View Full Version : Please Help - Firefox is being redirected and Safe Mode is not working
Hello all,
I've unfortunately encountered a redirect/hijack program that I can't seem to get rid of. In the past I've been able to take care of any problems with the use of Spybot and MBAM. However, when I try to boot into safe mode, it stops at the mup.sys driver and I get a BSOD with only a dash and a question mark before the computer restarts (it looks like a sideways "L" followed immediately by a question mark).
I'll try to give as much useful information as possible:
Initially a bogus antivirus program downloaded itself and changed my desktop background to an alert (green backround with a black box in the middle saying I was infected). The program also placed an icon in the taskbar (red circle with an "X") and would send constant popup warnings. I've encountered similar programs before and have had success removing them, so I didn't pay it much attention. I scanned my system and removed infections, but the problems continued. I was able to change my Desktop background image back, but I noticed that the "Folder Options" folder was missing from the Control Panel (just a empty space between the two adjacent folders) and that system restore was disabled. Also, the System Restore Tab was completely removed from System Properties. I was able to get the System Restore enabled after another scan, but all my restore points have seemingly been lost.
Now, any web searches I do are slow (as well as jerky cursor movement) and any link I click on redirects me to some random site, usually asking me to take a survey. Most of the time, the icon in the tab on my browser (Firefox 3) looks like a number 2. I ran MBAM and Spybot and they found several infections which it removed, and a subsequent search found a few more. The last time MBAM found any infections, when it tried to restart and complete the removal on reboot, is from and I got an error window saying that it had to close unexpectedly. My last few scans have revealed no infections but my web browsing is still being redirected.
Also, not sure if it's useful, but some of the icons on my desktop look a little funny, and have a black outline that looks slightly jagged, like you traced the outline in a Paint or a similar drawing application. Hmmm.
I'd also like to point out that I already have a few anti-virus and malware removal programs on my computer, but have noticed people suggesting to download and rename programs (I guess to avoid detection). If this is the case, and I should install fresh versions, please let me know.
I appreciate any help that would be available. Thanks.
Hijack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:49:28, on 1/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\Rescue and Recovery\launcheg.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Common Files\Lenovo\InvAgent\ia.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SteepAndCheap\Desktop Alert\SAC-Desktop-Alert.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\UnHackMe\UnHackMe.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: SAC-Desktop-Alert.lnk = C:\Program Files\SteepAndCheap\Desktop Alert\SAC-Desktop-Alert.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
--
End of file - 13876 bytes
-Corey
Lenovo T61
Windows XP Pro
shelf life
2010-01-08, 00:02
hi,
Your log is a few days old, if you still need help simply reply to my post.
Yes, I would certainly appreciate any assistance. Here's where I am at: I ran through a gamut of malware removal tools and nothing helped. Research I did online led me to believe that I was a victim of Tdss infection (browser hijack, system restore and safe mode disabled). I ran Tdss killer and it found 3 infections, one of which it couldn't remove and would recreate the other two on restart.
I was getting desperate and so I ran combofix (despite warnings to only use under supervision). I just let it run as defaulted, and it found and removed an infection at atapi.sys if I remember correctly. Afterward, Tdss killer came back clean and my browsing seems fine and safe mode works again. I did have to do some Lenovo updates as I think Combofix removed some functions but everything is appearing normal.
It would be helpful to have someone to look at the logs and offer any post cleanup advice. I don't necessarily trust my computer yet and there are those who would say reformat is the best option. I'm trying to learn more about this stuff so I don't have to overwhelm forums every time I have a problem, but I would certainly appreciate some help from somebody with more experience.
Thank you,
-Corey
shelf life
2010-01-08, 02:25
I was going to suggest running combofix. You had a rootkit. A pretty new variation of the TDSS rootkit. Combofix seems to have taken care of it.
A reformat/reinstall is good advice.
Here are two older MS articles that still apply:
http://technet.microsoft.com/en-us/library/cc512587.aspx
http://technet.microsoft.com/en-us/library/cc512642.aspx
You can post the Combofix log located at C:/combofix
I've attached the Combofix log. Interesting articles you suggested. So basically, even though the original symptoms that were being caused by the Rootkit are gone, there could potentially be other vulnerabilities that it left without any indication of them being there.
I don't necessarily mind a reformat (it would be a hassle, but I think my computer would probably benefit from it ultimately) though I am unsure how to proceed. The Thinkpad I have didn't come with XP disks but has an area of the hard drive partitioned for that purpose. The options allow me to either replace the OS without affecting any of the personal documents that are on the computer, or to restore the computer to its factory state. I assume with the latter I would need to back everything up on data discs and carefully screen files as I reintroduce them onto the reformatted computer.
Sorry if this doesn't make sense, I just woke up. Any suggestions?
Thanks again for the help,
-Corey
shelf life
2010-01-08, 04:30
pasted in log:
ComboFix 10-01-04.01 - User 01/06/2010 14:52:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2030.1554 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User\Application Data\SystemProc
c:\recycler\S-1-5-21-0415444029-9557523060-575793227-1842
c:\recycler\S-1-5-21-2103967480-3013173219-068918687-9932
c:\recycler\S-1-5-21-2921848518-3340446600-879474960-500
c:\recycler\S-1-5-21-4848716352-6695824852-352608772-2732
c:\recycler\S-1-5-21-5522347633-2890938995-802165362-5511
c:\recycler\S-1-5-21-5559065472-4181881334-907679494-3691
c:\recycler\S-1-5-21-6214390846-4508696248-817465003-8409
c:\recycler\S-1-5-21-6353197008-8191531982-869909309-9236
c:\recycler\S-1-5-21-6598836512-2908719922-515404246-0091
c:\windows\nvDrv.sy
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\psqlpwd.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.
2010-01-06 08:48 . 2010-01-06 08:48 -------- d-----w- C:\e0879e7a0d8c9bc9e6
2010-01-06 08:48 . 2010-01-06 08:48 -------- d-----w- C:\94889b3037a72032ca03ac0b99
2010-01-06 05:53 . 2010-01-06 05:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-06 05:09 . 2010-01-06 05:09 -------- d-----w- c:\documents and settings\User\DoctorWeb
2010-01-05 09:47 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-01-05 06:39 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-05 06:39 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-05 06:39 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-05 06:39 . 2010-01-05 06:39 -------- d-----w- c:\program files\Avira
2010-01-05 05:57 . 2010-01-05 05:57 -------- d-----w- c:\program files\FileASSASSIN
2010-01-05 05:40 . 2010-01-05 06:27 -------- d-----w- c:\program files\RegCleaner
2010-01-05 03:49 . 2010-01-05 03:49 -------- d-----w- c:\program files\CCleaner
2010-01-05 03:30 . 2010-01-05 03:30 -------- d-----w- c:\program files\Add Remove Pro
2010-01-05 03:11 . 2010-01-05 03:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-01-05 02:58 . 2010-01-05 02:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-05 02:55 . 2003-06-26 00:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
2010-01-05 01:54 . 2010-01-05 01:54 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-01-05 01:54 . 2010-01-05 01:54 32480 ----a-w- c:\windows\system32\Partizan.exe
2010-01-04 08:48 . 2010-01-04 08:48 -------- d-----w- c:\program files\Trend Micro
2010-01-03 17:55 . 2010-01-03 17:55 -------- d-----w- c:\program files\Sophos
2010-01-03 17:42 . 2010-01-03 17:42 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-03 07:11 . 2010-01-03 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-03 07:11 . 2010-01-03 07:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-03 04:49 . 2010-01-03 04:49 -------- d-----w- c:\windows\RestoreSafeDeleted
2010-01-03 00:44 . 2010-01-03 00:44 -------- d-sh--w- c:\documents and settings\User\.COMMgr
2010-01-02 20:12 . 2010-01-02 20:16 -------- d-----w- c:\documents and settings\User\Application Data\FMZilla
2010-01-02 19:55 . 2010-01-02 20:16 -------- d-----w- c:\program files\Free Music Zilla
2009-12-26 23:46 . 2009-12-26 23:46 -------- d-----w- c:\documents and settings\User\Application Data\Moyea
2009-12-26 23:45 . 2009-12-26 23:45 -------- d-----w- c:\program files\Moyea
2009-12-26 21:38 . 2009-12-26 21:38 -------- d-----w- c:\program files\Common Files\Solveig Multimedia
2009-12-26 20:35 . 2009-12-26 20:35 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-26 20:34 . 2010-01-05 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-26 19:39 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-26 19:38 . 2009-12-26 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira(2)
2009-12-26 19:13 . 2009-12-26 19:13 -------- d-----w- c:\program files\Solveig Multimedia
2009-12-22 19:27 . 2009-08-11 00:53 53248 ----a-w- c:\windows\system32\CSVer.dll
2009-12-22 19:26 . 2009-12-22 19:26 -------- d-----w- C:\Intel
2009-12-22 19:20 . 2009-09-15 20:34 5977216 ----a-w- c:\windows\system32\drivers\NETw5x32.sys
2009-12-22 19:20 . 2009-09-15 20:19 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-12-22 19:20 . 2009-09-15 20:18 675840 ----a-w- c:\windows\system32\NETw5c32.dll
2009-12-22 19:20 . 2009-12-22 19:27 -------- d-----w- c:\program files\Intel
2009-12-22 19:20 . 2009-12-22 19:20 -------- d-----w- c:\program files\Common Files\Intel
2009-12-18 06:03 . 2009-12-18 06:03 -------- d-----w- c:\program files\RAR Password Recovery Magic
2009-12-14 18:58 . 2009-12-14 18:58 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Jaksta_LLC
2009-12-14 18:57 . 2009-12-14 18:57 -------- d-----w- c:\program files\Jaksta
2009-12-14 18:53 . 2009-12-14 18:53 -------- d-----w- c:\program files\Replay Video Capture
2009-12-14 18:53 . 2009-12-14 18:53 -------- d-----w- c:\windows\Replay Video Capture
2009-12-11 06:00 . 2010-01-02 19:51 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2009-12-11 06:00 . 2010-01-02 19:51 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2009-12-11 05:44 . 2010-01-02 19:51 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 05:52 . 2008-09-29 15:10 -------- d-----w- c:\program files\Java
2010-01-04 21:35 . 2006-04-30 06:45 277784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-01-03 09:45 . 2008-11-11 03:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-03 07:11 . 2008-11-11 05:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-03 05:23 . 2009-10-06 16:50 -------- d-----w- c:\program files\UnHackMe
2010-01-03 03:35 . 2008-11-16 17:29 -------- d-----w- c:\program files\Azureus
2010-01-03 03:34 . 2008-11-16 17:29 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2010-01-03 01:08 . 2008-11-12 06:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-02 20:10 . 2008-12-13 08:32 -------- d-----w- c:\program files\Replay Media Catcher
2009-12-30 22:55 . 2008-11-12 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 22:54 . 2008-11-12 18:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 06:08 . 2009-08-22 23:41 -------- d-----w- c:\program files\Avidemux 2.5
2009-12-22 19:21 . 2009-12-02 18:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-12-22 19:21 . 2009-12-02 18:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2009-12-22 19:21 . 2008-12-22 19:15 -------- d-----w- c:\documents and settings\User\Application Data\Intel
2009-12-22 19:21 . 2008-12-22 19:15 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-12-22 19:20 . 2008-12-22 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-12-21 23:41 . 2008-12-24 10:47 -------- d-----w- c:\program files\McAfee
2009-12-18 18:39 . 2009-10-28 16:51 52480 ----a-w- c:\windows\system32\nvModes.dat
2009-12-16 03:10 . 2009-07-04 21:03 -------- d-----w- c:\program files\Replay Converter
2009-12-07 18:37 . 2009-12-07 18:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-12-04 08:14 . 2008-11-10 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-30 03:01 . 2008-12-24 18:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-15 00:41 . 2009-11-15 00:41 -------- d-----w- c:\program files\Bulk Rename Utility
2009-11-01 10:23 . 2008-10-04 01:03 29720 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 05:04 . 2006-04-30 06:56 668672 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2006-04-30 06:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2006-04-30 06:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-03 23:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2006-04-30 06:55 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2006-04-30 06:55 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2006-04-30 06:55 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-06 16:51 . 2009-10-06 16:51 2 --shatr- c:\windows\winstart.bat
2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-17 2002160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-06 122880]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 524288]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-17 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-17 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"TpShocks"="TpShocks.exe" [2007-03-30 181808]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13549568]
"nwiz"="nwiz.exe" [2009-01-15 1630208]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-01-31 2618944]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-25 1036288]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-06 149280]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-22 50688]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0Partizan\0
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SAC-Desktop-Alert.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SAC-Desktop-Alert.lnk
backup=c:\windows\pss\SAC-Desktop-Alert.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2009-03-07 01:29 458752 ----a-w- c:\program files\ThinkVantage\AMSG\Amsg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2006-05-18 23:24 196696 ------w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 20:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-01-15 00:37 86016 ----a-w- c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-11-02 08:38 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 04:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\hp_CLJ2600_Full_Solution\\SETUP.EXE"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 4:47 PM 19760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/4/2010 10:39 PM 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/24/2008 2:48 AM 93320]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/14/2007 9:10 PM 11152]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 12:11 PM 569344]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [7/7/2009 1:27 AM 40576]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [7/3/2009 8:08 PM 17408]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [9/13/2006 11:42 AM 35264]
S0 mndttgzj;mndttgzj; [x]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [1/4/2010 5:54 PM 34760]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [7/6/2009 3:15 PM 12672]
S3 JakNDisMP;JakNDisMP;c:\windows\system32\DRIVERS\JakNDis.sys --> c:\windows\system32\DRIVERS\JakNDis.sys [?]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\User\LOCALS~1\Temp\000009b9.nmc\nse\bin\ndiskio.sys --> c:\docume~1\User\LOCALS~1\Temp\000009b9.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;\??\c:\docume~1\User\LOCALS~1\Temp\000001bd.nmc\nse\bin\nsak.sys --> c:\docume~1\User\LOCALS~1\Temp\000001bd.nmc\nse\bin\nsak.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - UnHackMeDrv
.
