Nurech infection.....i got the rash...
JArbuckle
2009-08-26, 14:10
I believe I have been infected with NURECH. When I run Spybot S&D, it identifies Nurech, and it cleans it. If I run Spybot immediately again, it still finds Nurech. Thanks in advance for your continuous help!!!!
Here is the HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:36 PM, on 8/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ikowin32.exe
O4 - Global Startup: hpoddt01.exe.lnk.disabled
O4 - Global Startup: officejet 6100.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 7016 bytes
-----------------------
Previous topic: http://forums.spybot.info/showthread.php?p=303887#post303887
----------------------
I ran another Spybot check this a.m. NURECH no longer is identified.
Maybe just a quick look at the original HJT scan will confirm this. Just a sanity check....
Thanks, John
====================
The Waiting Room (http://forums.spybot.info/forumdisplay.php?f=37)
Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137)
shelf life
2009-09-03, 00:45
hi,
You use a proxy server to get on the internet? We will get another malware tool, which you can keep and use:
Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:
http://www.malwarebytes.org/mbam.php
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click **Remove Selected.**
**A restart of your computer most likely will be required to remove some items.**
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt Post the log in your reply.
JArbuckle
2009-09-03, 06:20
Why do you ask "You use a proxy server to get on the internet?" What is a proxy server?
I have used MBAM in the past. I ran a scan just after I found out I was infected, this was on Aug 29. I will post that log first. I will post the most recent scan log right after.
Thanks, John
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is the MBAM log posted after I scanned on AUG 29:
Malwarebytes' Anti-Malware 1.40
Database version: 2711
Windows 5.1.2600 Service Pack 3
8/29/2009 5:12:45 AM
mbam-log-2009-08-29 (05-12-45).txt
Scan type: Full Scan (C:\|)
Objects scanned: 192587
Time elapsed: 57 minute(s), 42 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\All Users\Application Data\11270934 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\drivers\e4471fde.sys (Rootkit.Rustock) -> Delete on reboot.
C:\Documents and Settings\The Niemi Family\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\The Niemi Family\Start Menu\Programs\Startup\ikowin32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is the most recent scan log, just prior to this post, Sep 02. I will wait for your guidance before running anything else.
Malwarebytes' Anti-Malware 1.40
Database version: 2734
Windows 5.1.2600 Service Pack 3
9/2/2009 10:05:30 PM
mbam-log-2009-09-02 (22-05-30).txt
Scan type: Full Scan (C:\|)
Objects scanned: 195088
Time elapsed: 58 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
shelf life
2009-09-04, 22:51
Ok, thanks for the info. A proxy server would be like a computer sitting between your computer and the internet. I say computer, but it could also be software present on your computer that could function like a filter (a local proxy). Your ISP may use a proxy server for caching pages.
We will leave it for now.
We will get one more download for a better look. It's called ComboFix. There is a guide to read first. Read the guide, download ComboFix to your desktop, disable your AV etc. as explained in the guide, double-click the icon and follow the prompts.
Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
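The proxy question above and the Hijack.WindowsUpdates / Broken.OpenCommand entries in the MBAM logs share a theme: the browser is pointed at a port on the local machine and system registry paths are mangled. The following is an added triage script, not code from this thread or from Spybot, Malwarebytes or ComboFix; it scans HijackThis-style R1 lines and MBAM "Bad: (...) Good: (...)" lines for those patterns and also handles the per-protocol `http=host:port;https=host:port` proxy form, which the thread does not show. The sample log is constructed from the thread's own entries; the rule names and helper functions (`proxy_hosts`, `check_line`, `triage`) are mine.

```python
"""Triage helper for the log patterns discussed in this thread.

Added example: not code from the thread or from Spybot, Malwarebytes or
ComboFix. It reads HijackThis-style "R1 ... ProxyServer = ..." lines and the
"Bad: (...) Good: (...)" registry-data lines that Malwarebytes prints, and
flags three patterns the logs above show:
  * a browser proxy pointed at the local machine (traffic interception),
  * a service ImagePath whose %SystemRoot% variable has been mangled, which
    makes the Windows Update / BITS services fail to start,
  * a file-type "open" handler redirected to NOTEPAD.EXE.
The rule names and helper functions are mine; the sample log is constructed
from the entries quoted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: the thread's own HijackThis and MBAM lines, plus a benign
# O4 entry to show that ordinary lines produce no finding.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
"""

# Environment variables that legitimately start a service ImagePath.
STANDARD_ENV_VARS = {"systemroot", "windir", "systemdrive", "programfiles",
                     "commonprogramfiles"}


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule name
    detail: str  # the value that triggered the rule
    line: str    # the log line it came from


def is_loopback(host: str) -> bool:
    """True for hosts that resolve to the local machine."""
    host = host.strip().lower()
    return host == "localhost" or host.startswith("127.") or host in {"::1", "[::1]"}


def proxy_hosts(value: str) -> list[str]:
    """Split a WinINet ProxyServer value into host names.

    Handles the plain "host:port" form seen in the thread and the
    per-protocol "http=host:port;https=host:port" form.
    """
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # drop the "http=" style prefix
            part = part.split("=", 1)[1]
        hosts.append(re.sub(r":\d+$", "", part))  # drop a trailing :port
    return hosts


def check_line(line: str) -> list[Finding]:
    """Apply the three rules to one log line."""
    findings = []
    proxy = re.search(r"ProxyServer\s*=\s*(\S.*)$", line)
    if proxy:
        for host in proxy_hosts(proxy.group(1)):
            if is_loopback(host):
                findings.append(Finding("local-proxy", host, line))
    bad = re.search(r"Bad:\s*\((.*?)\)\s*Good:", line)
    if bad:
        bad_value = bad.group(1).strip()
        if "\\ImagePath" in line:
            # A misspelled variable such as %fystemroot% expands to nothing,
            # so the service binary path no longer resolves.
            env = re.match(r"%([^%]+)%", bad_value)
            if env and env.group(1).lower() not in STANDARD_ENV_VARS:
                findings.append(Finding("mangled-service-path", env.group(0), line))
        elif "\\shell\\open\\command" in line and bad_value.lower().startswith("notepad.exe"):
            findings.append(Finding("handler-redirected", bad_value, line))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run check_line over every non-empty line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
        print(f"    {f.line}")
```

Run against a saved HijackThis or MBAM log by reading the file into `triage()`; a `local-proxy` hit on a machine with no deliberately installed filtering software is the signal behind the helper's proxy question.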
JArbuckle
2009-09-05, 00:55
Here is the ComboFix Log:
ComboFix 09-09-03.02 - The Niemi Family 09/04/2009 16:43.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3710.2814 [GMT -5:00]
Running from: c:\documents and settings\The Niemi Family\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system\oeminfo.ini
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\tmp.reg
c:\windows\wpd99.drv
.
((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.
2009-09-04 07:40 . 2009-09-04 07:40 -------- d-----w- c:\windows\LastGood
2009-08-26 02:10 . 2009-08-26 02:10 -------- d-----w- c:\program files\Trend Micro
2009-08-26 01:45 . 2009-08-26 01:45 -------- d-----w- c:\program files\Safer Networking
2009-08-25 10:41 . 2009-08-14 16:14 93024 ----a-w- c:\windows\system32\IncContxMenu.dll
2009-08-25 01:48 . 2009-08-25 02:18 -------- d-----w- c:\program files\Interbank FX Trader 4 - Robominer
2009-08-21 22:02 . 2009-08-21 22:02 -------- d-----w- c:\documents and settings\The Niemi Family\Application Data\Hewlett-Packard
2009-08-21 21:47 . 2004-10-08 01:16 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2009-08-21 21:45 . 2009-08-21 21:45 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-08-21 21:43 . 2009-08-21 21:47 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-21 21:40 . 2003-03-09 20:31 81920 ----a-r- c:\windows\system32\hpovst08.dll
2009-08-21 21:40 . 2003-03-09 20:30 237568 ----a-r- c:\windows\system32\HPZc3212.dll
2009-08-21 21:40 . 2003-03-09 20:31 561152 ----a-r- c:\windows\system32\hpotscl.dll
2009-08-21 21:40 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-08-21 21:40 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-08-20 10:12 . 2009-08-25 10:18 -------- d-----w- c:\program files\Interbank FX Trader 4 - FSP Demo
2009-08-15 12:59 . 2009-08-15 14:49 -------- d-----w- C:\Thawer MPIs
2009-08-12 19:23 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 03:52 . 2007-01-26 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-04 03:24 . 2007-01-26 20:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-31 10:06 . 2006-08-25 02:12 -------- d-----w- c:\program files\Interbank FX Trader 4
2009-08-30 13:01 . 2007-05-10 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-08-30 12:28 . 2007-05-10 08:09 -------- d-----w- c:\documents and settings\The Niemi Family\Application Data\iolo
2009-08-25 10:20 . 2006-09-03 17:48 -------- d-----w- c:\program files\iolo
2009-08-21 21:47 . 2009-08-21 21:41 20454 ----a-w- c:\windows\hpoins01.dat
2009-08-16 17:53 . 2008-10-10 18:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-14 16:14 . 2006-09-03 17:48 2102112 ----a-w- c:\windows\system32\Incinerator.dll
2009-08-08 12:38 . 2007-09-15 12:14 -------- d-----w- c:\program files\Full Tilt Poker
2009-08-05 09:01 . 2004-08-04 06:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:42 . 2009-08-05 03:39 34 ----a-w- c:\documents and settings\The Niemi Family\jagex_runescape_preferences.dat
2009-08-03 18:36 . 2008-10-10 18:39 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2008-10-10 18:39 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-20 23:58 . 2009-06-13 13:15 -------- d-----w- c:\program files\FXCM MT4 powered by BT
2009-07-17 19:01 . 2004-08-04 06:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 17:32 . 2007-02-12 12:18 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 17:05 . 2006-09-03 17:48 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2009-07-13 15:08 . 2004-08-04 06:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 04:01 . 2008-12-14 14:07 -------- d-----w- c:\program files\FXCM Trader 4 - Live
2009-07-10 04:01 . 2009-07-10 03:25 -------- d-----w- c:\program files\FXCM Trader 4
2009-07-10 02:15 . 2006-06-24 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-10 02:11 . 2009-03-20 11:09 -------- d-----w- c:\program files\TeamViewer
2009-07-10 02:07 . 2009-07-10 02:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\TeamViewer
2009-07-09 18:43 . 2006-06-24 13:22 -------- d-----w- c:\program files\McAfee
2009-07-08 18:44 . 2007-02-12 12:18 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 18:44 . 2007-02-12 12:18 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 18:44 . 2007-02-12 12:18 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 18:44 . 2007-02-12 12:18 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 18:43 . 2007-02-12 12:18 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-07-08 02:36 . 2006-09-03 17:48 11776 ----a-w- c:\windows\system32\smrgdf.exe
2009-06-29 16:12 . 2004-08-04 06:56 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 06:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 06:56 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2004-08-04 06:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-04 06:56 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 06:56 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 06:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 06:56 132096 ----a-w- c:\windows\system32\wkssvc.dll
2007-04-08 12:52 . 2006-08-31 04:46 88 --sha-r- c:\windows\system32\72AB8730E8.sys
2007-04-08 12:52 . 2006-08-31 04:46 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-02-25 01:53 . 2008-01-22 02:05 7395616 --sha-w- c:\windows\system32\drivers\fidbox.dat
2008-02-25 01:53 . 2008-01-22 02:05 774176 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-24 98304]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk.disabled [2009-8-21 779]
officejet 6100.lnk.disabled [2009-8-21 779]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 21:04 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^The Niemi Family^Start Menu^Programs^Startup^IBFX - GPS.lnk]
backup=c:\windows\pss\IBFX - GPS.lnkStartup
[HKLM\~\startupfolder\c:^documents and settings^the niemi family^start menu^programs^startup^ikowin32.exe]
backup=c:\windows\pss\ikowin32.exeStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ioloDelayModule
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\promoreg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ttool
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Wireless Laser Mouse\\uninst00.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"55705:TCP"= 55705:TCP:Remote Desktop Web Connection
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [9/14/2008 7:26 AM 615280]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [9/14/2008 7:26 AM 615280]
S1 e4471fde;e4471fde;c:\windows\system32\drivers\e4471fde.sys --> c:\windows\system32\drivers\e4471fde.sys [?]
S2 0087561252050067mcinstcleanup;McAfee Application Installer Cleanup (0087561252050067);c:\windows\TEMP\008756~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\008756~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2/22/2008 6:02 PM 2385896]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder
2009-08-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8250891827.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-12 02:26]
2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-12 02:26]
2009-09-04 c:\windows\Tasks\User_Feed_Synchronization-{2EAD1599-E094-4C82-A2D2-15857C7707F4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 00:36]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = local
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\The Niemi Family\Application Data\Mozilla\Firefox\Profiles\gues19xl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - component: c:\program files\SiteAdvisor\6253\FF\components\FFHook.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 16:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(456)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
Completion time: 2009-09-04 16:49
ComboFix-quarantined-files.txt 2009-09-04 21:49
Pre-Run: 45,327,966,208 bytes free
Post-Run: 45,426,044,928 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
388 --- E O F --- 2009-08-23 08:00
shelf life
2009-09-05, 04:19
OK, thanks for the info. Looks like MBAM removed this item, but we can run it by ComboFix.
Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:
File::
c:\windows\system32\drivers\e4471fde.sys
Driver::
e4471fde;e4471fde
Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log.
Also rescan and post one more HJT log.
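As an added example (not part of this thread, and not code from ComboFix, HijackThis or any other tool mentioned here), a small Python triage script that reads service and proxy lines in the shape ComboFix and HijackThis print them and flags the things the helper acted on above: a service whose binary is gone from disk, a random-looking eight-hex-digit driver name, and a browser proxy pointing back at the local machine. The sample lines are constructed from the log format above; the reading of the R/S letter and the start-type digit is an assumption.

```python
import ipaddress
import re

# Constructed sample in the line shapes ComboFix prints for services/drivers
# and for Internet Settings (modelled on the logs in this thread).
SAMPLE_LOG = r"""
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [9/14/2008 7:26 AM 615280]
S1 e4471fde;e4471fde;c:\windows\system32\drivers\e4471fde.sys --> c:\windows\system32\drivers\e4471fde.sys [?]
S2 0087561252050067mcinstcleanup;McAfee Application Installer Cleanup (0087561252050067);c:\windows\TEMP\008756~1.EXE -cleanup -nolog -service --> c:\windows\TEMP\008756~1.EXE -cleanup -nolog -service [?]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2/22/2008 6:02 PM 2385896]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = local
"""

# Assumed reading: "R"/"S" = running/stopped, digit = start type (0 boot,
# 1 system, 2 auto, 3 manual, 4 disabled); then name;display;image [trailer].
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
TRAILER_RE = re.compile(r"^(.*?)\s*\[([^\]]*)\]$")
# Also matches the HijackThis "R1 - HKCU\...,ProxyServer = host:port" line.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def check_service(state, start, name, rest):
    """Return the reasons a ComboFix service line deserves a closer look."""
    reasons = []
    m = TRAILER_RE.match(rest.strip())
    path_part, trailer = (m.group(1), m.group(2)) if m else (rest.strip(), "")
    # ComboFix prints [?] when it cannot find the binary and [x] when the
    # image path is empty: either way the entry points at nothing on disk.
    if trailer in ("?", "x"):
        reasons.append("binary missing on disk")
    if HEX_NAME_RE.match(name):
        reasons.append("random-looking 8-hex-digit service name")
    image = path_part.split(" --> ")[0].strip().lower()
    if "\\temp\\" in image:
        reasons.append("image path under a TEMP directory")
    if image.endswith(".sys") and start in ("0", "1"):
        reasons.append("kernel driver set to load at boot/system start")
    return reasons


def check_proxy(value):
    """Flag a browser proxy that points back at the local machine."""
    reasons = []
    for entry in value.split(";"):          # e.g. "http=host:port;https=..."
        host_port = entry.split("=")[-1]
        host = host_port.rpartition(":")[0] or host_port
        try:
            local = ipaddress.ip_address(host).is_loopback
        except ValueError:
            local = host.lower() == "localhost"
        if local:
            reasons.append(f"proxy {host_port} routes browser traffic through "
                           "a local process; identify what listens there")
    return reasons


def triage(log_text):
    """Scan ComboFix/HijackThis lines and return findings worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = SERVICE_RE.match(line)
        if svc:
            state, start, name, _display, rest = svc.groups()
            reasons = check_service(state, start, name, rest)
            if reasons:
                findings.append({"kind": "service", "name": name, "reasons": reasons})
            continue
        prx = PROXY_RE.search(line)
        if prx:
            reasons = check_proxy(prx.group(1))
            if reasons:
                findings.append({"kind": "proxy", "name": prx.group(1), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:7} {f['name']}: {'; '.join(f['reasons'])}")
```

The output is a review list, not a verdict: the McAfee cleanup entry is a legitimate leftover that simply never ran, which is exactly why a human still decides what goes into the CFScript.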
JArbuckle
2009-09-05, 05:52
Here is the new Combofix log:
ComboFix 09-09-03.02 - The Niemi Family 09/04/2009 21:38.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3710.2855 [GMT -5:00]
Running from: c:\documents and settings\The Niemi Family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\The Niemi Family\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FILE ::
"c:\windows\system32\drivers\e4471fde.sys"
.
((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.
2009-09-04 07:40 . 2009-09-04 07:40 -------- d-----w- c:\windows\LastGood
2009-08-26 02:10 . 2009-08-26 02:10 -------- d-----w- c:\program files\Trend Micro
2009-08-26 01:45 . 2009-08-26 01:45 -------- d-----w- c:\program files\Safer Networking
2009-08-25 10:41 . 2009-08-14 16:14 93024 ----a-w- c:\windows\system32\IncContxMenu.dll
2009-08-25 01:48 . 2009-08-25 02:18 -------- d-----w- c:\program files\Interbank FX Trader 4 - Robominer
2009-08-21 22:02 . 2009-08-21 22:02 -------- d-----w- c:\documents and settings\The Niemi Family\Application Data\Hewlett-Packard
2009-08-21 21:47 . 2004-10-08 01:16 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2009-08-21 21:45 . 2009-08-21 21:45 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-08-21 21:43 . 2009-08-21 21:47 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-21 21:40 . 2003-03-09 20:31 81920 ----a-r- c:\windows\system32\hpovst08.dll
2009-08-21 21:40 . 2003-03-09 20:30 237568 ----a-r- c:\windows\system32\HPZc3212.dll
2009-08-21 21:40 . 2003-03-09 20:31 561152 ----a-r- c:\windows\system32\hpotscl.dll
2009-08-21 21:40 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-08-21 21:40 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-08-20 10:12 . 2009-08-25 10:18 -------- d-----w- c:\program files\Interbank FX Trader 4 - FSP Demo
2009-08-15 12:59 . 2009-08-15 14:49 -------- d-----w- C:\Thawer MPIs
2009-08-12 19:23 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 03:52 . 2007-01-26 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-04 03:24 . 2007-01-26 20:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-31 10:06 . 2006-08-25 02:12 -------- d-----w- c:\program files\Interbank FX Trader 4
2009-08-30 13:01 . 2007-05-10 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-08-30 12:28 . 2007-05-10 08:09 -------- d-----w- c:\documents and settings\The Niemi Family\Application Data\iolo
2009-08-25 10:20 . 2006-09-03 17:48 -------- d-----w- c:\program files\iolo
2009-08-21 21:47 . 2009-08-21 21:41 20454 ----a-w- c:\windows\hpoins01.dat
2009-08-16 17:53 . 2008-10-10 18:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-14 16:14 . 2006-09-03 17:48 2102112 ----a-w- c:\windows\system32\Incinerator.dll
2009-08-08 12:38 . 2007-09-15 12:14 -------- d-----w- c:\program files\Full Tilt Poker
2009-08-05 09:01 . 2004-08-04 06:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:42 . 2009-08-05 03:39 34 ----a-w- c:\documents and settings\The Niemi Family\jagex_runescape_preferences.dat
2009-08-03 18:36 . 2008-10-10 18:39 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2008-10-10 18:39 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-20 23:58 . 2009-06-13 13:15 -------- d-----w- c:\program files\FXCM MT4 powered by BT
2009-07-17 19:01 . 2004-08-04 06:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 17:32 . 2007-02-12 12:18 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 17:05 . 2006-09-03 17:48 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2009-07-13 15:08 . 2004-08-04 06:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 04:01 . 2008-12-14 14:07 -------- d-----w- c:\program files\FXCM Trader 4 - Live
2009-07-10 04:01 . 2009-07-10 03:25 -------- d-----w- c:\program files\FXCM Trader 4
2009-07-10 02:15 . 2006-06-24 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-10 02:11 . 2009-03-20 11:09 -------- d-----w- c:\program files\TeamViewer
2009-07-10 02:07 . 2009-07-10 02:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\TeamViewer
2009-07-09 18:43 . 2006-06-24 13:22 -------- d-----w- c:\program files\McAfee
2009-07-08 18:44 . 2007-02-12 12:18 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 18:44 . 2007-02-12 12:18 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 18:44 . 2007-02-12 12:18 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 18:44 . 2007-02-12 12:18 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 18:43 . 2007-02-12 12:18 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-07-08 02:36 . 2006-09-03 17:48 11776 ----a-w- c:\windows\system32\smrgdf.exe
2009-06-29 16:12 . 2004-08-04 06:56 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 06:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 06:56 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2004-08-04 06:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-04 06:56 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 06:56 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 06:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 06:56 132096 ----a-w- c:\windows\system32\wkssvc.dll
2007-04-08 12:52 . 2006-08-31 04:46 88 --sha-r- c:\windows\system32\72AB8730E8.sys
2007-04-08 12:52 . 2006-08-31 04:46 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-02-25 01:53 . 2008-01-22 02:05 7395616 --sha-w- c:\windows\system32\drivers\fidbox.dat
2008-02-25 01:53 . 2008-01-22 02:05 774176 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-09-04_21.47.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-06-30 19:12 . 2009-09-05 02:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-06-30 19:12 . 2009-09-04 17:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-06-30 19:12 . 2009-09-05 02:02 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-06-30 19:12 . 2009-09-04 17:07 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-24 98304]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk.disabled [2009-8-21 779]
officejet 6100.lnk.disabled [2009-8-21 779]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 21:04 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^The Niemi Family^Start Menu^Programs^Startup^IBFX - GPS.lnk]
backup=c:\windows\pss\IBFX - GPS.lnkStartup
[HKLM\~\startupfolder\c:^documents and settings^the niemi family^start menu^programs^startup^ikowin32.exe]
backup=c:\windows\pss\ikowin32.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Wireless Laser Mouse\\uninst00.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"55705:TCP"= 55705:TCP:Remote Desktop Web Connection
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [9/14/2008 7:26 AM 615280]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [9/14/2008 7:26 AM 615280]
S1 e4471fde;e4471fde;c:\windows\system32\drivers\e4471fde.sys --> c:\windows\system32\drivers\e4471fde.sys [?]
S2 0087561252050067mcinstcleanup;McAfee Application Installer Cleanup (0087561252050067);c:\windows\TEMP\008756~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\008756~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2/22/2008 6:02 PM 2385896]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder
2009-08-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8250891827.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-12 02:26]
2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-12 02:26]
2009-09-04 c:\windows\Tasks\User_Feed_Synchronization-{2EAD1599-E094-4C82-A2D2-15857C7707F4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 00:36]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = local
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\The Niemi Family\Application Data\Mozilla\Firefox\Profiles\gues19xl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - component: c:\program files\SiteAdvisor\6253\FF\components\FFHook.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 21:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(456)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
- - - - - - - > 'explorer.exe'(920)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-05 21:43
ComboFix-quarantined-files.txt 2009-09-05 02:43
ComboFix2.txt 2009-09-04 21:49
Pre-Run: 45,430,067,200 bytes free
Post-Run: 45,425,754,112 bytes free
184 --- E O F --- 2009-08-23 08:00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here is the new HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:12 PM, on 9/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hpoddt01.exe.lnk.disabled
O4 - Global Startup: officejet 6100.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: McAfee Application Installer Cleanup (0087561252050067) (0087561252050067mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\008756~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 7762 bytes
shelf life
2009-09-05, 22:15
hi,
Thanks for the info. You can remove ComboFix like this:
start>run and type in combofix /u
Click OK or press Enter.
Note the space after the x and before the /.
Always check Malwarebytes for updates before doing a scan.
You can make a new restore point. The how and the why:
One of the features of Windows ME, XP and Vista is the System Restore option; however, if malware infects a computer, it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old, possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.
Last, some info for you:
10 Tips for Reducing/Preventing Your Risk To Malware:
1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here. (http://secunia.com/vulnerability_scanning/online/)
2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you're prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html) that you may have malware on your computer.
3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits. If you frequently have malware then you should review your computer habits.
4) Refrain from clicking on links or attachments you receive via E-Mail, IM, IRC, Chat Rooms or Social Networking Sites, no matter how tempting or legitimate the message may seem.
5) Don't click on ads/pop-ups or offers from websites requesting that you need to install software, media players or codecs on your computer--for any reason.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?
7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*
8) Install and understand the limitations of a software firewall.
9) Consider using an alternate browser and e-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. All browsers can have vulnerabilities, but statistically it is the most commonly used browser that will tend to be targeted the most. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)
10) Warez, cracks, keygens etc. are very popular for carrying malware payloads. Avoid. If you install files via p2p (http://www.virusvault.us/p2p.html) networks, then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another malware source?
Happy Safe Surfing
The longer version in link below.
JArbuckle
2009-09-06, 04:07
Thank you for helping.....
This thread can be closed....
John
:thanks: