BigD Posted February 1, 2009 ID:52431 Share Posted February 1, 2009 Hello,My home computer is infected with Spyware Protect 2009, which gives me false waring and redirects my internet browsers (both Firefox and IE) to some junk website. I have done some online research and was advised to install Malwarebytes and run some scans. However, I was unable to install MBAM, the setup was gone after the language option window. AVG anti virus wouldn't update either. I hope that my computer can be saved. Any help is appreciated.Thank you. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 1, 2009 Root Admin ID:52475 Share Posted February 1, 2009 Hi there, please run this.Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first.NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the programAdditional links to download the tool:ComboFix.exeComboFix.exeComboFix.exeNote: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
BigD Posted February 2, 2009 Author ID:52670 Share Posted February 2, 2009 Thank you for your prompt response. I had to download ComboFix to my other computer and transfer it to my infected computer as my access to the download website (and this forum) is blocked. I tried to install ComboFix and it wouldn't proceed, nothing happened after I double-clicked the icon. I am searching the BleepingComputer forum to resolve the problem and will post the log if I can get it to work. I think I am in deep trouble. Thank you. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 3, 2009 Root Admin ID:52933 Share Posted February 3, 2009 Try renaming the file, but keep the .EXE extension. Try running it from SAFE MODE if you can.If neither of those work then try to download and run this program please.RootRepeal - Rootkit DetectorPlease download the following tool: RootRepeal - Rootkit DetectorDirect download link is here: RootRepeal.rarIf you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRARExtract the program file to a new folder such as C:\RootRepealRun the program RootRepeal.exe and go to the REPORT tab and click on the Scan buttonSelect ALL of the checkboxes and then click OK and it will start scanning your system.If you have multiple drives you only need to check the C: drive or the one Windows is installed on.When done, click on Save ReportSave it to the same location where you ran it from, such as C:\RootRepealSave it as your_name_rootrepeal.txt - where your_name is your forum nameThis makes it more easy to track who the log belongs to.Then open that log and select all and copy/paste it back on your next reply please.Quit the RootRepeal program. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 3, 2009 Root Admin ID:53045 Share Posted February 3, 2009 Please post a status update on this. Link to post Share on other sites More sharing options...
BigD Posted February 4, 2009 Author ID:53253 Share Posted February 4, 2009 Hello,Sorry for the delay and thank you for your patience. I had to take my computer to school and connected to internet using their proxy setting. I was able to install the new version of antivirus. I also was able to install MalwareBytes. I perform full scans using both programs and found several infections. The fake warnings are gone and I am able to access internet. Will run ComboFix right after posting this and will post the log as soon as the scan is done.Thanks again. Link to post Share on other sites More sharing options...
BigD Posted February 4, 2009 Author ID:53290 Share Posted February 4, 2009 I run ComboFix and here is the result log. Thank you.ComboFix.txtComboFix.txt Link to post Share on other sites More sharing options...
BigD Posted February 4, 2009 Author ID:53291 Share Posted February 4, 2009 Not sure if I should attach the file. So here's the text from the log file. Thank youComboFix 09-02-02.04 - Owner 2009-02-03 20:51:12.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.126 [GMT -6:00]Running from: c:\documents and settings\Owner\Desktop\ComboFix.exeAV: Sophos Anti-Virus *On-access scanning disabled* (Updated) * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\docume~1\Owner\LOCALS~1\Temp\tmp1.tmpc:\windows\system32\TDSSosvd.datc:\windows\system32\TDSSpqxt.dat.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_TDSSSERV.SYS-------\Service_TDSSserv.sys((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 ))))))))))))))))))))))))))))))).2009-02-03 01:23 . 2009-02-03 01:23 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes2009-02-02 23:00 . 2009-02-02 23:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-02-02 23:00 . 2009-02-02 23:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-02-02 23:00 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-02-02 23:00 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-02-02 13:42 . 2009-02-02 13:39 130,104 --a------ c:\windows\system32\sdccoinstaller.dll2009-02-02 13:41 . 2009-02-02 13:41 <DIR> d-------- c:\program files\Common Files\Cisco Systems2009-02-02 13:41 . 2009-02-02 13:39 23,552 --a------ c:\windows\system32\sophosboottasks.exe2009-02-02 13:40 . 2009-02-02 13:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sophos2009-02-02 13:39 . 2009-02-02 13:39 104,704 --a------ c:\windows\system32\drivers\savonaccesscontrol.sys2009-02-02 13:39 . 2009-02-02 13:39 35,584 --a------ c:\windows\system32\drivers\savonaccessfilter.sys2009-02-02 13:39 . 2009-02-02 13:39 14,976 --a------ c:\windows\system32\drivers\SophosBootDriver.sys2009-02-01 09:22 . 2009-02-01 09:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks2009-01-31 02:05 . 2009-01-31 02:05 <DIR> d-------- c:\program files\CCleaner2009-01-31 01:24 . 2004-06-23 12:39 <DIR> d--h----- c:\documents and settings\Administrator\WLANProfiles2009-01-31 01:24 . 2004-06-23 12:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec2009-01-31 01:24 . 2004-06-23 13:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CyberLink2009-01-31 01:24 . 2009-02-02 17:05 <DIR> d-------- c:\documents and settings\Administrator2009-01-29 22:15 . 2009-02-02 16:11 <DIR> d----c--- c:\windows\system32\DRVSTORE2009-01-29 22:13 . 2009-02-02 16:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft2009-01-29 05:27 . 2009-01-29 05:27 <DIR> d-------- c:\program files\AVG2009-01-29 05:27 . 2009-02-02 17:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg82009-01-14 23:41 . 2009-01-14 23:41 118 --a------ c:\windows\system32\MRT.INI2009-01-13 18:59 . 2009-01-13 21:34 54,156 --ah----- c:\windows\QTFont.qfn2009-01-13 18:59 . 2009-01-13 18:59 1,409 --a------ c:\windows\QTFont.for.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-02-02 19:40 --------- d-----w c:\program files\Sophos2009-02-02 19:34 --------- d-----w c:\program files\Sophos SWEEP for NT2009-02-01 15:22 --------- d-----w c:\program files\TVUPlayer2009-01-31 15:20 --------- d-----w c:\program files\Amazon2009-01-05 05:40 --------- d-----w c:\program files\Google2008-12-28 12:26 --------- d-----w c:\program files\TVAnts2008-12-17 03:34 --------- d-----w c:\documents and settings\Owner\Application Data\ZoomBrowser EX2008-12-17 03:33 --------- d-----w c:\documents and settings\Owner\Application Data\CameraWindowDC2008-12-12 14:40 --------- d-----w c:\documents and settings\Owner\Application Data\CANON INC2008-12-12 03:09 --------- d-----w c:\program files\Canon2008-12-12 02:54 --------- d--h--w c:\program files\InstallShield Installation Information2008-12-12 02:51 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser2008-12-12 02:49 --------- d-----w c:\program files\Common Files\Canon2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys2005-06-06 20:49 4,962,812 ----a-w c:\program files\SophosRemoteUpdater.exe2008-08-17 00:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081620080817\index.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-22 68856][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-20 98304]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 499712]"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-10-21 25214]Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-02-02 245760][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]2003-12-16 17:49 110592 c:\windows\system32\LgNotify.dll[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]@="service"[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnkbackup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnkbackup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterCheck Monitor.LNK]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterCheck Monitor.LNKbackup=c:\windows\pss\InterCheck Monitor.LNKCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UT Southwestern Medical Center VPN Client.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UT Southwestern Medical Center VPN Client.lnkbackup=c:\windows\pss\UT Southwestern Medical Center VPN Client.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^WkCalRem.LNK]path=c:\documents and settings\Owner\Start Menu\Programs\Startup\WkCalRem.LNKbackup=c:\windows\pss\WkCalRem.LNKStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]--a------ 2005-04-04 17:58 856064 c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]--a------ 2005-02-17 00:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]--a------ 2008-09-19 16:34 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]--a------ 2003-06-18 13:00 200704 c:\program files\Microsoft Money\System\mnyexpr.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]--a------ 2007-09-04 15:40 6856704 c:\program files\MSN Messenger\msnmsgr.