UIPopupHidden...
#16
Posted 30 May 2008 - 04:35 AM
Register to Remove
#17
Posted 01 June 2008 - 08:13 AM
Edited by Snow, 01 June 2008 - 05:35 PM.
#18
Posted 01 June 2008 - 12:11 PM
#19
Posted 01 June 2008 - 05:36 PM
#20
Posted 04 June 2008 - 09:17 AM
:run combofix:
If you have an older virsion please delete it and download this newer one
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Note:Do not mouseclick combofix's window while it's running. That may cause it to stall
:information and logs:
In your next post I need the following
1.log from combofix
2.new log from hijackthis
[/list]
Gringo
#21
Posted 04 June 2008 - 10:51 AM
here is the Combofix report and a new HJT report...
ComboFix 08-06-03.4 - MOM 2008-06-04 12:27:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.221 [GMT -4:00]
Running from: C:\Documents and Settings\MOM\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\MOM\Application Data\macromedia\Flash Player\#SharedObjects\CYSYDLJL\www.broadcaster.com
C:\Documents and Settings\MOM\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\MOM\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\winhelp.ini
.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.
2008-06-01 09:53 . 2008-06-01 09:53 <DIR> d-------- C:\_OTMoveIt
2008-05-28 06:33 . 2008-05-28 06:34 <DIR> d-------- C:\Program Files\Panda Security
2008-05-26 21:42 . 2003-05-01 21:03 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-26 21:42 . 2008-05-26 21:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-26 08:33 . 2008-05-26 08:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 08:33 . 2008-05-26 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 06:39 . 2008-05-26 06:39 <DIR> d-------- C:\Documents and Settings\MOM\Application Data\Malwarebytes
2008-05-26 06:38 . 2008-05-26 06:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-26 06:38 . 2008-05-26 06:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-26 06:38 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-26 06:38 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 22:11 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-25 22:10 . 2008-05-25 22:10 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-14 11:07 . 2008-05-14 11:07 <DIR> d-------- C:\WINDOWS\system32\CodeBaby
2008-05-14 11:06 . 2005-07-12 02:28 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2008-05-14 11:06 . 2005-07-12 02:28 6,048 --a------ C:\WINDOWS\system32\MCC16.dll
2008-05-10 20:55 . 2008-05-10 20:55 <DIR> d-------- C:\Documents and Settings\MOM\Application Data\Uniblue
2008-05-10 20:10 . 2008-05-10 20:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-10 15:28 . 2008-05-10 15:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 15:27 . 2008-05-10 15:28 <DIR> d-------- C:\HJT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 16:53 1,225 ----a-w C:\Program Files\INSTALL.LOG
2008-06-01 16:36 --------- d-----w C:\Documents and Settings\DAN\Application Data\LimeWire
2008-05-30 14:59 --------- d-----w C:\Documents and Settings\MOM\Application Data\Image Zone Express
2008-05-27 18:24 --------- d-----w C:\Documents and Settings\MOM\Application Data\AdobeUM
2008-05-26 02:11 --------- d-----w C:\Program Files\Java
2008-05-26 02:01 --------- d-----w C:\Program Files\ewido anti-malware
2008-05-14 15:07 --------- d-----w C:\Program Files\Common Files\Motive
2008-05-05 01:34 --------- d-----w C:\Documents and Settings\MOM\Application Data\LimeWire
2008-05-03 01:45 --------- d-----w C:\Program Files\LimeWire
2008-04-19 17:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Bell
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 14:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-05-27 20:54 46,968 ----a-w C:\Documents and Settings\MEL\Application Data\GDIPFONTCACHEV1.DAT
2006-06-28 16:29 407,080 ----a-w C:\Program Files\msgr8us.exe
2006-03-18 18:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-02-07 23:03 2,906 ----a-w C:\Program Files\setuplog.txt
2006-01-13 14:19 5,225,384 ----a-w C:\Program Files\Firefox Setup 1.5.exe
2005-10-29 04:06 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2005-10-27 15:26 516,031 ----a-w C:\Program Files\ccsetup124.exe
2005-10-27 01:40 2,314,920 ----a-w C:\Program Files\LimeWireWin.exe
2005-10-06 15:17 558,240 ----a-w C:\Program Files\GoogleToolbarInstaller.exe
2005-10-06 12:51 34,039,576 ----a-w C:\Program Files\iTunesSetup.exe
2005-09-16 15:20 2,212,192 ----a-w C:\Program Files\wbsamp.exe
2005-09-16 14:16 3,563,166 ----a-w C:\Program Files\Propackcodec203b.exe
2005-09-15 12:28 21,226,656 ----a-w C:\Program Files\freedom_5_0_10_bell_en.exe
2005-04-19 23:25 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 01:08 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18 270648]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2002-06-10 14:21 102400]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-06-20 12:25 45056]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 11:33 2061816]
"Sympatico Security Manager"="C:\Program Files\Bell\Security Manager\Rps.exe" [2007-08-27 17:57 310000]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe" [2007-08-27 17:57 13552]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-11 14:48 180269]
"BellCanada_McciTrayApp"="C:\Program Files\BellCanada\McciTrayApp.exe" [2007-11-19 10:33 1468928]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"SoundMan"="SOUNDMAN.EXE" [2003-04-24 19:53 54784 C:\WINDOWS\SOUNDMAN.EXE]
"OemReset"="C:\WINDOWS\OPTIONS\OEMRESET.exe" [ ]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 08:41 94208]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 03:56 15360]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 11:52 218232]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
C:\Documents and Settings\DAD\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-04-18 15:21:09 147456]
C:\Documents and Settings\MOM\UserData\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-09-16 11:20:49 45056]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 01:28:44 282624]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-09-11 10:41:48 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm
"vidc.XVID"= xvid.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= divxa32.acm
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VTAgentReboot.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe
backup=C:\WINDOWS\pss\VTAgentReboot.exeCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2003-04-29 07:00 323584 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freedom]
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
--a------ 2002-11-14 22:34 266240 C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StandardInstall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ITMRTSVC"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"Motive SmartBridge"=C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"LogitechGalleryRepair"=C:\Program Files\Logitech\ImageStudio\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-11-01 11:59]
S3 LVBulk;LVBulk Service;C:\WINDOWS\system32\DRIVERS\LVBulk.sys [2002-06-10 14:21]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-10-31 17:51]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-10-31 17:51]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);C:\WINDOWS\system32\DRIVERS\LV551AV.sys [2002-06-10 14:24]
S3 Radialpoint Security Services;Sympatico Security Manager;C:\WINDOWS\system32\dllhost.exe [2004-08-04 03:56]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-23 21:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-05-27 16:10:50 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 12:30:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-04 12:35:17
ComboFix-quarantined-files.txt 2008-06-04 16:35:03
Pre-Run: 63,580,258,304 bytes free
Post-Run: 63,565,185,024 bytes free
181 --- E O F --- 2008-05-27 21:23:44
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:02 PM, on 04/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Security Manager\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Security Manager\Rps.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Bell\Security Manager\PrtlAgt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Security Manager\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Sympatico Security Manager] "C:\Program Files\Bell\Security Manager\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Security Manager\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Security Manager\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.co...w-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://activation.s...nadaActiveX.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.c...ureUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F04FE050-90DE-4EDD-A719-7CF3EBA4175E} (DetectCtl Class) - http://transition.sy...ystemdetect.cab
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - https://signup.msn.c...ages/msxml3.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
--
End of file - 10244 bytes
Thank you!
Snow
#22
Posted 04 June 2008 - 03:38 PM
Boot into Safe Mode
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
:Run CFScript:
Open Notepad and copy/paste the text in the box into the window:
KILLALL:: Folder:: C:\My old Disk Structure -- 05-09-08 0901PM
Save it to your desktop as CFScript.txt
Refering to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
:information and logs:
In your next post I need the following
1.log from combofix
[/list]
Gringo
#23
Posted 04 June 2008 - 05:43 PM
Edited by Snow, 04 June 2008 - 05:44 PM.
#24
Posted 05 June 2008 - 11:34 AM
Cfscript is what I want you to make with notepadWhat is CFScript?? is it the ComboFix log?
:Run CFScript:
Cfscript is a text file that I want you to make with notepad
Click on start-->then all programs-->accessories-->then notepad
Open Notepad and copy/paste the text in the box into the window:
KILLALL:: Folder:: C:\My old Disk Structure -- 05-09-08 0901PM
Save it to your desktop as CFScript.txt
click on file then save as
save it as cfscript.txt on your desktop
Refering to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
#25
Posted 05 June 2008 - 12:41 PM
here are the results...
ComboFix 08-06-03.4 - MOM 2008-06-05 14:15:16.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.361 [GMT -4:00]
Running from: C:\Documents and Settings\MOM\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MOM\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\My old Disk Structure -- 05-09-08 0901PM\Documents and Settings\Diane\ntuser.dat
C:\My old Disk Structure -- 05-09-08 0901PM\Documents and Settings\Diane\ntuser.ini
C:\My old Disk Structure -- 05-09-08 0901PM . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.
2008-06-01 09:53 . 2008-06-01 09:53 <DIR> d-------- C:\_OTMoveIt
2008-05-28 06:33 . 2008-05-28 06:34 <DIR> d-------- C:\Program Files\Panda Security
2008-05-26 21:42 . 2003-05-01 21:03 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-26 21:42 . 2008-05-26 21:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-26 08:33 . 2008-05-26 08:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 08:33 . 2008-05-26 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 06:39 . 2008-05-26 06:39 <DIR> d-------- C:\Documents and Settings\MOM\Application Data\Malwarebytes
2008-05-26 06:38 . 2008-05-26 06:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-26 06:38 . 2008-05-26 06:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-26 06:38 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-26 06:38 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 22:11 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-25 22:10 . 2008-05-25 22:10 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-14 11:07 . 2008-05-14 11:07 <DIR> d-------- C:\WINDOWS\system32\CodeBaby
2008-05-14 11:06 . 2005-07-12 02:28 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2008-05-14 11:06 . 2005-07-12 02:28 6,048 --a------ C:\WINDOWS\system32\MCC16.dll
2008-05-10 20:55 . 2008-05-10 20:55 <DIR> d-------- C:\Documents and Settings\MOM\Application Data\Uniblue
2008-05-10 20:10 . 2008-05-10 20:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-10 15:28 . 2008-05-10 15:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 15:27 . 2008-05-10 15:28 <DIR> d-------- C:\HJT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 17:56 --------- d-----w C:\Documents and Settings\MOM\Application Data\Image Zone Express
2008-06-03 16:53 1,225 ----a-w C:\Program Files\INSTALL.LOG
2008-06-01 16:36 --------- d-----w C:\Documents and Settings\DAN\Application Data\LimeWire
2008-05-27 18:24 --------- d-----w C:\Documents and Settings\MOM\Application Data\AdobeUM
2008-05-26 02:11 --------- d-----w C:\Program Files\Java
2008-05-26 02:01 --------- d-----w C:\Program Files\ewido anti-malware
2008-05-14 15:07 --------- d-----w C:\Program Files\Common Files\Motive
2008-05-05 01:34 --------- d-----w C:\Documents and Settings\MOM\Application Data\LimeWire
2008-05-03 01:45 --------- d-----w C:\Program Files\LimeWire
2008-04-19 17:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Bell
2007-05-27 20:54 46,968 ----a-w C:\Documents and Settings\MEL\Application Data\GDIPFONTCACHEV1.DAT
2006-06-28 16:29 407,080 ----a-w C:\Program Files\msgr8us.exe
2006-03-18 18:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-02-07 23:03 2,906 ----a-w C:\Program Files\setuplog.txt
2006-01-13 14:19 5,225,384 ----a-w C:\Program Files\Firefox Setup 1.5.exe
2005-10-29 04:06 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2005-10-27 15:26 516,031 ----a-w C:\Program Files\ccsetup124.exe
2005-10-27 01:40 2,314,920 ----a-w C:\Program Files\LimeWireWin.exe
2005-10-06 15:17 558,240 ----a-w C:\Program Files\GoogleToolbarInstaller.exe
2005-10-06 12:51 34,039,576 ----a-w C:\Program Files\iTunesSetup.exe
2005-09-16 15:20 2,212,192 ----a-w C:\Program Files\wbsamp.exe
2005-09-16 14:16 3,563,166 ----a-w C:\Program Files\Propackcodec203b.exe
2005-09-15 12:28 21,226,656 ----a-w C:\Program Files\freedom_5_0_10_bell_en.exe
2005-04-19 23:25 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
.
((((((((((((((((((((((((((((( snapshot@2008-06-04_12.34.49.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 10:05:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 18:20:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-06-20 19:44:04 379,704 ----a-w C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
+ 2006-11-20 15:04:18 117,088 ----a-w C:\WINDOWS\Downloaded Program Files\PURen-ca.dll
+ 2006-06-20 19:44:02 117,560 ----a-w C:\WINDOWS\Downloaded Program Files\PURen-us.dll
+ 2008-06-05 18:21:06 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_550.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Bell\Security Manager\IdxClnR.exe" [2007-08-27 17:56 61168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 01:08 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18 270648]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2002-06-10 14:21 102400]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-06-20 12:25 45056]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 11:33 2061816]
"Sympatico Security Manager"="C:\Program Files\Bell\Security Manager\Rps.exe" [2007-08-27 17:57 310000]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe" [2007-08-27 17:57 13552]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-11 14:48 180269]
"BellCanada_McciTrayApp"="C:\Program Files\BellCanada\McciTrayApp.exe" [2007-11-19 10:33 1468928]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"SoundMan"="SOUNDMAN.EXE" [2003-04-24 19:53 54784 C:\WINDOWS\SOUNDMAN.EXE]
"OemReset"="C:\WINDOWS\OPTIONS\OEMRESET.exe" [ ]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 08:41 94208]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Bell\Security Manager\IdxClnR.exe" [2007-08-27 17:56 61168]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 03:56 15360]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 11:52 218232]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
C:\Documents and Settings\DAD\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-04-18 15:21:09 147456]
C:\Documents and Settings\MOM\UserData\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-09-16 11:20:49 45056]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 01:28:44 282624]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-09-11 10:41:48 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm
"vidc.XVID"= xvid.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= divxa32.acm
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VTAgentReboot.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe
backup=C:\WINDOWS\pss\VTAgentReboot.exeCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2003-04-29 07:00 323584 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freedom]
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
--a------ 2002-11-14 22:34 266240 C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StandardInstall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ITMRTSVC"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"Motive SmartBridge"=C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"LogitechGalleryRepair"=C:\Program Files\Logitech\ImageStudio\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-11-01 11:59]
S3 LVBulk;LVBulk Service;C:\WINDOWS\system32\DRIVERS\LVBulk.sys [2002-06-10 14:21]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-10-31 17:51]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-10-31 17:51]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);C:\WINDOWS\system32\DRIVERS\LV551AV.sys [2002-06-10 14:24]
S3 Radialpoint Security Services;Sympatico Security Manager;C:\WINDOWS\system32\dllhost.exe [2004-08-04 03:56]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-23 21:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-05-27 16:10:50 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 14:21:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bell\Security Manager\Fws.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\snmp.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\Bell\Security Manager\rpsupdaterr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Bell\Security Manager\PrtlAgt.exe
.
**************************************************************************
.
Completion time: 2008-06-05 14:34:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 18:33:42
ComboFix2.txt 2008-06-04 16:35:17
Pre-Run: 64,152,797,184 bytes free
Post-Run: 63,597,694,976 bytes free
210 --- E O F --- 2008-05-27 21:23:44
thank you
Snow
Register to Remove
#26
Posted 07 June 2008 - 01:46 PM
And how are we tonight?
A few loose ends to rap up before we finish this
: Recovery Console :
we need to install the Recovery Console on this computer
this is very important it could save you later
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
the one for you is Windows XP Service Pack 2 (SP2)
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Right click on the file C:\My old Disk Structure choose properties and let me know how big the file is ( I don't think it will be very big anymore and all the bad things are gone now anyway).
let me have the log from combofix and tell me how big C:\My old Disk Structure is.
Thanks
Gringo
#27
Posted 07 June 2008 - 10:19 PM
trying to stay cool with 42C humid heat..yuck
here is the Combofix log...the CF_RC.txt didnt show up.
the Old Disk Structure's size is 0 bytes with 0 files and 23folders
ComboFix 08-06-03.4 - MOM 2008-06-07 23:57:31.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.80 [GMT -4:00]
Running from: C:\Documents and Settings\MOM\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MOM\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.
2008-06-01 09:53 . 2008-06-01 09:53 <DIR> d-------- C:\_OTMoveIt
2008-05-28 06:33 . 2008-05-28 06:34 <DIR> d-------- C:\Program Files\Panda Security
2008-05-26 21:42 . 2003-05-01 21:03 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-26 21:42 . 2008-05-26 21:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-26 08:33 . 2008-05-26 08:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 08:33 . 2008-05-26 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 06:39 . 2008-05-26 06:39 <DIR> d-------- C:\Documents and Settings\MOM\Application Data\Malwarebytes
2008-05-26 06:38 . 2008-05-26 06:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-26 06:38 . 2008-05-26 06:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-26 06:38 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-26 06:38 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 22:11 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-25 22:10 . 2008-05-25 22:10 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-14 11:07 . 2008-05-14 11:07 <DIR> d-------- C:\WINDOWS\system32\CodeBaby
2008-05-14 11:06 . 2005-07-12 02:28 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2008-05-14 11:06 . 2005-07-12 02:28 6,048 --a------ C:\WINDOWS\system32\MCC16.dll
2008-05-10 20:55 . 2008-05-10 20:55 <DIR> d-------- C:\Documents and Settings\MOM\Application Data\Uniblue
2008-05-10 20:10 . 2008-05-10 20:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-10 15:28 . 2008-05-10 15:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 15:27 . 2008-05-10 15:28 <DIR> d-------- C:\HJT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 23:46 --------- d-----w C:\Documents and Settings\MOM\Application Data\AdobeUM
2008-06-06 17:05 --------- d-----w C:\Documents and Settings\MOM\Application Data\Image Zone Express
2008-06-03 16:53 1,225 ----a-w C:\Program Files\INSTALL.LOG
2008-06-01 16:36 --------- d-----w C:\Documents and Settings\DAN\Application Data\LimeWire
2008-05-26 02:11 --------- d-----w C:\Program Files\Java
2008-05-26 02:01 --------- d-----w C:\Program Files\ewido anti-malware
2008-05-14 15:07 --------- d-----w C:\Program Files\Common Files\Motive
2008-05-05 01:34 --------- d-----w C:\Documents and Settings\MOM\Application Data\LimeWire
2008-05-03 01:45 --------- d-----w C:\Program Files\LimeWire
2008-04-19 17:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Bell
2007-05-27 20:54 46,968 ----a-w C:\Documents and Settings\MEL\Application Data\GDIPFONTCACHEV1.DAT
2006-06-28 16:29 407,080 ----a-w C:\Program Files\msgr8us.exe
2006-03-18 18:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-02-07 23:03 2,906 ----a-w C:\Program Files\setuplog.txt
2006-01-13 14:19 5,225,384 ----a-w C:\Program Files\Firefox Setup 1.5.exe
2005-10-29 04:06 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2005-10-27 15:26 516,031 ----a-w C:\Program Files\ccsetup124.exe
2005-10-27 01:40 2,314,920 ----a-w C:\Program Files\LimeWireWin.exe
2005-10-06 15:17 558,240 ----a-w C:\Program Files\GoogleToolbarInstaller.exe
2005-10-06 12:51 34,039,576 ----a-w C:\Program Files\iTunesSetup.exe
2005-09-16 15:20 2,212,192 ----a-w C:\Program Files\wbsamp.exe
2005-09-16 14:16 3,563,166 ----a-w C:\Program Files\Propackcodec203b.exe
2005-09-15 12:28 21,226,656 ----a-w C:\Program Files\freedom_5_0_10_bell_en.exe
2005-04-19 23:25 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
.
