:24 . 2009-07-06 05:38 -------- d-----w- c:\documents and settings\newJohn\Application Data\MailWasherPro
2009-07-06 05:22 . 2009-07-06 05:29 -------- d-----w- c:\documents and settings\newJohn\Application Data\Quick To-Do Pro
2009-07-06 05:22 . 2009-07-06 05:29 -------- d-----w- c:\documents and settings\newJohn\Application Data\PDF reDirect
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\NwDocx
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\MyPublisher
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\RhinoSoft.com
2009-07-06 05:22 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\StumbleUpon
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\soft-evolution
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\SmartFTP
2009-07-06 05:21 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\vlc
2009-07-06 05:21 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\uTorrent
2009-07-06 05:21 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\Template
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\Yahoo! Messenger
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\Yahoo!
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\WinOrganizer
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\U3
2009-07-06 05:13 . 2009-07-06 05:30 -------- d-----w- c:\documents and settings\newJohn\Application Data\FaxCtr
2009-07-06 05:12 . 2008-11-29 01:25 67240 ----a-w- c:\documents and settings\newJohn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 04:18 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-06 04:18 . 2009-02-06 10:39 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-07-06 04:18 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-06 04:18 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-06 04:18 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-06 04:18 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-06 04:18 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-06 04:18 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-06 04:18 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-06 04:18 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-06 04:11 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-06 04:11 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-06 04:11 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-06 04:11 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-06 04:11 . 2009-07-06 04:11 -------- d-----w- c:\program files\Avira
2009-07-06 04:11 . 2009-07-06 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-06 04:09 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-06 04:09 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-06 03:38 . 2009-07-06 03:38 67240 ----a-w- c:\documents and settings\John (Personal).HURECON-LAPTOP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 03:30 . 2009-07-06 03:30 -------- d-----w- c:\documents and settings\John Trojnacki\Application Data\FaxCtr
2009-07-06 03:26 . 2009-07-06 03:26 -------- d-----w- c:\documents and settings\John (Personal).HURECON-LAPTOP\Application Data\FaxCtr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 14:37 . 2008-11-01 00:10 -------- d-----w- c:\program files\Swift To-Do List
2009-07-14 12:53 . 2009-07-14 12:53 16384 ----a-w- c:\windows\~DFB0C6.tmp
2009-07-06 03:26 . 2006-12-14 01:45 -------- d-----w- c:\program files\Lx_cats
2009-07-02 02:01 . 2006-03-19 21:25 -------- d-----w- c:\program files\Future Systems Solutions
2009-05-07 15:32 . 2003-08-12 17:07 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-02-06 22:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2008-12-02 20:12 . 2008-12-20 03:01 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 68856]
"SwiftToDoList"="c:\program files\Swift To-Do List\Swift To-Do List.exe" [2008-08-01 1462272]
"NBJ"="c:\progra~1\Nero\NERO7~1\NEROBA~1\NBJ.exe" [2005-10-11 1961984]
"DW6"="c:\progra~1\THEWEA~1\Desktop\DesktopWeather.exe" [2008-06-10 785520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\System32\EZSP_PX.EXE" [2002-08-20 40960]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-01-17 253952]
"LXCECATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]
"lxcemon.exe"="c:\program files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 192512]
"EzPrint"="c:\program files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 94208]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"TFncKy"="TFncKy.exe" [BU]
"NDSTray.exe"="NDSTray.exe" [BU]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]

c:\documents and settings\newJohn\Start Menu\Programs\Startup\
Evernote.lnk - c:\program files\Evernote\Evernote3\EvernoteTray.exe [2008-10-31 350144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-1-11 39792]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-5-11 738968]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-8-12 155648]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\microsoft frontpage\\bin\\fpexplor.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\TOSHIBA\\Ivp\\NetInt\\Netint.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\nanoCom Corporation\\iSpQ VideoChat\\iSpQVideoChat75.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\system32\drivers\ALiAGP.SYS [8/12/2003 5:43 PM 26880]
R2 MSSQL$ENCOREPRO;MSSQL$ENCOREPRO;c:\program files\Microsoft SQL Server\MSSQL$ENCOREPRO\Binn\sqlservr.exe [5/4/2005 12:04 AM 9158656]
R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [4/24/2003 7:39 PM 248448]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/6/2009 12:11 AM 108289]
S2 mrtRate;mrtRate; [x]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [11/21/2004 3:49 PM 26488]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [8/12/2003 5:36 PM 26112]
S3 SPCA508A;Micro WebCam;c:\windows\system32\drivers\SPCA508A.SYS [4/23/2001 2:23 PM 98073]
S3 SQLAgent$ENCOREPRO;SQLAgent$ENCOREPRO;c:\program files\Microsoft SQL Server\MSSQL$ENCOREPRO\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
S3 TTIUSB;TTIUSB;c:\windows\system32\drivers\2800.sys [5/26/2007 1:55 PM 39448]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [8/12/2003 5:37 PM 156672]
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2004-01-08 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-12 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVGCtrl - c:\program files\AVPersonal\AVGNT.EXE
HKLM-Run-RCHotKey - c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = 127.0.0.1:8088
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: StumbleUpon: &Blog This - StumbleUponIEBar.dll/blogimage
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
Trusted Zone: stumbleupon.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://rick.viewnetcam.com:81/kxhcm10.ocx
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 11:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-26 11:27
ComboFix-quarantined-files.txt 2009-07-26 15:26

Pre-Run: 102,408,613,888 bytes free
Post-Run: 102,790,471,680 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

219

katana
2009-07-26, 21:25
I'll give you a link for Winpatrol shortly
It is an excellent program to manage your startups.


Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



http://forums.spybot.info/showthread.php?p=324562#post324562
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Driver::
mrtRate

Suspect::
c:\windows\system32\drivers\2800.sys
File::
c:\windows\Tasks\Symantec NetDetect.job
DDS::
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://rick.viewnetcam.com:81/kxhcm10.ocx

ADS::
Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


----------------------------------------------------------------------------------------

johntee
2009-07-27, 01:55
(I didn't limit you to just looking for the few lines that looked inappropriate to me, right? Just that Symantec and rick-cam jumped out at me...)


ComboFix 09-07-25.08 - newJohn 07/26/2009 17:39.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.230 [GMT -4:00]
Running from: c:\documents and settings\newJohn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\newJohn\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00FC-0D24-347CA8A3377C}

FILE ::
"c:\windows\Tasks\Symantec NetDetect.job"

file zipped: c:\windows\system32\drivers\2800.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\Symantec NetDetect.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MRTRATE
-------\Service_mrtRate


