I broke it so bad even hijack this won't work

Status
Not open for further replies.
I

Ivorytower

New member
I have lurked on and off for a while but I have finally joined up to plead for help. I think I really broke my OS this time. Hijackthis will not run. Most malware removal tools seem to fail and the browsers are well and truly hijacked.

I have isolated the system (pulled the network cable) and managed to run DDS to get some kind of log, any kind. I would have preferred hijack this logs but I simply couldn't get it to run.

______________________________________
DDS (Ver_09-05-14.01) - NTFSx86
Run by Master at 19:10:23.82 on Sun 07/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3582.3022 [GMT 10:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Internet\Comodo Firewall Pro\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Internet\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Utilities\BlueSoleil\BTNtService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Utilities\nHancer\nHancerService.exe
C:\Program Files\Audio\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DVDRW\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Utilities\Multimedia Combo Set\MouseDrv.exe
C:\Program Files\Utilities\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Internet\Comodo Firewall Pro\cfp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Internet\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Utilities\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Utilities\BlueSoleil\BlueSoleil.exe
C:\Program Files\Utilities\Nostromo\nost_LM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Master\Desktop\Recovery\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.abc.net.au/iview/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} -
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [NVIDIA nTune] "c:\program files\audio\ntune\nTuneCmd.exe" clear
uRun: [DAEMON Tools] "c:\program files\utilities\daemon tools\daemon.exe" -lang 1033
uRun: [SpybotSD TeaTimer] c:\program files\internet\spybot - search & destroy\TeaTimer.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SpriteService] "c:\program files\sprite software\sprite backup\SpriteService.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\JMRaidSetup.exe boot
mRun: [EasyTuneV] c:\program files\gigabyte\et5\ETcall.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RemoteControl] "c:\program files\dvdrw\powerdvd\PDVDServ.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [WireLessMouse ] c:\program files\utilities\multimedia combo set\MouseDrv.exe
mRun: [WireLessKeyboard ] c:\program files\utilities\multimedia combo set\PS2USBKbdDrv.exe
mRun: [Dit] Dit.exe
mRun: [COMODO Firewall Pro] "c:\program files\internet\comodo firewall pro\cfp.exe" -h
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [COMODO Internet Security] "c:\program files\internet\comodo firewall pro\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\internet\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
dRunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\utilities\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadou~1.lnk - c:\program files\utilities\nostromo\nost_LM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download All by FlashGet - c:\program files\internet\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\internet\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Open Link Target in Firefox - file://c:\documents and settings\master\application data\mozilla\firefox\profiles\tmc51llt.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewlink.html
IE: View This Page in Firefox - file://c:\documents and settings\master\application data\mozilla\firefox\profiles\tmc51llt.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewpage.html
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\internet\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\utilities\winhttrack\WinHTTrackIEBar.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.101,85.255.112.113
TCP: {05B5AC85-3927-49BF-A58E-319AC8B81DD4} = 85.255.112.101,85.255.112.113
TCP: {0A0DC48B-8EC8-4F20-B57B-C3C92166D0B3} = 85.255.112.101,85.255.112.113
TCP: {3FFFA5CC-5CDF-48EF-BD6F-6F66BF1AD04A} = 85.255.112.101,85.255.112.113
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\internet\coreftp\pftpns.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\master\applic~1\mozilla\firefox\profiles\94si2l9p.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://partnerpage.google.com/highvale.net
FF - component: c:\documents and settings\master\application data\mozilla\firefox\profiles\94si2l9p.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\video\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\video\divx\divx web player\npdivx32.dll
FF - plugin: c:\program files\video\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\internet\avira\antivir desktop\avgio.sys [2009-5-1 11608]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2008-2-16 132640]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-2-16 24096]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\internet\avira\antivir desktop\sched.exe [2009-5-1 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\internet\avira\antivir desktop\avguard.exe [2009-5-1 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-1 55640]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\internet\comodo firewall pro\cmdagent.exe [2008-2-16 692496]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2008-5-31 14976]
R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-7-24 22821]
R3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2007-9-14 13440]