((((((((((((((((((((((((((((( snapshot@2008-06-04_12.34.49.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 10:05:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-07 14:09:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-06-20 19:44:04 379,704 ----a-w C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
+ 2006-11-20 15:04:18 117,088 ----a-w C:\WINDOWS\Downloaded Program Files\PURen-ca.dll
+ 2006-06-20 19:44:02 117,560 ----a-w C:\WINDOWS\Downloaded Program Files\PURen-us.dll
- 2008-05-20 15:38:52 8,577,024 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-06-06 18:12:56 8,671,232 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2008-05-20 15:38:53 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-06 18:12:56 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-07 14:10:24 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_518.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 01:08 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18 270648]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2002-06-10 14:21 102400]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-06-20 12:25 45056]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 11:33 2061816]
"Sympatico Security Manager"="C:\Program Files\Bell\Security Manager\Rps.exe" [2007-08-27 17:57 310000]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe" [2007-08-27 17:57 13552]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-11 14:48 180269]
"BellCanada_McciTrayApp"="C:\Program Files\BellCanada\McciTrayApp.exe" [2007-11-19 10:33 1468928]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"SoundMan"="SOUNDMAN.EXE" [2003-04-24 19:53 54784 C:\WINDOWS\SOUNDMAN.EXE]
"OemReset"="C:\WINDOWS\OPTIONS\OEMRESET.exe" [ ]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 08:41 94208]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 03:56 15360]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 11:52 218232]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
C:\Documents and Settings\DAD\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-04-18 15:21:09 147456]
C:\Documents and Settings\MOM\UserData\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-09-16 11:20:49 45056]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 01:28:44 282624]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-09-11 10:41:48 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm
"vidc.XVID"= xvid.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= divxa32.acm
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VTAgentReboot.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe
backup=C:\WINDOWS\pss\VTAgentReboot.exeCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2003-04-29 07:00 323584 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freedom]
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
--a------ 2002-11-14 22:34 266240 C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StandardInstall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ITMRTSVC"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"Motive SmartBridge"=C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"LogitechGalleryRepair"=C:\Program Files\Logitech\ImageStudio\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-11-01 11:59]
S3 LVBulk;LVBulk Service;C:\WINDOWS\system32\DRIVERS\LVBulk.sys [2002-06-10 14:21]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-10-31 17:51]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-10-31 17:51]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);C:\WINDOWS\system32\DRIVERS\LV551AV.sys [2002-06-10 14:24]
S3 Radialpoint Security Services;Sympatico Security Manager;C:\WINDOWS\system32\dllhost.exe [2004-08-04 03:56]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-06 21:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-05-27 16:10:50 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 00:03:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-06-08 0:15:14
ComboFix-quarantined-files.txt 2008-06-08 04:14:05
ComboFix2.txt 2008-06-05 18:34:28
ComboFix3.txt 2008-06-04 16:35:17
Pre-Run: 63,652,671,488 bytes free
Post-Run: 63,619,457,024 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
192 --- E O F --- 2008-05-27 21:23:44
Thankx!
Snow
#28
Posted 07 June 2008 - 11:25 PM
wow that is 107 deg to me ouchtrying to stay cool with 42C humid heat..yuck
this is good it is all empty so any scans should go quickthe Old Disk Structure's size is 0 bytes with 0 files and 23folders
This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are
:Time for some housekeeping:
- Click START then RUN
- Now type Combofix /u in the runbox and click OK
:remove tools:
- Let's clear out the programmes we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Please download OTMoveIt and save it to desktop.
- Double click OTMoveIt.exe to launch the programme.
- Click on the CleanUp! button.
- OTMoveIt will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes.
- When finished exit out of OTMoveIt
- The tool will delete itself once it finishes, if not delete it by yourself.
:Set correct settings for files:
- Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
- Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
- If unchecked please check Hide protected operating system files (Recommended)
- If necessary check "Display content of system folders"
- If necessary Uncheck Hide file extensions for known file types.
- Click OK
:clear system restore points:
- This is a good time to clear your existing system restore points and establish a new clean restore point:
- Go to Start > All Programs > Accessories > System Tools > System Restore
- Select Create a restore point, and Ok it.
- Next, go to Start > Run and type in cleanmgr
- Select the More options tab
- Choose the option to clean up system restore and OK it.
:Make your Internet Explorer more secure:please visit this page that gives instructions to do this
http://surfthenetsaf.../ieseczone8.htm
:Turn On Automatic Updates:
Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them
If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.
or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
:antispyware programs:
- you have a couple of good antispyware programs on this computer but you still can try some of these others to see if you like them also
I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
- WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
- Spybot Search & Destroy - Spybot is a tool like Ad-Aware SE whereas it seeks out and removes known spyware from your machine. These two tools (Ad-Aware & spybot) are perfect complements to each other as one will most always find something the other missed.
- Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
- IE_Spyad - Works by placing known "bad" sites into your Internet Explorer "Restricted Zones" prohibiting them from doing potentially problematic things to your computer.
Consider a custom hosts file
Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
Also please read this great article by Tony Klein So How Did I Get Infected In First Place
Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........
Malware Complaints
If you were infected .... Stand Up and be Counted.
I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.
Gringo
#29
Posted 08 June 2008 - 02:02 PM
Edited by Snow, 08 June 2008 - 02:02 PM.
#30
Posted 08 June 2008 - 03:30 PM
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users