((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-25 14:06 . 2009-07-25 14:06 -------- d-----w- c:\documents and settings\newJohn\Application Data\Malwarebytes
2009-07-25 14:06 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-25 14:06 . 2009-07-25 14:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-25 14:06 . 2009-07-25 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-25 14:06 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:01 . 2009-07-19 18:53 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2009-07-19 17:31 . 2009-07-19 18:00 17815040 ----a-w- C:\dbg_x86_6.11.1.404.msi
2009-07-19 16:37 . 2009-07-19 16:37 -------- d-----w- C:\WindowsMemoryDiagnostic
2009-07-19 16:36 . 2009-07-19 16:36 654920 ----a-w- C:\mtinst.exe
2009-07-11 15:24 . 2009-07-20 13:50 -------- d-----w- C:\USBNoRisk
2009-07-11 15:17 . 2009-07-11 15:17 -------- d-----w- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-07-06 06:03 . 2009-06-18 03:22 30075904 ----a-w- C:\avira_antivir_personal_en.exe
2009-07-06 05:47 . 2009-07-06 05:42 1572864 ---ha-w- c:\documents and settings\newJohn\BackupCopy of NTUSER.DAT
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\HP
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\King Stairs
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\InstallShield
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\Lavasoft
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\Konrad Papala
2009-07-06 05:24 . 2008-08-17 22:47 13505768 ----a-w- c:\documents and settings\newJohn\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airinstaller1x0\airinstaller1x0.exe
2009-07-06 05:24 . 2007-04-19 23:11 1214696 ----a-w- c:\documents and settings\newJohn\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-07-06 05:24 . 2009-07-06 05:29 -------- d-----w- c:\documents and settings\newJohn\Application Data\MailWasher
2009-07-06 05:24 . 2009-07-06 05:38 -------- d-----w- c:\documents and settings\newJohn\Application Data\MailWasherPro
2009-07-06 05:22 . 2009-07-06 05:29 -------- d-----w- c:\documents and settings\newJohn\Application Data\Quick To-Do Pro
2009-07-06 05:22 . 2009-07-06 05:29 -------- d-----w- c:\documents and settings\newJohn\Application Data\PDF reDirect
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\NwDocx
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\MyPublisher
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\RhinoSoft.com
2009-07-06 05:22 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\StumbleUpon
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\soft-evolution
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\SmartFTP
2009-07-06 05:21 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\vlc
2009-07-06 05:21 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\uTorrent
2009-07-06 05:21 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\Template
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\Yahoo! Messenger
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\Yahoo!
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\WinOrganizer
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\U3
2009-07-06 05:13 . 2009-07-06 05:30 -------- d-----w- c:\documents and settings\newJohn\Application Data\FaxCtr
2009-07-06 05:12 . 2008-11-29 01:25 67240 ----a-w- c:\documents and settings\newJohn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 04:18 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-06 04:18 . 2009-02-06 10:39 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-07-06 04:18 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-06 04:18 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-06 04:18 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-06 04:18 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-06 04:18 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-06 04:18 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-06 04:18 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-06 04:18 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-06 04:11 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-06 04:11 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-06 04:11 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-06 04:11 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-06 04:11 . 2009-07-06 04:11 -------- d-----w- c:\program files\Avira
2009-07-06 04:11 . 2009-07-06 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-06 04:09 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-06 04:09 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-06 03:38 . 2009-07-06 03:38 67240 ----a-w- c:\documents and settings\John (Personal).HURECON-LAPTOP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 03:30 . 2009-07-06 03:30 -------- d-----w- c:\documents and settings\John Trojnacki\Application Data\FaxCtr
2009-07-06 03:26 . 2009-07-06 03:26 -------- d-----w- c:\documents and settings\John (Personal).HURECON-LAPTOP\Application Data\FaxCtr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 22:20 . 2008-11-01 00:10 -------- d-----w- c:\program files\Swift To-Do List
2009-07-14 12:53 . 2009-07-14 12:53 16384 ----a-w- c:\windows\~DFB0C6.tmp
2009-07-06 03:26 . 2006-12-14 01:45 -------- d-----w- c:\program files\Lx_cats
2009-07-02 02:01 . 2006-03-19 21:25 -------- d-----w- c:\program files\Future Systems Solutions
2009-05-07 15:32 . 2003-08-12 17:07 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-02-06 22:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2008-12-02 20:12 . 2008-12-20 03:01 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-26_15.19.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-26 22:11 . 2009-07-26 22:11 16384 c:\windows\Temp\Perflib_Perfdata_4d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 68856]
"SwiftToDoList"="c:\program files\Swift To-Do List\Swift To-Do List.exe" [2008-08-01 1462272]
"NBJ"="c:\progra~1\Nero\NERO7~1\NEROBA~1\NBJ.exe" [2005-10-11 1961984]
"DW6"="c:\progra~1\THEWEA~1\Desktop\DesktopWeather.exe" [2008-06-10 785520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\System32\EZSP_PX.EXE" [2002-08-20 40960]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-01-17 253952]
"LXCECATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]
"lxcemon.exe"="c:\program files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 192512]
"EzPrint"="c:\program files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 94208]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"TFncKy"="TFncKy.exe" [BU]
"NDSTray.exe"="NDSTray.exe" [BU]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]