Contents of the 'Scheduled Tasks' folder
2010-01-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]
2010-01-06 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-09-29 16:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\13kdrefo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.
- - - - ORPHANS REMOVED - - - -
Notify-ACNotify - ACNotify.dll
Notify-psfus - c:\windows\system32\psqlpwd.dll
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-06 15:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1796)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
- - - - - - - > 'explorer.exe'(3112)
c:\windows\system32\nview.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-06 15:12:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-06 23:12
Pre-Run: 27,695,886,336 bytes free
Post-Run: 27,690,876,928 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - FB693DBD997D36133A055C4A7320CD75
shelf life
2010-01-08, 04:50
there could potentially be other vulnerabilities that it left without any indication of them being there. Yes, its possible. Removal tools lag behind the malware.
See if you can locate this file;
c:\windows\winstart.bat
rename it to .txt then open it in notepad and post its content.
Did as you asked, but when I opened it with Notepad it was absolutely empty. (?)
Should I rename back to a .bat file?
shelf life
2010-01-09, 00:04
Should I rename back to a .bat file?
You can delete it. Do a online scan for good measure:
ESET online scanner:
http://www.eset.com/onlinescan/
uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.
Here is the Eset Log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=0
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=76b5112863ae3943b18431875da5e68a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-08 11:15:32
# local_time=2010-01-08 03:15:32 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775125 100 94 0 35531847 0 0
# compatibility_mode=3073 16777213 80 89 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 0 13 0 0 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=0
shelf life
2010-01-10, 04:12
Why dont you run Rootrepeal for good measure:
http://ad13.geekstogo.com/RootRepeal.exe
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the scan button
In the Select Scan Window check everything:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan
May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply
Root Repeal Log:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/09 19:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA747E000 Size: 892928 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA3504000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\RRbackups
Status: Locked to the Windows API!
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: \\?\C:\RRbackups\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\C
Status: Invisible to the Windows API!
Path: C:\RRbackups\common
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings
Status: Invisible to the Windows API!
Path: C:\RRbackups\SIS
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\C\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\C\0
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\common\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\common\backups.dat
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\bt0.dat
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\css.dat
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\hints.dat
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\mnd.dat
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\regcerts.dat
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\restore.log
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\rr.log
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\SAM
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\secpolicy.dat
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\settings.dat
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\system.dat
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\tvtcmn.dat
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\tvtns.bin
Status: Invisible to the Windows API!
Path: C:\RRbackups\common\usersids.dat
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Administrator
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\All Users
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Default User
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\LocalService
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\NetworkService
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\User
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\SIS\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\SIS\C
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\C\0\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\C\0\Data27
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data46
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data65
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data0
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data1
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data10
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data11
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data12
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data13
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data14
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data15
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data16
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data17
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data18
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data19
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data2
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data20
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data21
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data22
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data23
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data24
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data25
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data26
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data28
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data29
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data3
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data30
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data31
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data32
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data33
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data34
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data35
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data36
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data37
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data38
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data39
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data4
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data40
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data41
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data42
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data43
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data44
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data45
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data47
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data48
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data49
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data5
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data50
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data51
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data52
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data53
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data54
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data55
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data56
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data57
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data58
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data59
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data6
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data60
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data61
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data62
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data63
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data64
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data66
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data67
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data68
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data69
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data7
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data70
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data71
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data72
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data73
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data74
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data75
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data76
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data77
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data78
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data8
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Data9
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\dats
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\EFSFile
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\HashFile
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\Info
Status: Invisible to the Windows API!
Path: C:\RRbackups\C\0\TOCFile
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Administrator\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\All Users\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\All Users\Application Data
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Default User\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\LocalService\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\LocalService\Application Data
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\User\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\User\Application Data
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\SIS\C\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\SIS\C\0
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\C\0\dats\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\User\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Lenovo
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\SIS\C\0\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\SIS\C\0\Data0
Status: Invisible to the Windows API!
