
Thread: computer is jacked

  1. #31
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725

    Hello glass ninja,

    479.00 Mb Total Physical Memory | 58.00 Mb Available Physical Memory | 12.00% Memory free
    You may want to consider upgrading your RAM. 512MB is low for today's standard and you are utilizing it almost at maximum already.

    Please back up your registry with ERUNT.

    --------------------

    Fix with OTL
    • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
    • If you need help to disable your protection programs see here and here.
    • Double click on OTL.exe to run it.
    • Copy and paste the following text into the white box below Custom Scans/Fixes:
      Code:
      :otl
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O7 - HKU\S-1-5-21-1547161642-113007714-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      [2011/01/06 20:39:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Debby\Application Data\FrostWire
      [2009/10/10 00:09:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Debby\Application Data\LimeWire
      @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F59BA980
      
      :reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
      "FirstRunDisabled" = -
      
      :commands
      [CREATERESTOREPOINT]
      [resethosts]
      [emptytemp]
    • Click Run Fix.
    • Please post the contents of the fix log file back here if you are prompted to open the file. It can also be found at C:\_OTL\Moved Files as MMDDYYY_HHMMSS.log where MMDDYYY is date format and HHMMSS is time format.
    • If requested to reboot, please do so. The log file will open after restart.
    • Re-enable your security software as soon as you have completed the OTL fix steps.


    --------------------

    Please post back:
    1. the OTL fix log
    2. any more problems?

  2. #32
    Junior Member
    Join Date
    Mar 2011
    Posts
    19

    Hello-

    I know I need more RAM in my PC. I keep getting that "virtual memory" box that pops up every so often. I was hoping to get a laptop, but I may just end up upgrading this one.

    What was it that infected my computer??

    Ok. I backed up using erunt, then disabled avast. Here is the log from the OTL:



    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
    Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
    Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
    Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
    Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
    Registry key HKEY_USERS\S-1-5-21-1547161642-113007714-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
    C:\Documents and Settings\Debby\Application Data\FrostWire\xml\data folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\FrostWire\xml folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\FrostWire\themes\frostwirePro_theme folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\FrostWire\themes folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\FrostWire\overlays folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\FrostWire\.NetworkShare\Incomplete folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\FrostWire\.NetworkShare folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\FrostWire\.AppSpecialShare folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\FrostWire folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\LimeWire\xml\data folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\LimeWire\xml folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\LimeWire\themes\windows_theme folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\LimeWire\themes folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\LimeWire\promotion folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\LimeWire\certificate folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\LimeWire\.AppSpecialShare folder moved successfully.
    C:\Documents and Settings\Debby\Application Data\LimeWire folder moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:F59BA980 deleted successfully.
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled deleted successfully.
    ========== COMMANDS ==========
    Restore point Set: OTL Restore Point (0)
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Debby
    ->Temp folder emptied: 1347047 bytes
    ->Temporary Internet Files folder emptied: 49760399 bytes
    ->Java cache emptied: 1132559 bytes
    ->FireFox cache emptied: 236202932 bytes
    ->Flash cache emptied: 2873315 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56466 bytes

    User: josephus
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->FireFox cache emptied: 77542258 bytes
    ->Flash cache emptied: 1821 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2176856 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 123509 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 741137560 bytes

    Total Files Cleaned = 1,061.00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 03262011_092526

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
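
A cross-check of the fix script from post #31 against the fix log from post #32, as an added example that is not part of the original thread and not part of OTL. It matches only the line wording visible in this thread; the function names and the bucket labels (`handled`, `absent`, `unaccounted`) are made up for illustration.

```python
import re
# Result wording copied from the fix log in this thread; other wording is not guessed.
OUTCOME = re.compile(r"^(?:Registry key |Registry value |ADS )?(?P<target>.+?)"
                     r"(?: folder)? (?P<result>deleted successfully|moved successfully|not found)\.$")
DIRECTIVES = [re.compile(p) for p in (
    r"^O\d+ - (?P<t>.+) present$",                  # registry key entry
    r"^\[.*\] -- (?P<t>.+)$",                       # file or folder entry
    r"^@Alternate Data Stream - .* -> (?P<t>.+)$",  # alternate data stream
)]
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}

def script_targets(fix_script):
    """Paths named by the :otl directives, with hive abbreviations expanded."""
    targets = []
    for line in map(str.strip, fix_script.splitlines()):
        m = next(filter(None, (p.match(line) for p in DIRECTIVES)), None)
        if m:
            head, sep, rest = m["t"].partition("\\")
            targets.append(HIVES.get(head, head) + sep + rest)
    return targets

def cross_check(fix_script, fix_log):
    """Sort script targets into handled / absent / unaccounted by the log's results."""
    outcomes = {}
    for line in map(str.strip, fix_log.splitlines()):
        m = OUTCOME.match(line)
        if m:  # Windows paths are case-insensitive, so compare lowercased
            outcomes[m["target"].rstrip("\\").lower()] = m["result"]
    report = {"handled": [], "absent": [], "unaccounted": []}
    for target in script_targets(fix_script):
        result = outcomes.get(target.lower())
        bucket = "unaccounted" if result is None else "absent" if result == "not found" else "handled"
        report[bucket].append(target)
    return report

# Constructed sample built from lines in the thread; the ADS log line is omitted on purpose.
SAMPLE_SCRIPT = r"""
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
[2011/01/06 20:39:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Debby\Application Data\FrostWire
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F59BA980
"""
SAMPLE_LOG = r"""
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
C:\Documents and Settings\Debby\Application Data\FrostWire folder moved successfully.
"""
if __name__ == "__main__":
    print(cross_check(SAMPLE_SCRIPT, SAMPLE_LOG))
```

An entry under `unaccounted` has no result line in the log and is worth re-checking before the cleanup tools are removed.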

  3. #33
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725

    Hello glass ninja,

    "What was it that infected my computer??"
    It was a Bamital infection that patched some of Windows' critical files. No worries, it has been neutralized.

    --------------------

    Congratulations, you are All Clear to go. Glad to hear everything is good and running. If you have any more problems, please let me know.

    Now we need to clear out the programs we have been using to clean up your computer. They are not suitable for general malware removal and could cause damage if used inappropriately.
    • Go to Start > Run.... Copy and paste the following text into the white box:
      ComboFix /uninstall
      Click OK.
    • Run OTL by double clicking on OTL.exe. Click on CleanUp, proceed to reboot if prompted.
    • Delete the SystemLook, CKScanner, Rootkit Unhooker and TDSSKiller files on your desktop.
    • Delete any logs on the desktop.


    Some tips to help you stay clean and safe:

    1. Keep your Windows up to date. Enable Automatic Updates for Windows XP to always get the latest security patches from Microsoft, or you can download them from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malware.

    2. Update your Antivirus program regularly; it is a must for constant protection against viruses. Please keep only one AV installed.

    3. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool, totally free but for real-time protection you will have to pay a small one-time fee.

    4. Install WinPatrol, a great protection program that helps you monitor for unwanted files or applications. If you would like to try WinPatrol, please uninstall Spybot.

    5. Use a hosts file to block access to bad sites from your computer. Get yourself the MVPS Hosts file for this purpose.

    6. Install Web of Trust (WOT). WOT keeps you from dangerous websites with warnings and blockings.

    7. Protect your computer from removable or USB drive infections with Panda USB Vaccine, an effective method to prevent malware from spreading.

    8. Keep all your software updated. Visit Secunia Software Inspector to find out if any updates are required.

    9. Also look up:
    Computer Security - a short guide to staying safer online
    PC Safety and Security - What Do I Need? By Glaswegian
    How to prevent malware: By miekiemoes
    So how did I get infected in the first place? By Tony Klein
    Microsoft Online Safety

    Stay safe.

  4. #34
    Junior Member
    Join Date
    Mar 2011
    Posts
    19

    Hi-

    Wow. Thank you SO much for your patient help. I will be making a donation to spybot in your name/honor. Thank you.

    Debby

  5. #35
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725

    You are most welcome and thanks to you as well.

  6. #36
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725

    As your problems appear to have been resolved, this topic is now closed.

    We are glad to be of help. If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read:
    Your donation helps in improving Spybot-S&D!