=============== Created Last 30 ================

2009-06-07 18:52 4,042 a------- c:\windows\system32\tmp.reg
2009-06-07 18:35 <DIR> --d----- c:\program files\Trend Micro
2009-06-07 17:36 3,018,864 a------- c:\temp\ComboFix.exe
2009-06-07 17:18 <DIR> --d----- c:\temp\Programs
2009-06-07 17:02 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-07 12:49 1,483,128 a------- c:\temp\SetupOneCare.exe
2009-06-07 12:31 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-07 10:34 <DIR> --d----- c:\temp\t205249-how-to-delete-trojans-and-worms-from-registry_files
2009-06-07 10:32 <DIR> --d----- c:\temp\quickfix_files
2009-06-07 10:31 <DIR> --d----- c:\temp\Trend Micro HouseCall - Free Online Virus and Spyware Scan - Trend Micro UK_files
2009-06-07 10:31 <DIR> --d----- c:\temp\McAfee Threat Center_files
2009-06-07 10:30 <DIR> --d----- c:\temp\DisableSysRestore_files
2009-06-07 08:40 <DIR> --d----- c:\temp\File Assassin
2009-06-07 08:12 3,371,384 a------- c:\temp\mbam-setup.exe
2009-05-16 22:07 <DIR> --d----- c:\program files\NeoSmart Technologies
2009-05-14 01:18 <DIR> --dsh--- c:\documents and settings\master\IECompatCache
2009-05-12 16:33 <DIR> --dsh--- c:\documents and settings\master\PrivacIE
2009-05-12 16:05 <DIR> --dsh--- c:\documents and settings\master\IETldCache
2009-05-12 16:03 <DIR> --d----- c:\windows\ie8updates
2009-05-12 16:03 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-12 16:01 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-06-07 19:09 13,440 a------- c:\windows\system32\drivers\USBCRFT.SYS
2009-05-16 11:43 132,640 a------- c:\windows\system32\drivers\cmdGuard.sys
2009-05-15 19:07 168,208 a------- c:\windows\system32\guard32.dll
2009-05-15 19:07 24,096 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-05-04 14:07 16,608 a------- c:\windows\gdrv.sys
2009-04-03 19:25 31,029 a------- c:\windows\DIIUnin.dat
2009-04-03 19:15 94,208 a------- c:\windows\DIIUnin.exe
2009-04-03 19:15 2,829 a------- c:\windows\DIIUnin.pif
2008-05-15 19:49 17,488 a------- c:\docume~1\master\applic~1\GDIPFONTCACHEV1.DAT
2008-02-14 14:28 29 a------- c:\program files\version.ini
2008-02-14 14:23 231,944 a------- c:\program files\gwflash.exe
2007-12-27 16:29 22,328 a------- c:\docume~1\master\applic~1\PnkBstrK.sys
2007-09-21 19:42 19,008 a------- c:\program files\markfun.a64
2007-08-21 19:49 125,504 a------- c:\program files\MarkFunDrv.dll
2007-08-21 19:49 17,912 a------- c:\program files\markfun.w32
2007-04-05 04:31 248,640 a------- c:\program files\update.exe
2007-03-30 04:36 301 a------- c:\program files\update.ini
2007-03-02 04:48 240,448 a------- c:\program files\gwf32.exe
2006-11-23 23:47 207,680 a------- c:\program files\BIOS_Run.exe
2006-11-23 23:40 60,224 a------- c:\program files\HUADRV.DLL
2006-11-03 18:09 528 a------- c:\program files\CONFIG.INI
2005-04-27 19:40 6,800 a------- c:\program files\W95_HUA.vxd

============= FINISH: 19:10:46.50 ===============



I have the attach.txt log file if it helps.

I hope someone can assist. This one is really beyond my ability. I think I have followed the "before you post" to the best of my ability. Please forgive me if I have erred.

