
Thread: Cleaning up after (?) Virtumonde

#11 Junior Member (joined Feb 2008, 10 posts)

    Here's the Panda Scan:

    ANALYSIS: 2008-02-23 18:32:16
    PROTECTIONS: 2
    MALWARE: 28
    SUSPECTS: 0

    PROTECTIONS
    Description Version Active Updated
    ;
    Spy Sweeper with AntiVirus 5.3.2.2361 No Yes
    McAfee VirusScan Yes Yes
    ;
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;
    00020302 adware/ncase Adware No 0 Yes No c:\windows\didduid.ini
    00029459 spyware/betterinet Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740}
    00040415 adware/wintools Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
    00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E955-11D0-A707-000000521958}
    00096188 spyware/searchcentrix Spyware No 1 Yes No hkey_current_user\software\dynamic toolbar
    00134558 spyware/petro-line Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{22A88341-AFCB-45F0-A856-C2BAE74F878E}
    00135099 adware/powerstrip Adware No 0 Yes No c:\windows\preprocess.data
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.trafficmp.com/]
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.trafficmp.com/]
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.trafficmp.com/]
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.trafficmp.com/]
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.trafficmp.com/]
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.trafficmp.com/]
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.trafficmp.com/]
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.trafficmp.com/]
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.atdmt.com/]
    00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.247realmedia.com/]
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.tribalfusion.com/]
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.tribalfusion.com/]
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.tribalfusion.com/]
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.tribalfusion.com/]
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.com.com/]
    00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.xiti.com/]
    00167726 Cookie/Tickle TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.tickle.com/]
    00167726 Cookie/Tickle TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.tickle.com/]
    00167726 Cookie/Tickle TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.tickle.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[ad.yieldmanager.com/]
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.serving-sys.com/]
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.serving-sys.com/]
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.serving-sys.com/]
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.serving-sys.com/]
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.serving-sys.com/]
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.serving-sys.com/]
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.bs.serving-sys.com/]
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.advertising.com/]
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.advertising.com/]
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.advertising.com/]
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.advertising.com/]
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.advertising.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.ads.pointroll.com/]
    00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.overture.com/]
    00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.overture.com/]
    00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.overture.com/]
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.realmedia.com/]
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.realmedia.com/]
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.realmedia.com/]
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.realmedia.com/]
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.realmedia.com/]
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.realmedia.com/]
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.realmedia.com/]
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.questionmarket.com/]
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.questionmarket.com/]
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.questionmarket.com/]
    00175950 Cookie/cs.sexcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Cookies\philip_guest@cs.sexcounter[2].txt
    00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.bravenet.com/]
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.target.com/]
    00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.did-it.com/]
    00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.did-it.com/]
    00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.did-it.com/]
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.atwola.com/]
    01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe

#12 __RiP_ChAiN_, Emeritus - Malware Team (U.S.A, joined Sep 2007, 480 posts)

    Hello pguest

    A. Please RUN HijackThis
    1. Click the SCAN button to produce a log.
    2. Place a check mark beside each one of the following items:

      O2 - BHO: (no name) - {0DFB3893-5A74-D388-2199-37B8D3993214} - (no file)
      O2 - BHO: (no name) - {71738DA5-A1E8-4902-9D87-FF23EACEA1E1} - (no file)
      O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -


    3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

    B. 1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    File::
    c:\windows\didduid.ini
    c:\windows\preprocess.data
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E955-11D0-A707-000000521958}]
    [-hkey_current_user\software\dynamic toolbar]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{22A88341-AFCB-45F0-A856-C2BAE74F878E}]
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Save the above as CFScript.txt

    4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    6. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
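
Added example, not code from the thread and not a tool the helper used: a Python script that does by parsing what steps A and B above ask the poster to do by eye. It picks out the HijackThis O2/O3/O9/O16 lines whose target is "(no file)", "(file missing)" or empty (the orphaned registrations selected for "Fix checked"), and turns the Panda ActiveScan MALWARE rows into a CFScript with File:: and Registry:: sections. It assumes the log layouts exactly as pasted in this thread (the Panda column order and the HijackThis "Oxx - ... - target" form) and embeds abridged copies of the posted lines as its sample input; tracking cookies are skipped and a HackTools hit is returned for a human decision instead of being deleted.

```python
import re

# Added example, not code from the thread. Step A: HijackThis entries whose
# binary is gone. Step B: Panda ActiveScan findings -> ComboFix CFScript.

# --- Step A ---------------------------------------------------------------
# An O2 (BHO), O3 (toolbar), O9 (IE button/menu item) or O16 (DPF ActiveX)
# line whose last " - " field is "(no file)", "... (file missing)" or empty
# is a registration left behind after its file went away.
HJT_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
ORPHAN_SECTIONS = {"O2", "O3", "O9", "O16"}


def orphaned_hjt_entries(log):
    hits = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m or m.group(1) not in ORPHAN_SECTIONS:
            continue
        body = m.group(2)
        # "O16 - DPF: {GUID} -" has nothing at all after the final dash.
        target = "" if body.endswith(" -") else body.rsplit(" - ", 1)[-1]
        if target in ("", "(no file)") or target.endswith("(file missing)"):
            hits.append(line)
    return hits


# --- Step B ---------------------------------------------------------------
# Row layout: Id Description Type Active Severity Disinfectable Disinfected
# Location. Description may contain spaces ("Cookie/Traffic Marketplace"),
# so the parse is anchored on the fixed Yes/No/digit columns, not on blanks.
PANDA_ROW = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<location>.+)$"
)


def parse_panda(text):
    matches = (PANDA_ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def build_cfscript(rows, remove_types=("Adware", "Spyware")):
    """Return (script_text, review_list). Files and registry keys of the
    chosen types go into the script; cookies are skipped (clear them in the
    browser); anything else, e.g. a HackTools hit on a dual-use utility,
    is handed back for a human decision rather than deleted blindly."""
    files, keys, review = {}, {}, []      # dicts keep scan order and dedupe
    for r in rows:
        loc = r["location"]
        if r["type"] == "TrackingCookie":
            continue
        if r["type"] not in remove_types:
            review.append((r["id"], r["desc"], r["type"], loc))
            continue
        if loc.lower().startswith("hkey_"):
            keys[loc] = None
        elif re.match(r"^[a-z]:\\", loc, re.I):
            files[loc] = None
    out = []
    if files:
        out.append("File::")
        out.extend(files)
    if keys:
        out.append("Registry::")
        out.extend(f"[-{k}]" for k in keys)
    return "\n".join(out), review


# Sample input: lines copied (abridged) from the logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {0DFB3893-5A74-D388-2199-37B8D3993214} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {71738DA5-A1E8-4902-9D87-FF23EACEA1E1} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
"""

SAMPLE_PANDA = r"""
Id Description Type Active Severity Disinfectable Disinfected Location
;
00020302 adware/ncase Adware No 0 Yes No c:\windows\didduid.ini
00029459 spyware/betterinet Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740}
00040415 adware/wintools Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E955-11D0-A707-000000521958}
00096188 spyware/searchcentrix Spyware No 1 Yes No hkey_current_user\software\dynamic toolbar
00134558 spyware/petro-line Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{22A88341-AFCB-45F0-A856-C2BAE74F878E}
00135099 adware/powerstrip Adware No 0 Yes No c:\windows\preprocess.data
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Philip Guest\Application Data\Mozilla\Firefox\Profiles\d9wag9m7.default\cookies.txt[.trafficmp.com/]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe
"""

if __name__ == "__main__":
    for line in orphaned_hjt_entries(SAMPLE_HJT):
        print("HJT fix checked:", line)
    script, review = build_cfscript(parse_panda(SAMPLE_PANDA))
    print(script)
    for item in review:
        print("decide by hand:", item)
```

Run on the sample, the script it prints is line for line the CFScript __RiP_ChAiN_ posted in step B (two File:: paths, five [-key] deletions in scan order), and the only item in the review list is C:\WINDOWS\Nircmd.exe, which the helper's script likewise leaves alone. The same caveat from the post applies: a CFScript built from one machine's logs is only for that machine.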

#13 Junior Member (joined Feb 2008, 10 posts)

    Here's the latest:

    ComboFix 08-02-21 - Philip Guest 2008-02-24 21:29:34.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.206 [GMT -8:00]
    Running from: C:\Documents and Settings\Philip Guest\Desktop\System Tools\Security\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Philip Guest\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    c:\windows\didduid.ini
    c:\windows\preprocess.data
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\didduid.ini
    c:\windows\preprocess.data

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
    .

    2008-02-23 17:53 . 2008-02-23 17:55 <DIR> d-------- C:\Program Files\Panda Security
    2008-02-09 13:30 . 2008-02-09 13:30 <DIR> d-------- C:\Program Files\Windows Defender
    2008-02-09 11:35 . 2008-02-09 11:35 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-08 20:44 . 2008-02-08 20:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2008-02-08 20:44 . 2008-02-08 20:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-08 16:16 . 2008-02-08 16:13 691,545 --a------ C:\WINDOWS\unins000.exe
    2008-02-08 16:16 . 2008-02-08 16:16 3,450 --a------ C:\WINDOWS\unins000.dat
    2008-02-08 13:31 . 2008-02-08 13:31 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
    2008-02-08 13:31 . 2007-09-22 17:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
    2008-02-08 12:55 . 2008-02-08 12:55 35,575,089 --a------ C:\sdat5226.exe
    2008-02-08 12:34 . 2008-02-08 13:35 <DIR> d-------- C:\SDAT
    2008-02-08 11:53 . 2008-02-08 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
    2008-02-08 11:52 . 2008-02-08 11:52 61,480 --a------ C:\Documents and Settings\Jon Dalton\GoToAssistDownloadHelper.exe
    2008-02-08 11:11 . 2008-02-08 11:11 <DIR> d-------- C:\Documents and Settings\Jon Dalton\Application Data\McAfee
    2008-02-02 17:26 . 2008-02-03 08:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-02-02 13:24 . 2008-02-02 13:24 <DIR> d-------- C:\Documents and Settings\Philip Guest\Application Data\McAfee
    2008-01-30 21:39 . 2008-01-30 21:41 <DIR> d-------- C:\Program Files\QuickTime

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-15 16:30 --------- d-----w C:\Program Files\McAfee
    2008-02-12 04:41 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
    2008-02-09 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-09 00:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-03 01:20 --------- d-----w C:\Program Files\iTunes
    2008-02-03 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
    2008-02-02 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2008-02-02 21:01 --------- d-----w C:\Program Files\Kodak
    2008-01-14 16:08 --------- d-----w C:\Program Files\Netflix
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
    2007-12-29 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
    2007-12-29 04:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
    2007-12-29 04:18 --------- d-----w C:\Program Files\Dell Support Center
    2007-12-29 04:18 --------- d-----w C:\Program Files\Common Files\supportsoft
    2007-12-28 06:54 --------- d-----w C:\Documents and Settings\Philip Guest\Application Data\UseNeXT
    2007-12-26 03:37 --------- d-----w C:\Program Files\UseNeXT
    2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
    2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxdav.sys
    2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    2007-12-06 11:01 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
    2007-12-06 11:00 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
    2007-12-06 11:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
    2007-12-06 04:59 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\oleaut32.dll
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\oleaut32.dll
    2004-10-18 03:59 98,544 -c--a-w C:\Documents and Settings\Philip Guest\Application Data\GDIPFONTCACHEV1.DAT
    2003-11-14 03:18 1,068,194 ----a-w C:\Program Files\cybermen_screensaver.zip
    2003-11-12 04:10 16,251,072 -c--a-w C:\Program Files\AdbeRdr60_enu_full.exe
    2003-11-09 17:29 488,032 -c--a-w C:\Program Files\PopUpStopperFree.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
    "BBC News alerts"="C:\Program Files\BBC News alerts\skinkers.exe" [2005-04-04 05:35 475136]
    "EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 17:16 454784]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
    "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 23:48 155648]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 23:44 126976]
    "Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-03-16 10:56 90112]
    "Ulead Quick-Drop"="C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4 Suite Deluxe\Ulead Quick-Drop 1.0\Quick-Drop.exe" [2005-04-28 17:59 102400]
    "NovaBackup 7 Tray Control"="C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe" [2005-06-23 09:03 221184]
    "USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 17:27 81920]
    "BtcMaestro"="C:\Program Files\KMaestro\KMaestro.exe" [2005-12-04 08:32 237568]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-20 19:25 180269]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33 582992]
    "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-10-30 21:33:07 24576]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
    Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2006-02-14 19:26:07 110592]
    NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-10-29 18:24:03 118784]
    NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2006-02-06 19:30:45 233472]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLogoff"= 0 (0x0)

    R1 AluriaFilter;AluriaFilter;C:\WINDOWS\system32\DRIVERS\AlurFltr.sys [2005-05-17 08:23]
    R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
    S3 AL_ADSFilter;AL_ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\AL_ADSFilter.sys []

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-15 09:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe'
    "2007-07-03 15:19:43 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe
    "2008-02-25 01:08:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-24 21:34:00
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-24 21:36:06
    ComboFix-quarantined-files.txt 2008-02-25 05:35:43
    ComboFix2.txt 2008-02-21 15:59:40
    .
    2008-02-20 07:51:42 --- E O F ---

#14 Junior Member (joined Feb 2008, 10 posts)

    And here's the hijacklog:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:24:34 PM, on 2/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\wwSecure.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
    C:\Program Files\KMaestro\KMaestro.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\BBC News alerts\skinkers.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\NovaStor\NOVABA~1\NSENGINE.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\pguest.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] "C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe"
    O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4 Suite Deluxe\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
    O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
    O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] "C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe"
    O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\KMaestro\KMaestro.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [BBC News alerts] "C:\Program Files\BBC News alerts\skinkers.exe"
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
    O4 - Startup: PictureProject In Touch.lnk = C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{35115998-7424-454A-AA1D-C0CACD99BB99}: NameServer = 66.51.206.100 66.51.205.100
    O17 - HKLM\System\CS1\Services\Tcpip\..\{35115998-7424-454A-AA1D-C0CACD99BB99}: NameServer = 66.51.206.100 66.51.205.100
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

    --
    End of file - 10243 bytes


    Thanks again for your attention
    (The internet didn't crash this time, so it was the stormy weather!)

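Added example, not part of this thread: a small triage script for logs in the HijackThis format shown above. It picks out the entries a helper looks at first: registry pointers to files that no longer exist (the "(file missing)" / "(no file)" O9 lines), auto-start entries launched from a user profile or temp directory, O16 ActiveX downloads, the O17 DNS servers, and O23 services with an unknown publisher. The SAMPLE_LOG is constructed in the same format; its paths, GUIDs and addresses are placeholders and not findings from the poster's machine. The "suspect directory" rule is a heuristic for where to look, not proof of infection.

```python
"""Triage a HijackThis-style log: pull out the entries worth a second look.

Added example, not part of this thread. SAMPLE_LOG is constructed in the
same format as the log posted above; its paths, GUIDs and addresses are
placeholders, not real findings from the poster's machine.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - (no file)
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Vendor\updater.exe" /silent
O4 - HKLM\..\Run: [SysTray] C:\WINDOWS\system32\systray.exe
O4 - HKCU\..\Run: [Helper] C:\Documents and Settings\Owner\Application Data\rnd\helper.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\Vendor\Monitor.exe
O9 - Extra button: (no name) - {66666666-7777-8888-9999-AAAAAAAAAAAA} - C:\WINDOWS\System32\plugin.dll (file missing)
O16 - DPF: {BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF} (Example Class) - http://example.com/download/plugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12345678-1234-1234-1234-123456789ABC}: NameServer = 192.0.2.53 192.0.2.54
O23 - Service: Broker Service - Unknown owner - C:\Program Files\Vendor\brkrsvc.exe
O23 - Service: Real-time Scanner (Scan) - Example AV, Inc. - C:\Program Files\ExampleAV\scan.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str  # "O4", "O17", ...
    body: str     # text after "O4 - "


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
RUN_RE = re.compile(r"Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
LNK_RE = re.compile(r"Startup:\s*(?P<name>.+?\.lnk)\s*=\s*(?P<cmd>.*)$", re.IGNORECASE)
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)

# Auto-start entries launched from a user profile or temp directory are where
# adware such as Virtumonde usually drops itself. Heuristic for what to check
# first, not proof that the file is malicious.
SUSPECT_DIRS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
)


def parse_entries(text):
    """Turn the 'Oxx - ...' lines of a log into Entry objects; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def executable_of(cmd):
    """Extract the program path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd.split(" ")[0]


def triage(entries):
    findings = []
    for e in entries:
        lower = e.body.lower()
        if "(file missing)" in lower or "(no file)" in lower:
            # Registry points at something that is gone: harmless, but fix it so the log is clean.
            findings.append(Finding("orphan", f"{e.section}: {e.body}"))
        elif e.section == "O4":
            m = RUN_RE.search(e.body) or LNK_RE.search(e.body)
            if m:
                exe = executable_of(m.group("cmd"))
                if any(d in exe.lower() for d in SUSPECT_DIRS):
                    findings.append(Finding("autostart-in-user-dir", f"{m.group('name')} -> {exe}"))
        elif e.section == "O16":
            # ActiveX controls IE downloaded: each one is code that ran from a web site.
            findings.append(Finding("activex-download", e.body))
        elif e.section == "O17":
            # DNS servers set in the registry; confirm they belong to the ISP.
            servers = e.body.split("NameServer =", 1)[-1].split()
            findings.append(Finding("dns-servers", " ".join(servers)))
        elif e.section == "O23" and "unknown owner" in lower:
            findings.append(Finding("service-unknown-publisher", e.body))
    return findings


def summarize(text):
    """Category -> number of findings, for a quick glance."""
    counts = {}
    for f in triage(parse_entries(text)):
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_entries(SAMPLE_LOG)):
        print(f"[{f.category}] {f.detail}")
```

Run it against a real log by reading the file into `parse_entries`; the "dns-servers" and "activex-download" categories are listed for review rather than flagged as bad, since in the log above both the DNS servers and the DPF entries belong to the ISP and to known vendors.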
  5. #15
    Emeritus - Malware Team __RiP_ChAiN_
    Join Date
    Sep 2007
    Location
    U.S.A
    Posts
    480

    Default

    Hello pguest

    Your logs are looking much better now, how is your computer currently running?

  6. #16
    Junior Member
    Join Date
    Feb 2008
    Posts
    10

    Default

    McAfee and Spybot have been congratulating me for a while and the system seems to be running fine.

    Should I be worried about the notepad .exe space? I do use notepad quite a lot. Are there other programs that could be compromised or is this not an issue if the source of contamination has been wiped?

    Thank you so much for your help.

    Pguest

  7. #17
    Emeritus - Malware Team __RiP_ChAiN_
    Join Date
    Sep 2007
    Location
    U.S.A
    Posts
    480

    Default

    Hello pguest,

    Are you referring to this notepad .exe with a space?
    1. Please open Notepad
    Click Start, then Run
    Type notepad .exe in the Run Box.
    That isn't anything you need to worry about.

    Please delete the following folder:

    C:\Qoobox

    Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    2. Use AntiVirus Software - It is very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online and stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources
    3. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
    4. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls
    5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    6. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware
    7. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety:
    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
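
Added example, not part of this thread: a check for the six Internet-zone settings listed in step 1 above, so you can verify after clicking through the Custom Level dialog that they actually took. Internet Explorer stores these per-zone settings as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone), where 0 = Enable, 1 = Prompt and 3 = Disable. The value names used here (1001, 1004, 1201, 1800, 1804, 1607) are Microsoft's URL-action identifiers for those dialog entries; they are assumed by this example and do not appear in the post. The audit treats a setting that is already stricter than recommended (Disable where Prompt was asked for) as fine, and reports a missing value instead of guessing the IE default for it.

```python
"""Check the Internet-zone settings from the post above against what it recommends.

Added example, not part of this thread. The registry location and the numeric
value names (1001, 1004, 1201, 1800, 1804, 1607) are Microsoft's URL-action
identifiers for these dialog entries; they are assumed here and do not appear
in the original post. Value meanings: 0 = Enable, 1 = Prompt, 3 = Disable.
"""
ENABLE, PROMPT, DISABLE = 0, 1, 3
ZONE_INTERNET = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# value name -> (label as shown in Custom Level, value the post asks for)
POLICY = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Disable is stricter than Prompt, which is stricter than Enable; a setting that
# is already stricter than the post asks for is not a finding.
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}


def audit(current):
    """Return (name, label, have, wanted) for every setting weaker than POLICY.

    `current` maps value name -> DWORD as read from the zone key. A missing or
    unrecognised value is reported as well, because IE's per-zone defaults
    differ between versions and should not be guessed.
    """
    weak = []
    for name, (label, wanted) in POLICY.items():
        have = current.get(name)
        if have is None or STRICTNESS.get(have, -1) < STRICTNESS[wanted]:
            weak.append((name, label, have, wanted))
    return weak


def read_current():
    """Read the six values from HKCU on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_INTERNET) as key:
        for name in POLICY:
            try:
                current[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value absent: audit() will report it
    return current


def apply_policy(weak):
    """Write the recommended value for each weak setting (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_INTERNET, 0, winreg.KEY_SET_VALUE) as key:
        for name, _label, _have, wanted in weak:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, wanted)


if __name__ == "__main__":
    findings = audit(read_current())
    for name, label, have, wanted in findings:
        print(f"{name} {label}: have {have}, want {wanted}")
    if not findings:
        print("Internet zone matches the recommended settings")
```

Run it as the user whose IE settings you changed, since the values live under HKCU; `apply_policy(audit(read_current()))` writes only the settings that are weaker than recommended and leaves stricter ones alone.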