c:\documents and settings\newJohn\Start Menu\Programs\Startup\
Evernote.lnk - c:\program files\Evernote\Evernote3\EvernoteTray.exe [2008-10-31 350144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-1-11 39792]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-5-11 738968]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-8-12 155648]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\microsoft frontpage\\bin\\fpexplor.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\TOSHIBA\\Ivp\\NetInt\\Netint.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\nanoCom Corporation\\iSpQ VideoChat\\iSpQVideoChat75.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\system32\drivers\ALiAGP.SYS [8/12/2003 5:43 PM 26880]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/6/2009 12:11 AM 108289]
R2 MSSQL$ENCOREPRO;MSSQL$ENCOREPRO;c:\program files\Microsoft SQL Server\MSSQL$ENCOREPRO\Binn\sqlservr.exe [5/4/2005 12:04 AM 9158656]
R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [4/24/2003 7:39 PM 248448]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [11/21/2004 3:49 PM 26488]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [8/12/2003 5:36 PM 26112]
S3 SPCA508A;Micro WebCam;c:\windows\system32\drivers\SPCA508A.SYS [4/23/2001 2:23 PM 98073]
S3 SQLAgent$ENCOREPRO;SQLAgent$ENCOREPRO;c:\program files\Microsoft SQL Server\MSSQL$ENCOREPRO\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
S3 TTIUSB;TTIUSB;c:\windows\system32\drivers\2800.sys [5/26/2007 1:55 PM 39448]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [8/12/2003 5:37 PM 156672]
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = 127.0.0.1:8088
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: StumbleUpon: &Blog This - StumbleUponIEBar.dll/blogimage
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
Trusted Zone: stumbleupon.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 18:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\drivers\CDANTSRV.EXE
c:\windows\system32\DVDRAMSV.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\system32\lxcecoms.exe
c:\program files\WinZip\WZQKPICK.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-26 18:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 22:33
ComboFix2.txt 2009-07-26 15:27

Pre-Run: 102,816,759,808 bytes free
Post-Run: 102,603,636,736 bytes free

232

katana
2009-07-27, 10:33
(I didn't limit you to just looking for the few lines that looked inappropriate to me, right?

Not at all :)


Please Submit a file

Please open LINK >>> THIS PAGE (http://www.bleepingcomputer.com/submit-malware.php?channel=4) <<<LINK in a new window.


In the box marked Link to topic where this file was requested: please put this text

http://forums.spybot.info/showthread.php?p=324644#post324644

Click the Browse button and navigate to C:\Qoobox\Quarantine\
There should be a zip file there called [4]-Submit_****-**-**_**.**.**.zip ( the * denote Date and time stamp )
Select this file and click Open

In the Largest box please put

File Requested By Katana
Failed Submit

Finally click SendFile


----------------------------------------------------------------------------------------

Download Winpatrol (http://www.winpatrol.com) It is an excellent startup manager and then some !!

Install Winpatrol, and when running click on the Startup Programs tab
You can use this to disable any programs you don't need.


How are things running now, any problems still ?

johntee
2009-07-27, 17:24
OK, I uploaded the Quarantine file as requested.

The computer's been running stable (slow though) since I swapped out the failing RAM memory sticks before we started disinfecting. (Although I haven't used it for anything beyond disinfection, until I know it's clean.)

Did any of the programs that we've run find and eliminate the Hupigon virus? Remember that I'd gotten that warning, and my Yahoo email account had been hacked.

Thanks!
John

katana
2009-07-28, 00:47
1) Did any of the programs that we've run find and eliminate the Hupigon virus? Remember that I'd gotten that warning, and my Yahoo email account had been hacked.
There is no sign of it now, it's possible that it was in the registry. Since you have changed HDD's the registry will be new and the infection won't be present.
If you're AV was warning you about it, then it is likely that the actual file was removed.


----------------------------------------------------------------------------------------
Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First lets tidy up

Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


OTCleanup
Please download OTCleanup from HERE (http://oldtimer.geekstogo.com/OTC.exe)
Click the OTC.exe icon and then click the CleanUp button.
If you get any pop ups asking if it is OK let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.
Let me know if there were any problems with OT CleanIt


You can also delete any logs we have produced, and empty your Recycle bin.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details

AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections

Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'