malware infected pc



yukukuhi
2009-11-20, 14:23
Hi there, I think my PC is infected with malware. Please help. Please reply.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:47 PM, on 11/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\nyviv.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVerTV\QuickTV.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.speedbit.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SBCONVERT - {A1056498-D09A-41E4-864B-505EDD640D9E} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\system32\wuaucIt.exe
O4 - HKLM\..\Run: [lare] C:\WINDOWS\system32\nyviv.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [riwa] C:\WINDOWS\system32\gourotyz.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\RunServices: [lare] C:\WINDOWS\system32\nyviv.exe
O4 - HKLM\..\RunServices: [riwa] C:\WINDOWS\system32\gourotyz.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKUS\S-1-5-18\..\Run: [lare] C:\Documents and Settings\LocalService\Application Data\Microsoft\nyviv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [lare] C:\Documents and Settings\LocalService\Application Data\Microsoft\nyviv.exe (User 'Default user')
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

--
End of file - 6834 bytes
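
A way to triage the O4 autostart entries in a HijackThis log such as the one above, as an added example that is not part of the original thread or of HijackThis. It reads the O4 lines quoted from the log and flags the things a helper looks for: autostarts under RunServices or Policies\Explorer\Run, unknown executables sitting directly in system32, an executable dropped under a service account's Application Data, and a file name that imitates a Windows binary through a lookalike character (the log's "wuaucIt.exe", with a capital I, against the real Windows Update client "wuauclt.exe"; Malwarebytes flags that file as Trojan.Agent later in the thread). The known-good list and the lookalike map are assumptions of this example, kept deliberately small.

```python
"""Triage of HijackThis O4 (autostart) entries.

Added example for this thread, not HijackThis code. The sample lines are
quoted from the HijackThis log posted above; the allow-list and lookalike
map are assumptions kept deliberately small.
"""
import re

# O4 lines quoted from the HijackThis log above.
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\system32\wuaucIt.exe
O4 - HKLM\..\Run: [lare] C:\WINDOWS\system32\nyviv.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [riwa] C:\WINDOWS\system32\gourotyz.exe
O4 - HKLM\..\RunServices: [lare] C:\WINDOWS\system32\nyviv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKUS\S-1-5-18\..\Run: [lare] C:\Documents and Settings\LocalService\Application Data\Microsoft\nyviv.exe (User 'SYSTEM')
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
""".strip().splitlines()

# Assumption: a minimal allow-list of Windows XP binaries that a Run key may
# legitimately start straight from system32. Real triage uses a fuller list
# or file hashes.
KNOWN_SYSTEM32 = {"ctfmon.exe", "wuauclt.exe", "rundll32.exe", "userinit.exe"}

# Glyphs an attacker swaps in to imitate a trusted file name.
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})

# Autostart locations that legitimate XP software rarely uses.
SUSPICIOUS_KEYS = ("RunServices", r"Policies\Explorer\Run")

PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.exe)', re.I)


def lookalike_of(filename):
    """Return the known-good name that filename imitates, or None.

    Lowercasing is not enough: 'wuaucIt.exe' lowercases to 'wuaucit.exe',
    which still differs from 'wuauclt.exe'. Folding lookalike glyphs first
    makes the two collide; the final test excludes the genuine name itself.
    """
    folded = filename.translate(LOOKALIKES).lower()
    for good in KNOWN_SYSTEM32:
        if folded == good and filename.lower() != good:
            return good
    return None


def triage_o4(lines):
    """Return [(path, [reasons])] for the O4 entries that deserve a closer look."""
    findings = []
    for line in lines:
        if not line.startswith("O4 - "):
            continue
        # 'HKLM\..\RunServices' etc.; the first ': ' separates key from value
        key, _, value = line[len("O4 - "):].partition(": ")
        match = PATH_RE.search(value)
        if not match:
            continue
        path = match.group(1)
        folder, _, filename = path.rpartition("\\")
        reasons = []
        if key.endswith(SUSPICIOUS_KEYS):
            reasons.append(f"autostart via {key}")
        if folder.lower().endswith("\\system32") and filename.lower() not in KNOWN_SYSTEM32:
            imitated = lookalike_of(filename)
            reasons.append(f"name imitates {imitated}" if imitated
                           else "unknown binary in system32")
        if "\\application data\\" in folder.lower():
            reasons.append("executable under a profile's Application Data")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage_o4(HJT_O4_LINES):
        print(f"{path}\n    {'; '.join(reasons)}")
```

Treat the output as a review list, not a removal list: the allow-list is far from complete, so an unfamiliar name in system32 is a prompt to check the file's signature, hash and timestamps, which is what the helper goes on to do with Malwarebytes and ComboFix.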

shelf life
2009-11-24, 14:09
hi yukukuhi,


"I think my pc is infected with malwares"

I think you're right. Your log is a few days old; if you still need help, reply to my post.

yukukuhi
2009-11-24, 16:08
Hi there shelf life,
OK, cool. So should I post a new log now, then? Please reply.

shelf life
2009-11-24, 22:32
OK. We will start with Malwarebytes. Directions and link:

Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

yukukuhi
2009-11-26, 06:58
Malwarebytes' Anti-Malware 1.41
Database version: 3235
Windows 5.1.2600 Service Pack 2

11/26/2009 11:20:27 AM
mbam-log-2009-11-26 (11-20-05).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 179386
Time elapsed: 43 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.
C:\Documents and Settings\ram\Local Settings\Temporary Internet Files\Content.IE5\GMQOGA4K\ldr[1] (Malware.Packer) -> No action taken.
D:\System Volume Information\_restore{A6FEFDD3-C5AB-473A-A6C3-B5BEDF526D1E}\RP24\A0009824.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\Drivers\ndisvvan.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> No action taken.
C:\WINDOWS\inf\phil1vid.inf (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wuaucIt.exe (Trojan.Agent) -> No action taken.

shelf life
2009-11-26, 15:07
After you ran Malwarebytes, did you restart your computer?
We will get one more download to use. It's called ComboFix. There is a guide to read first. Read the guide, download ComboFix to your desktop, disable your antivirus and anti-malware, double-click the ComboFix icon and follow the prompts. Post the ComboFix log in your reply.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

yukukuhi
2009-11-28, 10:45
ComboFix 09-11-27.04 - ram 11/28/2009 14:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.654 [GMT 5.5:30]
Running from: c:\documents and settings\ram\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ram\Application Data\inst.exe
c:\documents and settings\ram\secupdat.dat
c:\program files\SpeedBit Video Downloader\Toolbar\tbhelper.dll
c:\windows\system32\msvcrt2.dll
c:\windows\system32\qxzv85.exe@
c:\windows\system32\secupdat.dat

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-26 04:29 . 2009-11-26 04:29 -------- d-----w- c:\documents and settings\ram\Application Data\Malwarebytes
2009-11-26 04:29 . 2009-09-10 09:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 04:29 . 2009-11-26 04:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 04:29 . 2009-11-26 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 04:29 . 2009-09-10 09:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-22 03:21 . 2009-11-18 12:56 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-22 03:21 . 2009-11-18 12:56 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-22 03:20 . 2009-11-18 12:56 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-22 03:20 . 2009-11-18 12:56 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-21 07:49 . 2009-11-21 07:49 -------- d-----w- c:\program files\Veoh Networks
2009-11-20 13:58 . 2009-11-20 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-11-20 13:15 . 2009-11-20 13:15 -------- d-----w- c:\program files\Trend Micro
2009-11-18 12:56 . 2009-11-18 13:31 -------- d-----w- C:\$AVG
2009-11-18 12:56 . 2009-11-18 12:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-18 12:56 . 2009-11-18 12:56 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-18 12:56 . 2009-11-18 12:56 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-18 12:56 . 2009-11-28 05:24 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-18 12:55 . 2009-11-18 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-18 12:55 . 2009-11-18 14:30 -------- d-----w- c:\windows\SxsCaPendDel
2009-11-18 12:52 . 2009-11-18 12:52 40128 ----a-w- c:\windows\system32\drivers\eugjbkhf.sys
2009-11-18 05:46 . 2009-11-18 05:46 79616 ----a-w- c:\windows\system32\drivers\zthcxtmv.sys
2009-11-15 14:26 . 2009-11-15 14:27 -------- d-----w- c:\program files\Exact Audio Copy
2009-11-15 14:14 . 2009-11-15 14:42 -------- d-----w- c:\program files\SlySoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 09:48 . 2009-09-29 04:39 -------- d-----w- c:\documents and settings\ram\Application Data\vlc
2009-11-23 07:08 . 2009-06-27 11:11 72024 -c--a-w- c:\documents and settings\ram\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-23 07:08 . 2009-06-23 06:25 -------- d-----w- c:\documents and settings\ram\Application Data\VideoReDo-TVSuite
2009-11-23 07:06 . 2009-06-23 06:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-22 15:25 . 2009-10-10 05:43 -------- d-----w- c:\documents and settings\ram\Application Data\Skype
2009-11-22 11:27 . 2009-10-10 05:57 -------- d-----w- c:\documents and settings\ram\Application Data\skypePM
2009-11-20 14:07 . 2009-06-27 10:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-18 12:56 . 2009-06-27 11:05 -------- d-----w- c:\program files\AVG
2009-10-28 02:32 . 2009-08-04 13:58 -------- d-----w- c:\documents and settings\ram\Application Data\U3
2009-10-27 06:38 . 2009-09-06 14:11 -------- d-----w- c:\program files\DVDFab 5
2009-10-27 06:38 . 2009-09-06 14:11 -------- d-----w- c:\documents and settings\ram\Application Data\Vso
2009-10-27 06:38 . 2009-09-06 14:11 47360 ----a-w- c:\documents and settings\ram\Application Data\pcouffin.sys
2009-10-27 06:38 . 2009-09-06 14:11 47360 ----a-w- c:\documents and settings\ram\Application Data\pcouffin.sys
2009-10-27 06:38 . 2009-10-23 09:47 -------- d-----w- c:\program files\CDisplay
2009-10-26 03:04 . 2009-06-23 03:06 -------- d-----w- c:\program files\AVerTV
2009-10-25 16:31 . 2009-10-25 16:26 -------- d-----w- c:\program files\Alcohol Soft
2009-10-25 16:22 . 2009-10-25 16:22 639224 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-13 04:35 . 2009-10-13 04:35 -------- d-----w- c:\documents and settings\ram\Application Data\Apple Computer
2009-10-10 05:57 . 2009-10-10 05:57 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-08 14:51 . 2009-10-08 14:51 -------- d-----w- c:\program files\Common Files\Skype
2009-10-08 14:51 . 2009-10-08 14:51 -------- d-----r- c:\program files\Skype
2009-10-08 14:51 . 2009-10-08 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-08 12:32 . 2009-10-08 12:29 703488 ----a-w- c:\windows\system32\cftu.exe
2009-10-04 11:51 . 2009-10-04 11:51 -------- d-----w- c:\documents and settings\ram\Application Data\dvdcss
2009-10-04 10:52 . 2009-10-04 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-10-04 08:16 . 2009-10-04 08:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7D4B3D1D-104E-4507-9123-568BC721B7E2}
2009-10-04 08:16 . 2009-10-04 08:16 -------- d-----w- c:\program files\Transparent
2009-10-04 08:16 . 2009-10-04 08:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Transparent
2009-10-04 07:48 . 2009-10-04 07:47 -------- d-----w- c:\program files\QuickTime
2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\program files\Common Files\Apple
2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\program files\Apple Software Update
2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-12 07:18 . 2009-09-12 07:17 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-09-08 13:27 . 2009-09-08 13:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-06 14:11 . 2009-09-06 14:11 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-06-23 06:29 . 2009-06-23 06:29 58652 ----a-w- c:\program files\AMVapp-uninst.exe
2009-06-23 06:28 . 2009-06-23 06:28 67895 ----a-w- c:\program files\Premiere AVS Plugin uninst.exe
2004-05-08 06:41 . 2004-05-08 06:41 53361 ----a-w- c:\program files\Premiere AVS GUI.exe
2004-05-06 21:57 . 2004-05-06 21:57 57344 -c--a-w- c:\program files\IM-Avisynth.prm
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickTV.lnk - c:\program files\AVerTV\QuickTV.exe [2005-10-30 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-18 12:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\eugjbkhf.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^ram^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\ram\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ram^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\ram\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 eugjbkhf;eugjbkhf;c:\windows\system32\drivers\eugjbkhf.sys [11/18/2009 6:22 PM 40128]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/30/2009 10:35 AM 28552]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/25/2009 9:52 PM 639224]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/18/2009 6:26 PM 333192]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/18/2009 6:26 PM 285392]
R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [6/23/2009 8:35 AM 57152]
S2 f3u3aoalmts7oi;Zip Backup to CD;c:\windows\system32\rahoud.exe --> c:\windows\system32\rahoud.exe [?]
S2 kdhkkjaegfolum;kdhkkjaegfolum;c:\windows\system32\drivers\zthcxtmv.sys [11/18/2009 11:16 AM 79616]
S2 lqaypseitoiznxuu;Websense CPM Report Scheduler;c:\windows\system32\kutyd.exe --> c:\windows\system32\kutyd.exe [?]
S3 caehwtzy;caehwtzy;\??\c:\windows\System32\Drivers\caehwtzy.sys --> c:\windows\System32\Drivers\caehwtzy.sys [?]
S3 lmfcnrnh;lmfcnrnh;\??\c:\windows\System32\Drivers\lmfcnrnh.sys --> c:\windows\System32\Drivers\lmfcnrnh.sys [?]
S3 mfcvermf;mfcvermf;\??\c:\windows\System32\Drivers\mfcvermf.sys --> c:\windows\System32\Drivers\mfcvermf.sys [?]
S3 vnrildvq;vnrildvq;\??\c:\windows\System32\Drivers\vnrildvq.sys --> c:\windows\System32\Drivers\vnrildvq.sys [?]
S3 xbziilsx;xbziilsx;\??\c:\windows\System32\Drivers\xbziilsx.sys --> c:\windows\System32\Drivers\xbziilsx.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\User_Feed_Synchronization-{45408DC9-5BB3-465E-8843-F87C6FC3D999}.job
- c:\windows\system32\msfeedssync.exe [2009-01-14 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = search.speedbit.com
IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\googletoolbar.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\ram\Application Data\Mozilla\Firefox\Profiles\wpwmbnk9.default\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

AddRemove-Byki Express - c:\documents and settings\All Users\Application Data\{7D4B3D1D-104E-4507-9123-568BC721B7E2}\BYKI4Installer.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 14:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865D11D8]<<
kernel: error reading MBR

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{59985D0F-EEB6-70CB-E15F-4BE44F1B96F3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1292428093-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729DC006-8213-1BFB-6F7E-776798F5AC4C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"haibkidaenonpphf"=hex:6f,61,68,61,66,61,64,66,6e,6c,63,65,68,6e,66,67,67,6e,
63,61,61,65,70,63,6f,6f,6b,69,6b,6a,00,77
"jajbfibakphkgmjenaed"=hex:64,62,6a,62,6d,6b,6a,70,61,62,6d,61,6d,67,6a,64,67,
6b,64,6d,69,6e,69,65,62,66,64,6a,62,61,6a,65,6b,63,6e,6a,66,6d,6c,61,00,e3

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3532)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\crypserv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-28 14:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-28 08:45

Pre-Run: 10,489,323,520 bytes free
Post-Run: 10,468,663,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2CA0F1BD189B447DFA7E6A08B85B52F2

shelf life
2009-11-28, 15:13
You have some nasty processes running. Looks like rootkit activity. You should use the machine as little as possible and no financial or personal transactions. Power it off, or at least ensure there is no connectivity when not in use. I would consider reformatting and reinstalling Windows. Rootkits can be difficult to remove. Up to you how you want to continue. Some general info about rootkits:

http://technet.microsoft.com/en-us/library/cc512642.aspx

This link doesn't even mention the word rootkit, but it still applies:
http://technet.microsoft.com/en-us/library/cc512587.aspx

yukukuhi
2009-11-29, 12:09
Well then, OK. I am ready to continue. Please help.

shelf life
2009-11-29, 14:56
We will continue with ComboFix. Before using it, disable your antivirus and any anti-malware that might be running.

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:



Driver::
eugjbkhf
f3u3aoalmts7oi
kdhkkjaegfolum
lqaypseitoiznxuu
caehwtzy
lmfcnrnh
mfcvermf
vnrildvq
xbziilsx

File::
c:\windows\system32\drivers\eugjbkhf.sys
c:\windows\system32\rahoud.exe
c:\windows\system32\drivers\zthcxtmv.sys
c:\windows\system32\kutyd.exe
c:\windows\System32\Drivers\caehwtzy.sys
c:\windows\System32\Drivers\lmfcnrnh.sys
c:\windows\System32\Drivers\mfcvermf.sys
c:\windows\System32\Drivers\vnrildvq.sys
c:\windows\System32\Drivers\xbziilsx.sys
c:\windows\system32\cftu.exe
c:\windows\system32\ezsidmv.dat



Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log.

After ComboFix is finished, make sure your AV and any anti-malware are running.
Check Malwarebytes for updates and do a scan with it also, and post the log:

Click the MBAM icon on your desktop. Once the program has loaded, click the Update tab, then check for updates. Select the Scanner tab, Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items. If prompted, please choose Yes to restart your computer.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
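
The CFScript above was assembled by hand from the R0/S2/S3 driver and service lines of the first ComboFix log. As an added example, not part of the thread and not ComboFix's own tooling, the Python below parses those lines, applies two heuristics (the image file is missing at scan time, which ComboFix shows with its "--> path [?]" form, or the service has an 8+ letter, all-lowercase name that is also its own display name), cross-checks the driver file named under SafeBoot\Minimal in the log's Reg Loading Points section, and emits Driver:: and File:: sections in the same layout the helper used. The heuristics and their thresholds are this example's assumptions; the two extra File:: entries in the helper's script (cftu.exe and ezsidmv.dat) came from other parts of the log and are not produced here.

```python
"""From ComboFix service lines to a CFScript.

Added example for this thread, not ComboFix code. The sample lines are
quoted from the first ComboFix log above; the heuristics are assumptions.
"""
import re

# Driver/service lines quoted from the first ComboFix log above.
COMBOFIX_SERVICE_LINES = r"""
R0 eugjbkhf;eugjbkhf;c:\windows\system32\drivers\eugjbkhf.sys [11/18/2009 6:22 PM 40128]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/30/2009 10:35 AM 28552]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/25/2009 9:52 PM 639224]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/18/2009 6:26 PM 333192]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/18/2009 6:26 PM 285392]
R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [6/23/2009 8:35 AM 57152]
S2 f3u3aoalmts7oi;Zip Backup to CD;c:\windows\system32\rahoud.exe --> c:\windows\system32\rahoud.exe [?]
S2 kdhkkjaegfolum;kdhkkjaegfolum;c:\windows\system32\drivers\zthcxtmv.sys [11/18/2009 11:16 AM 79616]
S2 lqaypseitoiznxuu;Websense CPM Report Scheduler;c:\windows\system32\kutyd.exe --> c:\windows\system32\kutyd.exe [?]
S3 caehwtzy;caehwtzy;\??\c:\windows\System32\Drivers\caehwtzy.sys --> c:\windows\System32\Drivers\caehwtzy.sys [?]
S3 lmfcnrnh;lmfcnrnh;\??\c:\windows\System32\Drivers\lmfcnrnh.sys --> c:\windows\System32\Drivers\lmfcnrnh.sys [?]
S3 mfcvermf;mfcvermf;\??\c:\windows\System32\Drivers\mfcvermf.sys --> c:\windows\System32\Drivers\mfcvermf.sys [?]
S3 vnrildvq;vnrildvq;\??\c:\windows\System32\Drivers\vnrildvq.sys --> c:\windows\System32\Drivers\vnrildvq.sys [?]
S3 xbziilsx;xbziilsx;\??\c:\windows\System32\Drivers\xbziilsx.sys --> c:\windows\System32\Drivers\xbziilsx.sys [?]
""".strip().splitlines()

# Driver file named under SafeBoot\Minimal in the log's Reg Loading Points.
SAFEBOOT_DRIVERS = frozenset({"eugjbkhf.sys"})

# <state> <name>;<display>;<image>[ --> <resolved>] [<timestamp size> or ?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)"
    r"(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)


def looks_random(name, display):
    """Assumed heuristic: an all-lowercase, letters-only name of 8+ characters
    that doubles as its own display name. Vendor drivers usually carry a
    descriptive display name or mixed case/digits in the service name."""
    return name == display and len(name) >= 8 and name.isalpha() and name.islower()


def triage_services(lines, safeboot_drivers=frozenset()):
    """Return one dict per suspicious service: state, name, path and reasons."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        # ComboFix prints 'image --> resolved [?]' when the file is gone;
        # prefer the resolved form and drop any NT object-manager prefix.
        path = m.group("resolved") or m.group("image")
        if path.startswith("\\??\\"):
            path = path[4:]
        reasons = []
        if m.group("info") == "?":
            reasons.append("image file missing at scan time")
        if looks_random(m.group("name"), m.group("display")):
            reasons.append("random-looking service name")
        if path.rpartition("\\")[2].lower() in safeboot_drivers:
            reasons.append("registered under SafeBoot\\Minimal")
        if reasons:
            findings.append({"state": m.group("state"), "name": m.group("name"),
                             "path": path, "reasons": reasons})
    return findings


def build_cfscript(findings):
    """Emit Driver:: and File:: sections in the layout the helper used above."""
    drivers = "\n".join(f["name"] for f in findings)
    files = "\n".join(f["path"] for f in findings)
    return f"Driver::\n{drivers}\n\nFile::\n{files}\n"


if __name__ == "__main__":
    found = triage_services(COMBOFIX_SERVICE_LINES, SAFEBOOT_DRIVERS)
    for f in found:
        print(f"{f['state']} {f['name']}: {'; '.join(f['reasons'])}")
    print()
    print(build_cfscript(found))
```

The SafeBoot check matters because a driver registered under SafeBoot\Minimal is loaded even in Safe Mode, so a Safe Mode cleanup alone would not have stopped eugjbkhf.sys. Any generated script still needs a line-by-line review before it is handed to ComboFix: a false positive here deletes a file.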

yukukuhi
2009-11-30, 16:09
ComboFix 09-11-29.06 - ram 11/30/2009 18:51.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.565 [GMT 5.5:30]
Running from: c:\documents and settings\ram\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ram\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\cftu.exe"
"c:\windows\System32\Drivers\caehwtzy.sys"
"c:\windows\system32\drivers\eugjbkhf.sys"
"c:\windows\System32\Drivers\lmfcnrnh.sys"
"c:\windows\System32\Drivers\mfcvermf.sys"
"c:\windows\System32\Drivers\vnrildvq.sys"
"c:\windows\System32\Drivers\xbziilsx.sys"
"c:\windows\system32\drivers\zthcxtmv.sys"
"c:\windows\system32\ezsidmv.dat"
"c:\windows\system32\kutyd.exe"
"c:\windows\system32\rahoud.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cftu.exe
c:\windows\system32\drivers\eugjbkhf.sys
c:\windows\system32\drivers\zthcxtmv.sys
c:\windows\system32\ezsidmv.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EUGJBKHF
-------\Legacy_F3U3AOALMTS7OI
-------\Legacy_LQAYPSEITOIZNXUU
-------\Service_caehwtzy
-------\Service_eugjbkhf
-------\Service_f3u3aoalmts7oi
-------\Service_kdhkkjaegfolum
-------\Service_lmfcnrnh
-------\Service_lqaypseitoiznxuu
-------\Service_mfcvermf
-------\Service_vnrildvq
-------\Service_xbziilsx


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-26 04:29 . 2009-11-26 04:29 -------- d-----w- c:\documents and settings\ram\Application Data\Malwarebytes
2009-11-26 04:29 . 2009-09-10 09:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 04:29 . 2009-11-26 04:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 04:29 . 2009-11-26 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 04:29 . 2009-09-10 09:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-22 03:21 . 2009-11-18 12:56 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-22 03:21 . 2009-11-18 12:56 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-22 03:20 . 2009-11-18 12:56 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-22 03:20 . 2009-11-18 12:56 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-21 07:49 . 2009-11-21 07:49 -------- d-----w- c:\program files\Veoh Networks
2009-11-20 13:58 . 2009-11-20 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-11-20 13:15 . 2009-11-20 13:15 -------- d-----w- c:\program files\Trend Micro
2009-11-18 12:56 . 2009-11-18 13:31 -------- d-----w- C:\$AVG
2009-11-18 12:56 . 2009-11-18 12:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-18 12:56 . 2009-11-18 12:56 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-18 12:56 . 2009-11-18 12:56 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-18 12:56 . 2009-11-30 12:38 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-18 12:55 . 2009-11-18 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-18 12:55 . 2009-11-18 14:30 -------- d-----w- c:\windows\SxsCaPendDel
2009-11-15 14:26 . 2009-11-15 14:27 -------- d-----w- c:\program files\Exact Audio Copy
2009-11-15 14:14 . 2009-11-15 14:42 -------- d-----w- c:\program files\SlySoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 15:05 . 2009-10-10 05:43 -------- d-----w- c:\documents and settings\ram\Application Data\Skype
2009-11-29 13:27 . 2009-10-10 05:57 -------- d-----w- c:\documents and settings\ram\Application Data\skypePM
2009-11-28 08:49 . 2009-09-29 04:39 -------- d-----w- c:\documents and settings\ram\Application Data\vlc
2009-11-23 07:08 . 2009-06-27 11:11 72024 -c--a-w- c:\documents and settings\ram\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-23 07:08 . 2009-06-23 06:25 -------- d-----w- c:\documents and settings\ram\Application Data\VideoReDo-TVSuite
2009-11-23 07:06 . 2009-06-23 06:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-20 14:07 . 2009-06-27 10:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-18 12:56 . 2009-06-27 11:05 -------- d-----w- c:\program files\AVG
2009-10-28 02:32 . 2009-08-04 13:58 -------- d-----w- c:\documents and settings\ram\Application Data\U3
2009-10-27 06:38 . 2009-09-06 14:11 -------- d-----w- c:\program files\DVDFab 5
2009-10-27 06:38 . 2009-09-06 14:11 -------- d-----w- c:\documents and settings\ram\Application Data\Vso
2009-10-27 06:38 . 2009-09-06 14:11 47360 ----a-w- c:\documents and settings\ram\Application Data\pcouffin.sys
2009-10-27 06:38 . 2009-09-06 14:11 47360 ----a-w- c:\documents and settings\ram\Application Data\pcouffin.sys
2009-10-27 06:38 . 2009-10-23 09:47 -------- d-----w- c:\program files\CDisplay
2009-10-26 03:04 . 2009-06-23 03:06 -------- d-----w- c:\program files\AVerTV
2009-10-25 16:31 . 2009-10-25 16:26 -------- d-----w- c:\program files\Alcohol Soft
2009-10-25 16:22 . 2009-10-25 16:22 639224 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-13 04:35 . 2009-10-13 04:35 -------- d-----w- c:\documents and settings\ram\Application Data\Apple Computer
2009-10-08 14:51 . 2009-10-08 14:51 -------- d-----w- c:\program files\Common Files\Skype
2009-10-08 14:51 . 2009-10-08 14:51 -------- d-----r- c:\program files\Skype
2009-10-08 14:51 . 2009-10-08 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-04 11:51 . 2009-10-04 11:51 -------- d-----w- c:\documents and settings\ram\Application Data\dvdcss
2009-10-04 10:52 . 2009-10-04 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-10-04 08:16 . 2009-10-04 08:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7D4B3D1D-104E-4507-9123-568BC721B7E2}
2009-10-04 08:16 . 2009-10-04 08:16 -------- d-----w- c:\program files\Transparent
2009-10-04 08:16 . 2009-10-04 08:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Transparent
2009-10-04 07:48 . 2009-10-04 07:47 -------- d-----w- c:\program files\QuickTime
2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\program files\Common Files\Apple
2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\program files\Apple Software Update
2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-12 07:18 . 2009-09-12 07:17 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-09-08 13:27 . 2009-09-08 13:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-06 14:11 . 2009-09-06 14:11 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-06-23 06:29 . 2009-06-23 06:29 58652 ----a-w- c:\program files\AMVapp-uninst.exe
2009-06-23 06:28 . 2009-06-23 06:28 67895 ----a-w- c:\program files\Premiere AVS Plugin uninst.exe
2004-05-08 06:41 . 2004-05-08 06:41 53361 ----a-w- c:\program files\Premiere AVS GUI.exe
2004-05-06 21:57 . 2004-05-06 21:57 57344 -c--a-w- c:\program files\IM-Avisynth.prm
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickTV.lnk - c:\program files\AVerTV\QuickTV.exe [2005-10-30 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-18 12:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^ram^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\ram\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ram^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\ram\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/30/2009 10:35 AM 28552]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/25/2009 9:52 PM 639224]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/18/2009 6:26 PM 333192]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/18/2009 6:26 PM 285392]
R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [6/23/2009 8:35 AM 57152]
.
Contents of the 'Scheduled Tasks' folder

2009-11-30 c:\windows\Tasks\User_Feed_Synchronization-{45408DC9-5BB3-465E-8843-F87C6FC3D999}.job
- c:\windows\system32\msfeedssync.exe [2009-01-14 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = search.speedbit.com
IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\googletoolbar.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\ram\Application Data\Mozilla\Firefox\Profiles\wpwmbnk9.default\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

SafeBoot-eugjbkhf.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 18:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865D01D8]<<
kernel: error reading MBR

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{59985D0F-EEB6-70CB-E15F-4BE44F1B96F3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1292428093-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729DC006-8213-1BFB-6F7E-776798F5AC4C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"haibkidaenonpphf"=hex:6f,61,68,61,66,61,64,66,6e,6c,63,65,68,6e,66,67,67,6e,
63,61,61,65,70,63,6f,6f,6b,69,6b,6a,00,77
"jajbfibakphkgmjenaed"=hex:64,62,6a,62,6d,6b,6a,70,61,62,6d,61,6d,67,6a,64,67,
6b,64,6d,69,6e,69,65,62,66,64,6a,62,61,6a,65,6b,63,6e,6a,66,6d,6c,61,00,e3

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3352)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\crypserv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-30 18:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-30 13:29
ComboFix2.txt 2009-11-28 08:45

Pre-Run: 10,425,323,520 bytes free
Post-Run: 10,318,565,376 bytes free

- - End Of File - - 8A2F98C6E78223A2B91C479A7ECBBFAE

yukukuhi
2009-11-30, 16:11
Malwarebytes' Anti-Malware 1.41
Database version: 3260
Windows 5.1.2600 Service Pack 2

11/30/2009 8:34:28 PM
mbam-log-2009-11-30 (20-34-28).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 179768
Time elapsed: 29 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

shelf life
2009-11-30, 23:27
Hi,

OK, good. One more download to get as another check. Link and directions:

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

yukukuhi
2009-12-01, 09:35
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/01 13:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 00000116
Image Path: \Driver\00000116
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA3C5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B3A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9723000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: D:\SLOKAM\M.S.Subbulakshmi\videodownload:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xf73e50b0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf73ea84c

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf73eabec

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf73e5090

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf73eacc4

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf73eab44

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sptd.sys" at address 0xf73ead56

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8655e1d8 Size: 151

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x85c3a1d8 Size: 131

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8655f1d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8655f1d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8655f1d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8655f1d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8655f1d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8655f1d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8655f1d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x863721d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x863721d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x863721d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x863721d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863721d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863721d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863721d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863721d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x863721d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863721d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x863721d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x865d31d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x865d31d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x865d31d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x865d31d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x865d31d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x865d31d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x865d31d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x865d31d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x865d31d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x865d31d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x865d31d8 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x86441980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x86441980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86441980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86441980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x86441980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86441980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x86441980 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x865601d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x865601d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x865601d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x865601d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x865601d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x865601d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x865601d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x865601d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x865601d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x865601d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x865601d8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x85c88308 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x85c88308 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85c88308 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85c88308 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x85c88308 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x85c88308 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x863ca308 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x863ca308 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863ca308 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863ca308 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x863ca308 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863ca308 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x863ca308 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x85c831d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_CREATE]
Process: System Address: 0x85c6f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_CLOSE]
Process: System Address: 0x85c6f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_READ]
Process: System Address: 0x85c6f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85c6f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85c6f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85c6f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85c6f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85c6f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85c6f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85c6f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85c6f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_CLEANUP]
Process: System Address: 0x85c6f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_PNP]
Process: System Address: 0x85c6f1d8 Size: 463

==EOF==

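As an added example that is not part of the thread (and not code from the RootRepeal, ComboFix or Gmer authors), here is a small Python triage script for the two report formats posted above: it pulls the SSDT hooks, the "Hidden Code" IRP dispatch hooks and the drivers with no file on disk out of a RootRepeal report, and the disk call chain, MBR read results and Windows Firewall state out of the ComboFix log's MBR-detector and Reg Loading Points sections. The sample inputs are trimmed excerpts of the logs in this thread. The KNOWN_BENIGN_SSDT_HOOKERS table and the EXPECTED_INVISIBLE_PREFIXES tuple are assumptions for illustration, not data from the reports: sptd.sys is the SCSI Pass Through Direct layer installed with Alcohol 120% / DAEMON Tools (the ComboFix file list above shows "Alcohol Soft" and sptd.sys created within minutes of each other), and dump_*.sys are in-memory crash-dump copies of the boot disk driver that have no file on disk.

```python
"""Triage helpers for RootRepeal reports and the ComboFix MBR-detector block.

Added example for this thread; not code from the thread, from RootRepeal,
ComboFix or Gmer. The sample inputs are trimmed excerpts of the logs posted
above. KNOWN_BENIGN_SSDT_HOOKERS and EXPECTED_INVISIBLE_PREFIXES are
assumptions for illustration, not data from the reports.
"""
import re
from collections import defaultdict

# Assumption: modules whose SSDT hooks are expected when the matching product
# is installed. sptd.sys is the SCSI Pass Through Direct layer shipped with
# Alcohol 120% / DAEMON Tools and hooks the registry Nt*Key services.
KNOWN_BENIGN_SSDT_HOOKERS = {"sptd.sys": "Alcohol 120% / DAEMON Tools SPTD layer"}
# Assumption: drivers that legitimately have no file on disk (dump_* are the
# in-memory crash-dump copies of the boot path; rootrepeal.sys is the scanner).
EXPECTED_INVISIBLE_PREFIXES = ("dump_", "rootrepeal.sys")

SSDT_RE = re.compile(
    r'#:\s*(\d+)\s+Function Name:\s*(\w+)\s*\n\s*Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
STEALTH_RE = re.compile(
    r"Object: Hidden Code \[Driver: ([^,\]]+), (IRP_MJ_\w+)\]\s*\n\s*Process: (\S+)\s+Address: (0x[0-9a-fA-F]+)\s+Size: (\d+)")
DRIVER_RE = re.compile(
    r"Name: (\S+)\s*\n\s*Image Path: (\S+)\s*\n\s*Address: (0x[0-9a-fA-F]+)\s+Size: (\d+)\s+File Visible: (\w+)")


def triage_rootrepeal(report: str) -> dict:
    """Pull the reviewable items out of a RootRepeal text report."""
    ssdt = defaultdict(list)  # hooking module -> (service number, name, hook address)
    for num, fn, module, addr in SSDT_RE.findall(report):
        ssdt[module].append((int(num), fn, addr))
    verdicts = {m: KNOWN_BENIGN_SSDT_HOOKERS.get(m, "UNKNOWN hooker, investigate")
                for m in ssdt}

    # One key per (driver, handler address, size): RootRepeal prints a line per
    # IRP_MJ_* entry, so the same address repeated across a driver's whole
    # dispatch table collapses to one finding here.
    stealth = defaultdict(list)
    for driver, irp, _proc, addr, size in STEALTH_RE.findall(report):
        clean = driver.encode("ascii", "ignore").decode()  # drop trailing garbage bytes
        stealth[(clean, addr, int(size))].append(irp)

    invisible = {"expected": [], "unexpected": []}
    for name, path, addr, size, visible in DRIVER_RE.findall(report):
        if visible.lower() != "no":
            continue
        bucket = "expected" if name.lower().startswith(EXPECTED_INVISIBLE_PREFIXES) else "unexpected"
        invisible[bucket].append((name, path, addr, int(size)))

    return {"ssdt": dict(ssdt), "ssdt_verdicts": verdicts,
            "stealth": dict(stealth), "invisible_drivers": invisible}


def triage_combofix_mbr(log: str) -> dict:
    """Findings from ComboFix's 'Stealth MBR rootkit/Mebroot/Sinowal detector'
    block, plus the Windows Firewall state from the Reg Loading Points section."""
    m = re.search(r"called modules:\s*(.+)", log)
    chain = re.findall(r"\S+\.(?:exe|sys|dll)", m.group(1), re.I) if m else []
    return {
        "call_chain": chain,
        "unknown_modules": re.findall(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<", log),
        "user_mbr_read_ok": "user: MBR read successfully" in log,
        "kernel_mbr_read_failed": "kernel: error reading MBR" in log,
        "firewall_disabled": bool(re.search(r'"EnableFirewall"=\s*0\b', log)),
    }


# Constructed sample: trimmed excerpt of the RootRepeal report posted above.
ROOTREPEAL_SAMPLE = """Drivers
-------------------
Name: 00000116
Image Path: \\Driver\\00000116
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xAA3C5000 Size: 98304 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xf73e50b0

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf73e5090

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8655f1d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8655f1d8 Size: 463

Object: Hidden Code [Driver: Cdfs\u0605\u0c0a, IRP_MJ_CREATE]
Process: System Address: 0x85c6f1d8 Size: 463
"""

# Constructed sample: trimmed excerpt of the ComboFix log posted above.
COMBOFIX_SAMPLE = """[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865D01D8]<<
kernel: error reading MBR
"""

if __name__ == "__main__":
    rr = triage_rootrepeal(ROOTREPEAL_SAMPLE)
    for module, why in rr["ssdt_verdicts"].items():
        print(f"SSDT: {len(rr['ssdt'][module])} services hooked by {module}: {why}")
    for (drv, addr, size), irps in rr["stealth"].items():
        print(f"Stealth: {drv} -> {addr} ({size} bytes) on {len(irps)} IRP entries")
    print("Invisible drivers needing a look:", rr["invisible_drivers"]["unexpected"])
    cf = triage_combofix_mbr(COMBOFIX_SAMPLE)
    print("MBR detector:", cf)
```

Grouping the stealth objects by (driver, handler address, size) is the point of the script: RootRepeal prints one line per IRP major function, so the report above shows a single 463-byte handler address repeated across every dispatch entry of atapi, Cdrom, dmio, Ftdisk, usbuhci, usbehci, NetBT and MRxSmb, and the same for Ntfs (151 bytes) and Fastfat (131 bytes). One address shared by a driver's whole dispatch table is one patched table, not dozens of separate findings. For the ComboFix block, the two results that matter are read side by side: the user-mode MBR read succeeded while the kernel-mode read through the raw disk chain failed, and the call chain ends in a module the tool could not attribute to a loaded image. The script does not decide whether either is malicious; it narrows what a reviewer, or the next tool the helper asks for, needs to look at.
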
shelf life
2009-12-02, 00:42
Post another HJT log for me, and download and run DDS also. Link and directions for DDS:


Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection. Double click dds.scr to run the tool. When done, DDS.txt will open.
Save both reports to your desktop.
Copy/paste both logs in your reply.

yukukuhi
2009-12-02, 07:32
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:47 AM, on 12/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVerTV\QuickTV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.speedbit.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SBCONVERT - {A1056498-D09A-41E4-864B-505EDD640D9E} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

--
End of file - 5518 bytes

DDS (Ver_09-12-01.01) - NTFSx86
Run by ram at 11:56:28.90 on Wed 12/02/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.632 [GMT 5.5:30]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVerTV\QuickTV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\ram\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = search.speedbit.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SBCONVERT Class: {a1056498-d09a-41e4-864b-505edd640d9e} - c:\program files\speedbit video downloader\toolbar\SpeedBitVideoDownloader.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\speedb~1\toolbar\grabber.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar.dll
TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\toolbar\SpeedBitVideoDownloader.dll
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicktv.lnk - c:\program files\avertv\QuickTV.exe
IE: &Google Search - c:\program files\google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\googletoolbar.dll/cmtrans.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ram\applic~1\mozilla\firefox\profiles\wpwmbnk9.default\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-8-30 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-18 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-18 28424]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-18 285392]
R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2009-6-23 57152]

=============== Created Last 30 ================

2009-11-28 08:37:55 0 d-sha-r- C:\cmdcons
2009-11-28 08:34:19 98816 ----a-w- c:\windows\sed.exe
2009-11-28 08:34:19 77312 ----a-w- c:\windows\MBR.exe
2009-11-28 08:34:19 260608 ----a-w- c:\windows\PEV.exe
2009-11-28 08:34:19 161792 ----a-w- c:\windows\SWREG.exe
2009-11-26 04:29:41 0 d-----w- c:\docume~1\ram\applic~1\Malwarebytes
2009-11-26 04:29:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 04:29:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 04:29:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 04:29:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-21 07:49:49 0 d-----w- c:\program files\Veoh Networks
2009-11-20 13:15:58 0 d-----w- c:\program files\Trend Micro
2009-11-18 12:56:33 0 d-----w- C:\$AVG
2009-11-18 12:56:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-18 12:56:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-18 12:56:05 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-18 12:55:59 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-18 12:55:39 0 d-----w- c:\windows\SxsCaPendDel
2009-11-15 14:26:55 0 d-----w- c:\program files\Exact Audio Copy
2009-11-15 14:14:11 0 d-----w- c:\program files\SlySoft

==================== Find3M ====================

2009-10-27 06:38:48 47360 ----a-w- c:\docume~1\ram\applic~1\pcouffin.sys
2009-10-25 16:22:07 639224 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-08 13:27:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-06-23 06:29:36 58652 ----a-w- c:\program files\AMVapp-uninst.exe
2009-06-23 06:28:54 67895 ----a-w- c:\program files\Premiere AVS Plugin uninst.exe
2004-05-08 06:41:32 53361 ----a-w- c:\program files\Premiere AVS GUI.exe
2004-05-06 21:57:06 57344 -c--a-w- c:\program files\IM-Avisynth.prm

============= FINISH: 11:56:38.10 ===============
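
As an added example (my own code, not part of the logs above or of the helper's reply): a small Python triage script that reads HijackThis/DDS-style entry lines and flags the things a log reader looks at first: components marked (file missing), an IE start or search page that is not one of the stock Microsoft defaults, O16 ActiveX installers pulled from the web, and autostart entries loaded from user-writable or otherwise unusual locations. The sample input is constructed for the example: most lines are copied from the logs above, and the final O4 line (an updater.exe in a Temp directory) is hypothetical, added only to exercise the location check. The lists of expected install directories and default start pages are assumptions of this example, not anything the tools emit.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input constructed for this example. All but the last line are copied
# from the HijackThis/DDS logs above; the last O4 line is HYPOTHETICAL and is
# there only to exercise the "user-writable location" check.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.speedbit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O4 - HKLM\..\Run: [updater] C:\Documents and Settings\ram\Local Settings\Temp\updater.exe
"""

# "R0 - ..." / "O23 - ..." entry lines; banners and blank lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# A drive-letter path up to its file extension (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|lnk|scr|cpl|ocx)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumptions of this example: where installed software normally lives on a
# Windows XP box, path fragments that mean "user-writable", and the stock IE
# start/search pages HijackThis shows on an unmodified system.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
USER_WRITABLE_HINTS = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\",
                       "\\application data\\", "\\applic~1\\")
DEFAULT_PAGES = ("http://go.microsoft.com/fwlink", "about:blank")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section, e.g. "O2"
    reason: str  # why the line deserves a look
    line: str    # the original entry


def parse_entries(text):
    """Yield (code, body, original_line) for every entry line, skipping banners."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body"), raw.strip()


def check_entry(code, body, line):
    """Apply the four review heuristics to one entry and return its findings."""
    findings = []
    # 1. The registry still points at a file that is no longer on disk.
    if "(file missing)" in body:
        findings.append(Finding(code, "registered component not on disk (stale or removed)", line))
    # 2. R-lines: start/search page changed away from the defaults.
    if code.startswith("R") and " = " in body:
        value = body.split(" = ", 1)[1].strip()
        if not value.lower().startswith(DEFAULT_PAGES):
            findings.append(Finding(code, f"IE page setting points at {value}", line))
    # 3. O16: ActiveX controls that install from the web; review every host.
    if code == "O16":
        m = URL_RE.search(body)
        if m:
            host = urlparse(m.group(0)).hostname
            findings.append(Finding(code, f"web-installed ActiveX control from {host}", line))
    # 4. Autostart code living somewhere installed software should not be.
    m = PATH_RE.search(body)
    if m:
        path = m.group(0).lower()
        if any(h in path for h in USER_WRITABLE_HINTS):
            findings.append(Finding(code, "autostart from a user-writable location", line))
        elif not path.startswith(EXPECTED_DIRS):
            findings.append(Finding(code, "autostart from outside Program Files/Windows", line))
    return findings


def triage(text):
    """Run every check over every entry and return the findings in log order."""
    out = []
    for code, body, line in parse_entries(text):
        out.extend(check_entry(code, body, line))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

Run it as-is to print the findings for the sample, or pass the text of your own log to triage(). A hit is a prompt to look, not a verdict: here the search.speedbit.com start page goes with the SpeedBit toolbar listed in the same log, the Panda entries are the ActiveScan online scanner's installer, and the missing Java helper is a stale registration. The entry that matters is the kind the last sample line imitates: something set to run at logon from a location any user can write to.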

shelf life
2009-12-03, 00:01
OK. Thanks for all the info. You can delete the RootRepeal icon from your desktop. Another download will remove ComboFix for you:

Please download OTCleanIt and save it to your desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.

Always check Malwarebytes for updates before a scan.
If all is good, some info for you:

10 Tips for Reducing/Preventing Your Risk To Malware:

1) It is essential to keep your OS (Windows) (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us), browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, where you're then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If you keep getting malware then you should review your computer habits.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Even if you get an E-Mail from someone you know, it's possible that their computer or account information has been compromised.

5) Don't click on ads/pop-ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.*

8) Install and understand the *limitations* of a software firewall.

9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html) for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0. Read the FAQs.

10) Warez, cracks, etc. are very popular for carrying malware payloads. Using them will cause all kinds of problems. If you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.