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]--a------ 2001-07-09 04:50 155648 c:\windows\system32\NeroCheck.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]--a------ 2003-12-10 03:36 86016 c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]--a------ 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]--a------ 2003-10-31 20:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]--a------ 2008-11-03 22:49 136600 c:\program files\Java\jre6\bin\jusched.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]--a------ 2008-10-22 14:05 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]--a------ 2008-09-19 16:34 4347120 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"Viewpoint Manager Service"=2 (0x2)[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusOverride"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="c:\\Program Files\\Real\\RealPlayer\\realplay.exe"="c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="c:\\Program Files\\SopCast\\adv\\SopAdver.exe"="c:\\Program Files\\SopCast\\SopCast.exe"="c:\\Program Files\\MSN Messenger\\msnmsgr.exe"="c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-02-02 104704]R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-02-02 35584]R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2009-02-02 69632]R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2009-02-02 98304]S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-02-02 14976]S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f54d1f0-55fc-11d9-9220-0003251879fa}]\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe\Shell\Explore\command - E:\system.exe\Shell\Open\command - E:\system.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9367b00-797e-11db-95b2-0003251879fa}]\Shell\AutoRun\command - E:\LaunchU3.exe.Contents of the 'Scheduled Tasks' folder2009-02-03 c:\windows\Tasks\3AM Scan.job- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-02-02 13:39]2009-02-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []2009-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13].- - - - ORPHANS REMOVED - - - -MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exeMSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exeMSConfigStartUp-Eragocohu - c:\windows\Msaveziv.dllMSConfigStartUp-Exoviloxegi - c:\windows\ehimecusuramujo.dllMSConfigStartUp-iPrint Event Monitor - c:\windows\system32\iprntlgn.exeMSConfigStartUp-iPrint Tray - c:\windows\system32\iprntctl.exeMSConfigStartUp-MMTray - c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exeMSConfigStartUp-svschost - c:\windows\system32\svschost.exeMSConfigStartUp-sysguard - c:\windows\sysguard.exe.------- Supplementary Scan -------.uStart Page = hxxp://www.yahoo.com/mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.htmluInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/uInternet Settings,ProxyServer = proxy.swmed.edu:3128uInternet Settings,ProxyOverride = *.utsouthwestern.edu;*.swmed.edu;*.swmed.org;;;<local>uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.comIE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htmIE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htmIE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htmIE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htmFF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oh7uxp9t.default\FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oh7uxp9t.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dllFF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-03 20:59:54Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Sophos Message Router]"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(768)c:\windows\System32\LgNotify.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\ZCfgSvc.exec:\windows\system32\S24EvMon.exec:\windows\system32\1XConfig.exec:\program files\UTSW VPN\UTSW VPN Client\cvpnd.exec:\program files\Java\jre6\bin\jqs.exec:\windows\system32\HPZipm12.exec:\windows\system32\RegSrvc.exec:\windows\system32\snmp.exec:\program files\Sophos\Remote Management System\ManagementAgentNT.exec:\program files\Sophos\AutoUpdate\ALsvc.exec:\program files\Sophos\Remote Management System\RouterNT.exec:\windows\system32\wdfmgr.exec:\program files\Canon\CAL\CALMAIN.exe.**************************************************************************.Completion time: 2009-02-03 21:05:01 - machine was rebootedComboFix-quarantined-files.txt 2009-02-04 03:04:56Pre-Run: 21,648,896,000 bytes freePost-Run: 22,251,577,344 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn255 --- E O F --- 2009-01-15 05:44:11 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 4, 2009 Root Admin ID:53400 Share Posted February 4, 2009 STEP 1The logs show that you have Sophos Anti-Virus as well as AVG8 on the system.You need to choose one or the other and FULLY remove the other one. Anti-Virus products conflict with each other.You need to update or remove your Adobe Acrobat but you can do that when we're done.Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and AcrobatSTEP 2Please download Avenger 2.0 from hereOpen and copy the program file avenger.exe to your Desktop then double click to start it.Copy and paste the following text from the code box below into the main window of Avenger.Files to delete:c:\windows\system32\sdccoinstaller.dllc:\windows\QTFont.qfnc:\windows\QTFont.forRegistry keys to delete:HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f54d1f0-55fc-11d9-9220-0003251879fa}Do not check any other boxes, uncheck Scan for Rootkits if it's checkedClose all other running applicationsAfter pasting the text into the main window, click on ExecuteOnce Avenger is done run MBAM, go to the UDPATE tab and update the program again and do a Quick Scan.Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.STEP 3Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please. Link to post Share on other sites More sharing options...