Thanks in advance
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions.

I'll do my best to help, let's start like this: c:\temp\ComboFix.exe

You have run a very powerful tool that even the creator states should be run only with supervision and you have run it from an incorrect location. Start by deleting any instance of combofix on the computer, then reboot to make sure.
(this is a good way to damage the computer badly)

Now follow carefully these directions.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


If combofix ran for you, then you should be able to install and run HijackThis now:

Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks
 
Thank you for you help so far. I will restrain my urges to tinker and follow instructions faithfully.

I removed all traces of combofix. I disabled Avira and exited Comodo. I ran ERUNT. I tried to run resetteatimer.bat but the server says file not found (on my uninfected systems too).

I then downloaded a fresh combofix directly to the desktop but it steadfastly refuses to run all. It does not even register that I am clicking on it. I tried to rename it and that also failed to generate a response. Likewise safe mode generated no response from combofix.exe

What is our next step?
 
Just so you know, this is a nasty infection, there are criminals from the Ukraine involved, see this from the log you posted:
85.255.112.101 <<< http://whois.domaintools.com/85.255.112.101
http://en.wikipedia.org/wiki/Russian_Business_Network
These criminals are likely looking for information they can turn into $$$, you may want to consider a reformat because even if we clean up the isues, there is no way to be sure we can get it all.

Next I would like to send you information via a private message. Please be sure your spam filters do not send the PM to trash. Let me know that you received the message.

Thanks
 
See if you can post a HJT log now. Hold your questions if possible until the end of the cleanup, information I post then usually answers them.

Once you get a HJT log posted, post also an uninstall list.
Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks...Phil
 
Logfile of Trend Micro HijackThis v2.0.2

I
Hi Phil,
Hi Phil,
SorryScan saved at 10:28:48 PM, on 8/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet\Comodo Firewall Pro\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Utilities\BlueSoleil\BTNtService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Utilities\nHancer\nHancerService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DVDRW\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Utilities\Multimedia Combo Set\MouseDrv.exe
C:\Program Files\Utilities\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Internet\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Utilities\DAEMON Tools\daemon.exe
C:\Program Files\Audio\nTune\nTuneService.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Utilities\BlueSoleil\BlueSoleil.exe
C:\Program Files\Utilities\Nostromo\nost_LM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/iview/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\ETcall.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\DVDRW\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WireLessMouse ] C:\Program Files\Utilities\Multimedia Combo Set\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Program Files\Utilities\Multimedia Combo Set\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Internet\Comodo Firewall Pro\cfp.exe" -h
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Internet\Comodo Firewall Pro\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Internet\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\Audio\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\Utilities\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Utilities\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\Internet\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\Internet\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\tmc51llt.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\tmc51llt.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\Utilities\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\Utilities\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\Internet\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\Internet\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.101,85.255.112.113
O17 - HKLM\System\CS1\Services\Tcpip\..\{05B5AC85-3927-49BF-A58E-319AC8B81DD4}: NameServer = 85.255.112.101,85.255.112.113
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Internet\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Internet\Avira\AntiVir Desktop\avguard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\Utilities\BlueSoleil\BTNtService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Internet\Comodo Firewall Pro\cmdagent.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\Utilities\nHancer\nHancerService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\Audio\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 11673 bytes



Uninstall List follows:

@BIOS Ver.2.05
Adobe Acrobat 7.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.5
Advanced SystemCare 3
AGEIA PhysX v7.09.13
All Mobile Mines - Pocket PC Edition 4.0.0
Application Suite
Application Suite
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
Back4Win
BlueSoleil
CDisplay 1.8
COMODO Firewall Pro
CompuApps SwissKnife V3
Core FTP LE 1.3c
Critical Update for Windows Media Player 11 (KB959772)
Dasur SlideIT English - Demo
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DMIView B06.1227.01
DriveImage XML
Driver Sweeper 1.0
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EA Download Manager
Easy Graphic Converter 1.2
EasyBCD 1.7.2
EasyTune5
Enable S3 for USB Device
EndItAll 2.0
ERUNT 1.1j
ETC B07.0509.01
Face_Wizard B07.0509.01
FlashGet(JetCar)
Fraps (remove only)
Gigabyte Raid Configurer
Gimp 2.6.0
Google Updater
Guild Wars
Handy Recovery 1.0
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
i-Cool
InfraRecorder
iolo technologies' System Mechanic 5 Professional
IrfanView (remove only)
IsoBuster 1.4
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LightCommubicator QVGA Setup
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft ActiveSync
Microsoft Keyboard Layout Creator 1.4
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Voice Command US PPC 1.60 for M2M
MozBackup 1.4.6
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (2.0.0.21)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Multimedia Combo Set
nHancer
Nostromo Array Programming Software
Notepad++
NVIDIA Drivers
NVIDIA nTune
Nvidia Omega Drivers v2.169.21 Setup Files
PC Wizard 2008.1.84
PowerDVD
PowerQuest PartitionMagic 8.0
PTDD Partition Table Doctor 3.5
PunkBuster Services
QuickTime Alternative 1.81
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SoftMaker Office 2008 (C:\Program Files\PDA\SoftMaker Office 2008)
Sonic RecordNow! Deluxe
SPORE™
TMPGEnc DVD Author 1.5
TMPGEnc DVD Source Creator 2.0
TMPGEnc Sound Player
Tweak UI
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USB Dual Vibration Joystick
USB2.0 Card Reader
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
VideoLAN VLC media player 0.8.6c
Warfare Incorporated(TM) for Pocket PC
Winamp
Windows Internet Explorer 8
Windows Mobile Resources
Windows Mobile Resources
Windows XP Service Pack 3
WinHTTrack Website Copier 3.43-4
WinRAR archiver
WorldCard Mobile
XQDC X-Setup Pro 9.0.100
 
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 10 ActiveX <<< check this
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 8.1.5 <<< out of date and unsafe:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Java(TM) 6 Update 13 <<< valid but 14 is released if interested.
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Rest are out of date and unsafe and need to be uninstalled.
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: FlO8 - Extra context menu item: Download All by FlashGet - C:\Program Files\Internet\FlashGet\jc_all.htm G
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.101,85.255.112.113 G
O17 - HKLM\System\CS1\Services\Tcpip\..\{05B5AC85-3927-49BF-A58E-319AC8B81DD4}: NameServer = 85.255.112.101,85.255.112.113

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks...Phil
 
I followed instructions by first looking at my installs. I removed many things I did not need and installed the scanner you recommended then did what it asked... except it kept telling me my Firefox was version 2 when it is not...

After the uninstalls I noticed that Acrobat 7 Pro kept wanting to update and install material. To be safe I uninstalled it for now along with pdf reader.

Before launching Hijackthis as requested I noticed that the lines changed slightly from your instructions. I noted:

O3 - Toolbar: FlO8 - Extra context menu item: Download All by FlashGet - C:\Program Files\Internet\FlashGet\jc_all.htm G

had changed to

O3 - Toolbar:FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

While

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.101,85.255.112.113 G

lost the G

The last one was unchanged.

I checked the boxes and ran the fix despite the name changes.

I downloaded and ran ATF and then downloaded malwarebytes which I duly installed.

Malwarebytes refused to update. I tried twice. I then checked this version against the version on my laptop. Database on the infected machines was out of date. I reebooted the infected machine and a sucessful update occured. I then started a full scan.