Path: C:\RRbackups\SIS\C\0\HashFile
Status: Invisible to the Windows API!
Path: C:\RRbackups\SIS\C\0\TOCFile
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\User\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3732970329-3193270347-4124631726-500
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-4191934145-183065513-187198730-500
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo\Client Security Solution\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3732970329-3193270347-4124631726-500
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-4191934145-183065513-187198730-500
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\User\Application Data\Lenovo\Client Security Solution\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Lenovo\Client Security Solution\hibernation.dat
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Protect\S-1-5-21-1937205213-696133048-3122666296-1005
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Protect\S-1-5-21-3732970329-3193270347-4124631726-500
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Protect\S-1-5-21-4191934145-183065513-187198730-500
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3732970329-3193270347-4124631726-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3732970329-3193270347-4124631726-500\138282ed-6f07-4eb1-baf2-cc7e95aa0916
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3732970329-3193270347-4124631726-500\Preferred
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-4191934145-183065513-187198730-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-4191934145-183065513-187198730-500\3835b472-cd51-4fac-a7ed-add256ddc7df
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-4191934145-183065513-187198730-500\Preferred
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3732970329-3193270347-4124631726-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3732970329-3193270347-4124631726-500\138282ed-6f07-4eb1-baf2-cc7e95aa0916
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3732970329-3193270347-4124631726-500\Preferred
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-4191934145-183065513-187198730-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-4191934145-183065513-187198730-500\3835b472-cd51-4fac-a7ed-add256ddc7df
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-4191934145-183065513-187198730-500\Preferred
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1937205213-696133048-3122666296-1005
Status: Invisible to the Windows API!
Path: \\?\C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Protect\S-1-5-21-1937205213-696133048-3122666296-1005\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Protect\S-1-5-21-1937205213-696133048-3122666296-1005\0340d261-0d8b-48ac-bc06-49175e8dd8f8
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Protect\S-1-5-21-1937205213-696133048-3122666296-1005\a4489717-c3d7-42bc-82fd-0ff65ab13bd6
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Protect\S-1-5-21-1937205213-696133048-3122666296-1005\bc3ace5b-e719-4070-b585-05d0b02b070e
Status: Invisible to the Windows API!
Path: C:\RRbackups\Documents and Settings\User\Application Data\Microsoft\Protect\S-1-5-21-1937205213-696133048-31SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac603bcc
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6031aa
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac603832
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60434c
#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60308c
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60505c
#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6052f4
#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac602c52
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac603fb6
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac604166
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac602a84
#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac604cde
#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60342e
#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac603a0e
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6027b4
#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6036be
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60292c
#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac604712
#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60563a
#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac604a7a
#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac603db2
#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac604e8c
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac604512
#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6033c8
#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6035b2
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xaaac50b0
#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac602e24
Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac607352
#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac607a76
#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac607486
#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac607936
#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6075c6
#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6076fa
#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6071d2
#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606424
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606ea2
#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac607834
#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606c10
#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606d52
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6068f4
#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60615c
#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6065a6
#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606752
#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606ff2
#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606ab6
#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6070e8
#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6062cc
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac607adc
#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac607d10
==EOF==
shelf life
2010-01-10, 20:16
hi,
looks ok. you can delete the rootrepeal icon from your desktop. you can use this utility to remove combofix:
Please download OTCleanIt and save it to desktop.
http://oldtimer.geekstogo.com/OTC.exe
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
You can make a new restore point. The why and the how:
One of the features of Windows XP, Vista and Windows7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.(creates a new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
If all is good, some tips for helping you remain malware free:
10 Tips for Reducing/Preventing Your Risk To Malware:
Simply knowing what constitutes a safe action on a computer and what may not will help you tremendously.
1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here. (http://secunia.com/vulnerability_scanning/online/)
2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and your then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html)that you may have malware on your computer.
3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to review your computer habits.
4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.
5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason. Use the Alt+F4 keys to close the window.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?
7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.*
8) Install and understand the *limitations* of a software firewall.
9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html)for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, Read the FAQ's.
10) Warez, cracks etc are very popular for carrying all kinds of malware payloads. Using them will cause you all kinds of problems. If you download/install files via p2p (http://www.virusvault.us/p2p.html) networks, then you are also much more likely to encounter malicious code in a downloaded file. Do you really trust the source of the file? Do you really need another malware source?
A longer version in link below.
Happy Safe Surfing.