BigD Posted February 4, 2009 Author ID:53457 Share Posted February 4, 2009 Here is the Avenger log:////////////////////////////////////////// Avenger Pre-Processor log//////////////////////////////////////////Platform: Windows XP (build 2600, Service Pack 3)Wed Feb 04 10:35:25 200910:35:14: Error: Invalid registry syntax in command:"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f54d1f0-55fc-11d9-9220-0003251879fa}"Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.Skipping line. (Registry key deletion mode) //////////////////////////////////////////Logfile of The Avenger Version 2.0, © by Swandog46http://swandog46.geekstogo.comPlatform: Windows XP*******************Script file opened successfully.Script file read successfully.Backups directory opened successfully at C:\Avenger*******************Beginning to process script file:File "c:\windows\system32\sdccoinstaller.dll" deleted successfully.File "c:\windows\QTFont.qfn" deleted successfully.File "c:\windows\QTFont.for" deleted successfully.Completed script processing.*******************Finished! Terminate. Link to post Share on other sites More sharing options...
BigD Posted February 4, 2009 Author ID:53459 Share Posted February 4, 2009 Here is the MBAM log:Malwarebytes' Anti-Malware 1.33Database version: 1725Windows 5.1.2600 Service Pack 32/4/2009 10:52:30 AMmbam-log-2009-02-04 (10-52-30).txtScan type: Quick ScanObjects scanned: 59225Time elapsed: 9 minute(s), 22 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
BigD Posted February 4, 2009 Author ID:53462 Share Posted February 4, 2009 And, here is the HJT log. Thanks a bunch once again:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:01:14 AM, on 2/4/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ZCfgSvc.exeC:\WINDOWS\system32\S24EvMon.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\1XConfig.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\System32\hkcmd.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\UTSW VPN\UTSW VPN Client\cvpnd.exeC:\Program Files\Sophos\AutoUpdate\ALMon.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\RegSrvc.exeC:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exeC:\WINDOWS\System32\snmp.exeC:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exeC:\Program Files\Sophos\AutoUpdate\ALsvc.exeC:\Program Files\Sophos\Remote Management System\RouterNT.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Canon\CAL\CALMAIN.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.swmed.edu:3128R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.utsouthwestern.edu;*.swmed.edu;*.swmed.org;;;<local>R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dllO2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dllO2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exeO8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htmO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htmO8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htmO8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htmO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO12 - Plugin for .cdx: C:\Program Files\Internet Explorer\plugins\Npcdp32.dllO14 - IERESET.INF: START_PAGE_URL=http://www.gateway.comO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125339234887O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk...ows-i586-jc.cabO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exeO23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UTSW VPN\UTSW VPN Client\cvpnd.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exeO23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exeO23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exeO23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exeO23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exeO23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe--End of file - 10933 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 5, 2009 Root Admin ID:53577 Share Posted February 5, 2009 Please click on START - RUN and copy/paste the line from the CODE Box into the Run command and hit OK.This will briefly blink a Window for a split second and that's it, it's done.REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1f54d1f0-55fc-11d9-9220-0003251879fa} /FHow is the computer running now?Are there still any signs of an infection? Link to post Share on other sites More sharing options...