During the malwarebytes scan Avira reported some findings. This was unexpected. I Exported the events as follows:

9/06/2009 19:45 [Guard] Malware found
Virus or unwanted program 'TR/Alureon.BU.1 [trojan]'
detected in file 'C:\System Volume
Information\_restore{A750442D-B18B-49BB-A0C3-B58B6F0731CD}\RP0\A0000003.dll.
Action performed: Move file to quarantine

9/06/2009 19:44 [Guard] Malware found
Virus or unwanted program 'TR/Obfuscator.ER [trojan]'
detected in file 'C:\System Volume
Information\_restore{A750442D-B18B-49BB-A0C3-B58B6F0731CD}\RP0\A0000002.dll.
Action performed: Move file to quarantine

9/06/2009 19:44 [Guard] Malware found
Virus or unwanted program 'TR/Obfuscator.ER [trojan]'
detected in file
'C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcvdkyjmgwdxsmgbjiharlfnoelcujmaed.d
ll.vir.
Action performed: Move file to quarantine

9/06/2009 19:42 [Guard] Malware found
Virus or unwanted program 'TR/Alureon.BU.1 [trojan]'
detected in file
'C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcaeorvkgvptlqxwsqjbrkqaowtfikgpss.d
ll.vir.
Action performed: Move file to quarantine

Taking a clue from the avira log I noticed "system restore" had turned itself back on with nasties hidding in the system volume information. I turned system restore back off and left malwarebytes to do its job.


Malwarebytes log:

Malwarebytes' Anti-Malware 1.37
Database version: 2252
Windows 5.1.2600 Service Pack 3

9/06/2009 9:03:42 PM
mbam-log-2009-06-09 (21-03-42).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 231960
Time elapsed: 1 hour(s), 28 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0a0dc48b-8ec8-4f20-b57b-c3c92166d0b3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.101,85.255.112.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0a0dc48b-8ec8-4f20-b57b-c3c92166d0b3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.101,85.255.112.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3fffa5cc-5cdf-48ef-bd6f-6f66bf1ad04a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.101,85.255.112.113 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\HUADRV.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\program files\MarkFunDrv.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:19 PM, on 9/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet\Comodo Firewall Pro\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Internet\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Utilities\BlueSoleil\BTNtService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Utilities\nHancer\nHancerService.exe
C:\Program Files\Audio\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DVDRW\PowerDVD\PDVDServ.exe
C:\Program Files\Utilities\Multimedia Combo Set\MouseDrv.exe
C:\Program Files\Utilities\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Internet\Comodo Firewall Pro\cfp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Internet\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Utilities\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Utilities\BlueSoleil\BlueSoleil.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Utilities\Nostromo\nost_LM.exe
C:\Program Files\Utilities\Secunia\PSI\psi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/iview/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\ETcall.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\DVDRW\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WireLessMouse ] C:\Program Files\Utilities\Multimedia Combo Set\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Program Files\Utilities\Multimedia Combo Set\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Internet\Comodo Firewall Pro\cfp.exe" -h
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Internet\Comodo Firewall Pro\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Internet\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\Audio\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\Utilities\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Utilities\Secunia\PSI\psi.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Utilities\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\Internet\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\Internet\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\tmc51llt.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\tmc51llt.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\Utilities\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\Utilities\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\Internet\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\Internet\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Internet\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Internet\Avira\AntiVir Desktop\avguard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\Utilities\BlueSoleil\BTNtService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Internet\Comodo Firewall Pro\cmdagent.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\Utilities\nHancer\nHancerService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\Audio\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 9629 bytes

How is my computer running now? I "looks" back to normal but I do not trust it yet and keep the network cable pulled except when you tell me to download something.
 
Thanks for the feedback, right you are, Avira is finding infected System Restore and stuff in combofix quarantine. I am not sure how the uninstaller will work and you might have to remove combofix manually (delete) We want to be sure it is completely removed since it does not update, especially the C:\Qoobox\Quarantine\ folder.

Let's proceed like this and see how it goes.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)

Update AntiVir Desktop and scan the system, to be sure it is running right and scanning clean.
Good information:
http://www.free-av.com/en/support/index.html


If all is well at this point, let me know and I will close the topic.
(let me know about any issues that need to be resolved at this point)

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx
 
Combofix is now removed

As per your instructions I disabled System Restore , rebooted and then re-enabled.

I patched up Avira and also checked mwb (it seems to be up to date).