BigD Posted February 5, 2009 Author ID:53620 Share Posted February 5, 2009 Performed the Start-Run task as suggested. The computer is running a lot better. I can access internet and can update antivirus/malware softwares. The Sophos' On-access scanning still gives me infection reports once in a while, not sure if the antivirus is preventing these malwares from running or they're already in the system. MBAM showed no infections most of the time, though. It looks like I have my computer back. Thanks Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 5, 2009 Root Admin ID:53681 Share Posted February 5, 2009 Please do the following.Please run the following to remove any tools that might have been used during the scaning and cleaning of your system.STEP 1Uninstall ComboFix.exeClick START then RUNNow type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.When shown the disclaimer, Select "2"Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exeSTEP 2Uninstall GMERClick on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.STEP 3Uninstall other toolsPlease Download OTMoveIt3 by Old Timer and save it to your Desktop.Double-click OTMoveIt3.exe to run it.While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.It should ask if you want to clean up, select Yes and allow the system to clean up these items.NOW please reboot your computer to finish the cleanup processSTEP 4Disable and Enable System Restore-WINDOWS XPThis is a good time to clear your existing system restore points and establish a new clean restore point:Turn off System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.Check Turn off System Restore.Click Apply, and then click OK. Reboot.Turn ON System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.UN-Check *Turn off System Restore*.Click Apply, and then click OK.This will remove all restore points except the new one you just created.STEP 5Please empty/delete your Sophos quarantine files.STEP 6Empty the MBAM quarantine folder on the quarantine tab of the program.STEP 7Update Sophos to the latest definitions and do a FULL SCAN of your systemSTEP 8Let me know if Sophos finds anything else or not please. Link to post Share on other sites More sharing options...
BigD Posted February 6, 2009 Author ID:54086 Share Posted February 6, 2009 Followed your instructions and run Sophos scan. It found no infections. Uninstalling gmer failed, although I don't remember installing it. Thanks so much once again for your great help. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 6, 2009 Root Admin ID:54192 Share Posted February 6, 2009 Great, all looks good now.I'll close your post soon so that other don't post into it and leave you with this information and suggestions.So how did I get infected in the first place?At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:Disable and Enable System Restore-WINDOWS XPThis is a good time to clear your existing system restore points and establish a new clean restore point:Turn off System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.Check Turn off System Restore.Click Apply, and then click OK. Reboot.Turn ON System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.UN-Check *Turn off System Restore*.Click Apply, and then click OK.This will remove all restore points except the new one you just created.Here are some free programs I recommend that could help you improve your computer's security.Install SpyWare BlasterDownload it from hereFind here the tutorial on how to use Spyware Blaster here Install WinPatrolDownload it from hereHere you can find information about how WinPatrol works hereInstall FireTrust SiteHoundYou can find information and download it from hereInstall hpHosts Download it from herehpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.hpHosts Support ForumUpdate your Antivirus programs and other security products regularly to avoid new threats that could infect your system.You can use one of these sites to check if any updates are needed for your pc.Secunia Software InspectorF-secure Health CheckVisit Microsoft often to get the latest updates for your computer.http://www.update.microsoft.comNote 1: If you are running Windows XP SP2, you should upgrade to SP3.Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.The security suite can then be reinstalled afterwards.The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. I recommend Online Armor FreeA little outdated but good reading on how to prevent MalwareKeep safe online and happy surfing.Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post InstructionsAlso don't forget that we offer FREE assistance with General PC questions and repair here PC Help If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org Link to post Share on other sites More sharing options...
Recommended Posts