I will run both overnight and check if I get clean logs. If they come back with problems I will post in the morning - so please do not close just yet.

Thank you for all your help so far. I was totally lost and I really appreciate your time, efforts and professionalism on this.


Outstanding questions:
I am an inquisitive beast by nature so please excuse the number of questions. I will understand if you decline to answer any or all.

1- Is this a good time to re-install spybot?

2- Is it wise to include other products such as adaware or spyware doctor (the one which comes with googlepack)?

3- I moved some data to an external harddrive - just files, no executables. What precautions should I take before hooking that drive up to anything (system restore on the external drive is turned off)?

4- You mentioned that for this infection that there is no way to be certain we got it all. If I reformat the drive, what the chances of any nasties surviving in some form such boot sectors etc?

5- If I back up data for a reformat what should I do to try and minimise the chances of importing a risk into a newly formated OS?

6- Why does PSI report my Firefox as version 2.0.x when it is actually 3.0.10? Should I be concerned?


My thanks again and I will post at least one last time. Either I will report the logs are clean or... well if there is a problem I will post the logs.

Once again, and it cannot be said enough, thank you so much and my best wishes to you. :thanks:

Fingers crossed. I am setting the scans to run and going to bed.
 
1) wait until you complete the scans and are sure all is running as it should, then install it from here:
http://www.safer-networking.org/en/download/index.html
Here are good links for Spybot S&D information:
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html

2) I personally use neither of those, please read what the experts have to say in the links I provided before you make that call.

3) You should be able to scan that drive with Avira and MBAM to be sure.

4) Here is some information you can view:
http://www.google.com/search?hl=en&q=hidden+rootkit+infections&btnG=Search&aq=f&oq=&aqi=
The junk can be hidden so well that it is impossible to guarantee it is gone without a reformat. A reformat wipes the drive clean, the only way something can get on the computer is if it is installed after the reformat.
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

5) The links I posted in #4 should answer that question.

6) Good question, I update Firefox from within the program and always run the newest version. Why don't you ask that question here:
http://secunia.com/vulnerability_scanning/personal/support_and_help/
If you experience problems with the Secunia PSI, we strongly recommend that you join our free Secunia Community Forum and post your question.
Click to expand...

Let me know what you find (email) and perhaps I'll have an answer for the next member who asks.

Thanks...Phil
 
After the first good nights sleep since this happened I have the logs

Malwarebytes reports no problems

Avira reports three warnings only:

c:\pagefile.sys could not be opened
c:\windows\system32\drivers\sptd.sys could not be opened
f:\hiberfil.sys could not be opened

I did a quick google and there seems to be various opinions on sptd.sys - not all of them helpful. I will check it more carefully after work.

hiberfil.sys apparently relates to hibernate mode. I wil check this more carefully to.

From memory pagefile relates to virtual memory. Would a warning on it be normal? Sorry if I am paranoid at the moment but caution seems wise.

Thank you again for the links and further suggestions. I guess I have some light reading for the next few days :)

I will follow up the firefox issue in the next few days as well and see if I can get an answer.

I will check back on the thread to make sure noting in this post generates a response needing more action.

Thank you again Phil and the wonderful people here who give your time and expertise to us after we do something dumb. :bigthumb:
 
THanks for the above.

One final note. The machine in question dual boots XP and Vista. XP caught the infection. Should I take any specific precautions on the Vista boot part of the machine?
 
Hummm...I must have missed you tell me that, why don't you boot to Vista and run MBAM, see if it shows anything at all.
 
Malwarebytes shows no problems or warnings when run in Vista (scanned the whole system to be safe). :D:

Still caution shall be my watch word for the immediate future.

I guess this brings us the sucessfull end. I understand no guarantees can be made. I am horrified at the complexity of the infection and the ease with which I contracted it despite what I though were adequate precautions. I am impressed with you tenacity, skill and dedication. My thanks. :angel:
 
Status
Not open for further replies.
Back
Top