
Possible Rogue Antivirus/Other Infections



I've recently discovered that my computer had several trojans, and a Rogue Antivirus as well. I've removed everything that's been found, but I'd like some reassurance before I return to using the computer normally as we do things like online banking on it, and I definitely do not want the security of my computer compromised whilst doing that.

Here are the logs - and thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:18:27 PM, on 2/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18372)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\dlcccoms.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN

C:\Program Files\Styler\Styler.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\mIRC\mIRC.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe"

O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\WINDOWS\system32\LVCOMSX.EXE"

O4 - HKLM\..\Run: [KernelFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -k

O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [userFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u

O4 - HKLM\..\Run: [DLCCCATS] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [sUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Startup: Styler.lnk = ?

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab

O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.185.184.229/ActiveView.cab

O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://kwikwash.dipmap.com/cab/OCXChecker_8120.cab

O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://kwikwash.dipmap.com/cab/DownloadFile_8110.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--

End of file - 9891 bytes

Malwarebytes' Anti-Malware 1.33

Database version: 1736

Windows 5.1.2600 Service Pack 2

2/7/2009 1:23:25 PM

mbam-log-2009-02-07 (13-23-25).txt

Scan type: Full Scan (C:\|)

Objects scanned: 157060

Time elapsed: 1 hour(s), 3 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Current logs look okay.

I would try an online scan with something like Kaspersky and see if it still finds anything or not.

Please run an online scan with Kaspersky

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:

[animation: KAS.gif]

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs

Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Let me start off by thanking you for your help, AdvancedSetup.

I followed your instructions; here are the contents of the Kaspersky Scan Log:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Saturday, February 7, 2009

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Saturday, February 07, 2009 23:01:24

Records in database: 1766336

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

Scan statistics:

Files scanned: 87684

Threat name: 1

Infected objects: 1

Suspicious objects: 0

Duration of the scan: 01:33:06

File name / Threat name / Threats count

C:\Documents and Settings\louay\Local Settings\Application Data\Mozilla\Firefox\Profiles\b6ytas10.default\Cache(6)\29C4C791d01 Infected: not-a-virus:RiskTool.Win32.CloseApp.a 1

The selected area was scanned.

--------------------------------------

Now, I was speaking to a friend, and he told me that there is a possibility that the malware had left a backdoor of sorts on my computer, and the only way to check this is with a port scan. Realistically, should I be worried about a 'backdoor' having been left on my computer?


  • Root Admin

Well, there is always a potential, but neither MBAM nor Kaspersky, nor I assume your current Anti-Virus, show it.

You can run the following though to check.

FIRST - Shut down ALL applications such as Web browsers, chat programs, mail, etc. Anything that might talk or connect to the Internet.

Then click on START - RUN and type in CMD and press the ENTER key.

This will put you in a DOS console window where you can then type the following commands and then press the ENTER key after each line to see the results.

nbtstat -R
ipconfig /flushdns
arp -d
netstat -vb

Then post back what it says. You can highlight, mark and copy the results by clicking the top left of the command window for options, then paste them into a new NOTEPAD document.

It is normal to have some entries. It depends on what is connecting and why.

That is why a firewall with both inbound and outbound control adds another level of security to your system. XP with SP3 has inbound but not outbound control. Vista has both inbound and outbound on its firewall.

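The netstat -vb check described in the post above, as an added example that is not part of the thread and not code from any of the tools it names: a Python script that parses the table netstat -vb prints on Windows XP, attributes each socket to the process that owns it, and leaves only live connections to remote hosts for review. The sample text in the script is constructed in the layout of the output posted in this thread (including entries the console wrapped at 80 columns); the host names, addresses, PIDs and the process name sample-agent.exe are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# TCP states netstat prints; a 4th token outside this set means the console wrapped the entry mid-token.
TCP_STATES = {"ESTABLISHED", "LISTENING", "CLOSE_WAIT", "TIME_WAIT", "FIN_WAIT_1",
              "FIN_WAIT_2", "SYN_SENT", "SYN_RECEIVED", "LAST_ACK", "CLOSING", "CLOSED"}

# Constructed sample in the layout of `netstat -vb` on Windows XP: a PID wrapped onto its own
# line, a foreign address wrapped mid-token, module lists and the owning "[name.exe]" line.
SAMPLE = r"""  Proto  Local Address          Foreign Address        State           PID
  TCP    host:1036              localhost:27015        ESTABLISHED     2788
  C:\WINDOWS\system32\mswsock.dll
  [iTunesHelper.exe]
  TCP    host:4028              updates.example.net:http CLOSE_WAIT
  1440
  C:\WINDOWS\system32\WININET.dll
  [jusched.exe]
  TCP    host:4852              198.51.100.7:https     ESTABLISHED     2992
  -- unknown component(s) --
  [sample-agent.exe]
  TCP    host:4800              cdn-node.example.org:htt
p TIME_WAIT 0
  UDP    host:123               *:*                                    1052
  [svchost.exe]
"""


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str                      # empty for UDP, which has no state
    pid: Optional[int] = None
    process: Optional[str] = None   # from the "[name.exe]" line netstat -b prints
    components: List[str] = field(default_factory=list)


def _parse_entry(tokens: List[str]) -> Optional[Conn]:
    """One `TCP ...`/`UDP ...` line -> Conn, or None if the line is incomplete."""
    if tokens[0] == "TCP":
        if len(tokens) < 4 or tokens[3] not in TCP_STATES:
            return None
        pid = int(tokens[4]) if len(tokens) > 4 and tokens[4].isdigit() else None
        return Conn("TCP", tokens[1], tokens[2], tokens[3], pid)
    if tokens[0] == "UDP" and len(tokens) >= 3:
        pid = int(tokens[3]) if len(tokens) > 3 and tokens[3].isdigit() else None
        return Conn("UDP", tokens[1], tokens[2], "", pid)
    return None


def parse_netstat(text: str) -> List[Conn]:
    """Parse the whole table, re-joining lines the console wrapped."""
    conns: List[Conn] = []
    current = pending = None        # pending: start of an entry wrapped mid-token
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if pending is not None:     # continuation is glued on with no space
            current, pending = _parse_entry((pending + line).split()), None
            if current is not None:
                conns.append(current)
                continue
        tokens = line.split()
        if tokens[0] in ("TCP", "UDP"):
            current = _parse_entry(tokens)
            if current is None:
                pending = line
            else:
                conns.append(current)
        elif current is None:
            continue                # column headers before the first entry
        elif current.pid is None and line.isdigit():
            current.pid = int(line)  # PID pushed onto its own line by wrapping
        elif line.startswith("[") and line.endswith("]"):
            current.process = line[1:-1]
        else:
            current.components.append(line)   # DLLs, or "-- unknown component(s) --"
    return conns


def is_local(conn: Conn) -> bool:
    """True for loopback peers and the '*:*' placeholder UDP entries show."""
    host = conn.remote.rsplit(":", 1)[0]
    return host in ("localhost", "*", "0.0.0.0", "[::1]") or host.startswith("127.")


def remote_by_process(conns: List[Conn]) -> Dict[str, List[Tuple[str, str]]]:
    """Live connections to remote hosts grouped by owning process. Loopback traffic and
    ownerless TIME_WAIT sockets (PID 0) are normal and dropped, so the rest is reviewable."""
    grouped: Dict[str, List[Tuple[str, str]]] = {}
    for c in conns:
        if is_local(c) or c.state == "TIME_WAIT" or c.pid == 0:
            continue
        owner = c.process or f"<unattributed pid {c.pid}>"
        grouped.setdefault(owner, []).append((c.remote, c.state))
    return grouped


if __name__ == "__main__":          # usage: python netstat_triage.py [saved netstat -vb output]
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for owner, peers in sorted(remote_by_process(parse_netstat(text)).items()):
        print(owner, *[f"\n    {r:<40} {s}" for r, s in peers])
```

Run it with no argument to see the constructed sample reduced to two lines (jusched.exe and sample-agent.exe), or with the path of a text file saved from the command window. The loopback pairs (iTunesHelper talking to AppleMobileDeviceService, Java Quick Starter on port 5152) and the PID-0 TIME_WAIT leftovers from a browser session are exactly the entries the post calls normal; what the script leaves is the short list of process-to-remote-host pairs that is worth matching against the HijackThis process list by name and PID.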

I followed your instructions. Here are the results:

Microsoft Windows XP [Version 5.1.2600]

© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\louay>nbtstat -R

Successful purge and preload of the NBT Remote Cache Name Table.

C:\Documents and Settings\louay>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\louay>arp -d

C:\Documents and Settings\louay>netstat -vb

Active Connections

Proto Local Address Foreign Address State PID

TCP lg-eb5fa1895118:1036 localhost:27015 ESTABLISHED 2788

C:\WINDOWS\system32\mswsock.dll

C:\WINDOWS\system32\WS2_32.dll

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\iTunesMobileDevi

ce.dll

C:\WINDOWS\system32\ADVAPI32.dll

C:\WINDOWS\system32\kernel32.dll

[iTunesHelper.exe]

TCP lg-eb5fa1895118:27015 localhost:1036 ESTABLISHED 2032

C:\WINDOWS\system32\WS2_32.dll

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDevic

eService.exe

C:\WINDOWS\system32\ADVAPI32.dll

C:\WINDOWS\system32\kernel32.dll

[AppleMobileDeviceService.exe]

TCP lg-eb5fa1895118:4788 localhost:5152 FIN_WAIT_2 2992

-- unknown component(s) --

[system]

TCP lg-eb5fa1895118:4028 ip98-174-28-18.at.at.cox.net:http CLOSE_WAIT

1440

C:\WINDOWS\system32\ws2_32.dll

C:\WINDOWS\system32\WININET.dll

[jusched.exe]

TCP lg-eb5fa1895118:4666 64.78.182.201.webroot.com:http CLOSE_WAIT

1116

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\WININET.dll

[WRConsumerService.exe]

TCP lg-eb5fa1895118:4667 72.5.172.203:http CLOSE_WAIT 1116

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\WININET.dll

[WRConsumerService.exe]

TCP lg-eb5fa1895118:4668 64.78.182.201.webroot.com:http CLOSE_WAIT

1116

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\WININET.dll

[WRConsumerService.exe]

TCP lg-eb5fa1895118:4669 72.5.172.203:http CLOSE_WAIT 1116

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\WININET.dll

[WRConsumerService.exe]

TCP lg-eb5fa1895118:4670 72.5.172.203:http CLOSE_WAIT 1116

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\WININET.dll

[WRConsumerService.exe]

TCP lg-eb5fa1895118:5152 localhost:4788 CLOSE_WAIT 676

C:\WINDOWS\system32\WS2_32.dll

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Java\jre6\bin\MSVCR71.dll

C:\WINDOWS\system32\kernel32.dll

[jqs.exe]

TCP lg-eb5fa1895118:4791 207.68.183.40:http TIME_WAIT 0

TCP lg-eb5fa1895118:4792 65.55.149.122:http TIME_WAIT 0

TCP lg-eb5fa1895118:4794 65.55.15.124:http TIME_WAIT 0

TCP lg-eb5fa1895118:4795 65.55.15.244:http TIME_WAIT 0

TCP lg-eb5fa1895118:4796 iw-in-f99.google.com:http TIME_WAIT 0

TCP lg-eb5fa1895118:4798 iw-in-f99.google.com:http TIME_WAIT 0

TCP lg-eb5fa1895118:4799 match.com:http TIME_WAIT 0

TCP lg-eb5fa1895118:4800 a72-246-89-111.deploy.akamaitechnologies.com:htt

p TIME_WAIT 0

TCP lg-eb5fa1895118:4801 208.83.240.16:http TIME_WAIT 0

TCP lg-eb5fa1895118:4802 ip98-174-28-66.at.at.cox.net:http TIME_WAIT

0

TCP lg-eb5fa1895118:4803 a72-246-89-111.deploy.akamaitechnologies.com:htt

p TIME_WAIT 0

TCP lg-eb5fa1895118:4805 surfcanyon.peakwebhosting.com:http TIME_WAIT

0

TCP lg-eb5fa1895118:4806 a-70-183-191-88.deploy.akamaitechnologies.com:ht

tp TIME_WAIT 0

TCP lg-eb5fa1895118:4807 iw-in-f99.google.com:http TIME_WAIT 0

TCP lg-eb5fa1895118:4809 www.dslreports.com:http TIME_WAIT 0

TCP lg-eb5fa1895118:4811 c18-rb-gtm1-tron-xw-lb.cnet.com:http TIME_WAIT

0

TCP lg-eb5fa1895118:4812 pcpitstop.com:http TIME_WAIT 0

TCP lg-eb5fa1895118:4814 205.227.136.88:http TIME_WAIT 0

TCP lg-eb5fa1895118:4815 205.227.136.90:http TIME_WAIT 0

TCP lg-eb5fa1895118:4816 c18-rb-gtm2-tron-xw-lb.cnet.com:http TIME_WAIT

0

TCP lg-eb5fa1895118:4817 mail.webproworld.com:http TIME_WAIT 0

TCP lg-eb5fa1895118:4819 205.227.136.88:http TIME_WAIT 0

TCP lg-eb5fa1895118:4820 surfcanyon.peakwebhosting.com:http TIME_WAIT

0

TCP lg-eb5fa1895118:4825 alpha.malwarebytes.org:http TIME_WAIT 0

TCP lg-eb5fa1895118:4834 iw-in-f127.google.com:http TIME_WAIT 0

TCP lg-eb5fa1895118:4835 204.160.104.126:http TIME_WAIT 0

TCP lg-eb5fa1895118:4837 saturn.mycity.co.yu:http TIME_WAIT 0

TCP lg-eb5fa1895118:4842 iw-in-f127.google.com:http TIME_WAIT 0

TCP lg-eb5fa1895118:4844 207.46.216.54:http TIME_WAIT 0

TCP lg-eb5fa1895118:4845 wwwbaytest2.microsoft.com:http TIME_WAIT

0

TCP lg-eb5fa1895118:4846 zone.msn.com:http TIME_WAIT 0

TCP lg-eb5fa1895118:4847 kasperskycom9.kaspersky-labs.com:http TIME_WAIT

0

TCP lg-eb5fa1895118:4848 secure.logmein.com:https TIME_WAIT 0

TCP lg-eb5fa1895118:4849 a72-246-47-190.deploy.akamaitechnologies.com:htt

p TIME_WAIT 0

TCP lg-eb5fa1895118:4852 69.25.20.48:https TIME_WAIT 0

TCP lg-eb5fa1895118:4854 207.68.183.40:http TIME_WAIT 0

TCP lg-eb5fa1895118:4855 199.7.71.72:http TIME_WAIT 0

TCP lg-eb5fa1895118:4856 OCSP.NYC3.verisign.com:http TIME_WAIT 0

TCP lg-eb5fa1895118:4857 199.7.71.72:http TIME_WAIT 0

TCP lg-eb5fa1895118:4858 fe.feeds.del.vip.ac4.yahoo.net:http TIME_WAIT

0

TCP lg-eb5fa1895118:4859 fe.feeds.del.vip.ac4.yahoo.net:http TIME_WAIT

0

TCP lg-eb5fa1895118:4749 localhost:5152 TIME_WAIT 0

C:\Documents and Settings\louay>ipconfig /flushdarp a

Error: unrecongnized or incomplete command line.

USAGE:

ipconfig [/? | /all | /renew [adapter] | /release [adapter] |

/flushdns | /displaydns | /registerdns |

/showclassid adapter |

/setclassid adapter [classid] ]

where

adapter Connection name

(wildcard characters * and ? allowed, see examples)

Options:

/? Display this help message

/all Display full configuration information.

/release Release the IP address for the specified adapter.

/renew Renew the IP address for the specified adapter.

/flushdns Purges the DNS Resolver cache.

/registerdns Refreshes all DHCP leases and re-registers DNS names

/displaydns Display the contents of the DNS Resolver Cache.

/showclassid Displays all the dhcp class IDs allowed for adapter.

/setclassid Modifies the dhcp class id.

The default is to display only the IP address, subnet mask and

default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address

leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid, if no ClassId is specified, then the ClassId is removed.

Examples:

> ipconfig ... Show information.

> ipconfig /all ... Show detailed information

> ipconfig /renew ... renew all adapters

> ipconfig /renew EL* ... renew any connection that has its

name starting with EL

> ipconfig /release *Con* ... release all matching connections,

eg. "Local Area Connection 1" or

"Local Area Connection 2"

C:\Documents and Settings\louay>

C:\Documents and Settings\louay>arp -d

C:\Documents and Settings\louay>

C:\Documents and Settings\louay>


  • Root Admin

That looks fine, I did not notice any bad sites listed.

Please download this, then disconnect from the Internet and disable your current Anti-Virus and run it.

If this one also comes back clean then I think you're all set and good to go.

Download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
    [image: check.gif]
    If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    [image: move.gif]
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Dr. Web Log:

LSPatch.exe\data005;C:\Documents and Settings\louay\Local Settings\Application Data\Mozilla\Firefox\Profiles\b6ytas10.default\Cache(6)\29C4C791d01/;Tool.CloseApp;;

VistaVG Ultimate with Searchbar\LSPatch.exe;C:\Documents and Settings\louay\Local Settings\Application Data\Mozilla\Firefox\Profiles\b6ytas10.default\Cache(6)\29C4C791d01/;Archive contains infected objects;;

29C4C791d01;C:\Documents and Settings\louay\Local Settings\Application Data\Mozilla\Firefox\Profiles\b6ytas10.default\Cache(6);Archive contains infected objects;Moved.;

----------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:21:17 PM, on 2/8/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18372)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\dlcccoms.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\Styler\Styler.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe"

O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\WINDOWS\system32\LVCOMSX.EXE"

O4 - HKLM\..\Run: [KernelFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -k

O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [userFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [sUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Startup: Styler.lnk = ?

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab

O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.185.184.229/ActiveView.cab

O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://kwikwash.dipmap.com/cab/OCXChecker_8120.cab

O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://kwikwash.dipmap.com/cab/DownloadFile_8110.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--

End of file - 9649 bytes


  • Root Admin

Okay, looks like Dr Web did find a few items. Let's run this tool and take a bit deeper look.

I might not be able to review it for a while depending on my work load. If I've not replied within 24 hours please post again or send me a PM.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


I'm not sure that what Dr. Web found was Malware, as it found the theme I have for my computer, and I've been using it safely for quite a while.

As requested, here are the new logs:

ComboFix 09-02-10.01 - louay 2009-02-10 15:33:01.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.337 [GMT -7:00]

Running from: c:\documents and settings\louay\Desktop\ComboFix.exe

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)

FW: Webroot Internet Security Essentials *disabled*

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))

.

2009-02-08 15:27 . 2009-02-08 15:27 <DIR> d-------- c:\documents and settings\louay\DoctorWeb

2009-02-07 15:04 . 2009-02-07 15:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier

2009-02-07 15:04 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll

2009-02-07 15:04 . 2009-02-07 15:06 4,212 ---h----- c:\windows\system32\zllictbl.dat

2009-02-07 15:02 . 2009-02-07 15:18 <DIR> d-------- c:\windows\Internet Logs

2009-02-05 15:37 . 2009-02-05 15:37 <DIR> d-------- c:\program files\TechSmith

2009-02-05 15:26 . 2009-02-05 15:26 <DIR> d-------- c:\program files\MSBuild

2009-02-05 15:23 . 2009-02-06 22:24 <DIR> d-------- c:\windows\system32\XPSViewer

2009-02-05 15:22 . 2009-02-05 15:22 <DIR> d-------- c:\program files\Reference Assemblies

2009-02-03 15:40 . 2009-02-03 15:40 8,294,454 --a------ c:\windows\startup.bmp

2009-02-03 15:40 . 2006-08-09 20:58 218,624 --a------ c:\windows\system32\uxtheme.backup

2009-02-03 15:31 . 2009-02-06 22:26 <DIR> d-------- c:\windows\VistaMizer

2009-01-31 11:11 . 2009-01-31 11:11 <DIR> d-------- c:\program files\Common Files\Stardock

2009-01-29 18:19 . 2009-01-29 18:19 <DIR> d-------- c:\program files\Puzzle 1500

2009-01-29 18:19 . 2009-01-29 18:19 <DIR> d-------- c:\program files\Managed DirectX (0900)

2009-01-26 16:05 . 2009-01-26 16:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Last.fm

2009-01-26 16:04 . 2009-01-26 16:04 <DIR> d-------- c:\program files\Last.fm

2009-01-26 15:49 . 2009-01-26 15:49 <DIR> d--hs---- c:\documents and settings\louay\IECompatCache

2009-01-26 15:46 . 2009-01-26 15:46 <DIR> d--hs---- c:\documents and settings\louay\IETldCache

2009-01-26 15:38 . 2009-01-26 15:39 <DIR> d--h-c--- c:\windows\ie8

2009-01-26 15:36 . 2009-01-10 22:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll

2009-01-24 11:57 . 2009-01-24 11:57 <DIR> d-------- c:\program files\FormatFactory

2009-01-17 09:18 . 2009-01-17 09:18 <DIR> d-------- C:\Documents

2009-01-15 15:41 . 2009-01-15 15:45 <DIR> d-------- c:\documents and settings\louay\Application Data\BitZipper

2009-01-15 02:22 . 2009-01-15 02:22 49,152 --------- c:\windows\system32\msrating.dll.mui

2009-01-15 02:21 . 2009-01-15 02:21 2,560 --------- c:\windows\system32\mshta.exe.mui

2009-01-15 02:19 . 2009-01-15 02:19 81,920 --------- c:\windows\system32\iedkcs32.dll.mui

2009-01-15 02:19 . 2009-01-15 02:19 4,096 --------- c:\windows\system32\ie4uinit.exe.mui

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-10 22:29 --------- d-----w c:\documents and settings\louay\Application Data\mIRC

2009-02-10 21:32 --------- d-----w c:\program files\mIRC

2009-02-10 00:25 --------- d-----w c:\program files\Dl_cats

2009-02-07 21:55 --------- d-----w c:\program files\OpenOffice.org 2.4

2009-02-07 20:35 --------- d-----w c:\program files\SUPERAntiSpyware

2009-02-07 20:35 --------- d-----w c:\documents and settings\louay\Application Data\OpenOffice.org2

2009-02-07 19:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-07 19:02 --------- d-----w c:\program files\Trend Micro

2009-02-07 14:45 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore

2009-02-05 22:16 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-31 18:52 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-01-31 18:11 --------- d-----w c:\program files\Stardock

2009-01-26 23:05 --------- d-----w c:\program files\iTunes

2009-01-25 23:25 31,760 ----a-w c:\documents and settings\louay\Application Data\GDIPFONTCACHEV1.DAT

2009-01-24 18:45 --------- d-----w c:\program files\Paint.NET

2009-01-23 21:33 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot

2009-01-23 21:32 --------- d-----w c:\program files\Webroot

2009-01-20 16:07 1,553,272 ----a-w c:\windows\WRSetup.dll

2009-01-15 09:05 911,872 ----a-w c:\windows\system32\wininet.dll

2009-01-15 09:05 43,008 ----a-w c:\windows\system32\licmgr10.dll

2009-01-15 09:04 18,944 ----a-w c:\windows\system32\corpol.dll

2009-01-15 09:03 72,704 ----a-w c:\windows\system32\admparse.dll

2009-01-15 09:03 71,680 ----a-w c:\windows\system32\iesetup.dll

2009-01-15 09:03 420,352 ----a-w c:\windows\system32\vbscript.dll

2009-01-15 09:01 34,304 ----a-w c:\windows\system32\imgutil.dll

2009-01-15 09:00 48,128 ----a-w c:\windows\system32\mshtmler.dll

2009-01-15 09:00 45,568 ----a-w c:\windows\system32\mshta.exe

2009-01-15 08:50 156,160 ----a-w c:\windows\system32\msls31.dll

2009-01-14 23:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 23:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-13 00:05 --------- d-----w c:\documents and settings\louay\Application Data\Notepad++

2009-01-10 23:40 --------- d-----w c:\program files\CCleaner

2009-01-08 00:26 --------- d-----w c:\program files\Styler

2009-01-08 00:25 --------- d-----w c:\documents and settings\louay\Application Data\Styler

2009-01-03 18:25 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-01 01:22 --------- d-----w c:\program files\Bonjour

2008-12-30 01:00 --------- d-----w c:\program files\MSN Messenger

2008-12-30 00:56 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller

2008-12-30 00:55 --------- d-----w c:\program files\Windows Live

2008-12-30 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller

2008-12-30 00:41 --------- d-----w c:\program files\Messenger Plus! Live

2008-12-30 00:41 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!

2008-12-22 16:33 --------- d-----w c:\program files\QuickTime

2008-12-22 16:21 --------- d-----w c:\program files\Windows Installer Clean Up

2008-12-22 16:21 --------- d-----w c:\program files\MSECACHE

2008-12-22 14:22 --------- d-----w c:\documents and settings\LocalService\Application Data\Yahoo!

2008-12-22 14:22 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion

2008-12-22 14:21 --------- d-----w c:\program files\Yahoo!

2008-12-22 01:49 --------- d-----w c:\program files\McAfee

2008-12-22 01:45 --------- d-----w c:\program files\Common Files\McAfee

2008-12-22 01:45 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor

2008-12-22 01:45 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2008-12-20 19:21 --------- d-----w c:\program files\Notepad++

2008-12-19 02:49 --------- d-----w c:\program files\Opera

2008-12-18 23:33 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-18 23:33 --------- d-----w c:\program files\Java

2008-12-18 23:13 --------- d-----w c:\program files\vixy.net

2008-12-16 23:34 --------- d-----w c:\program files\MediaMonkey

2008-12-12 18:18 87,336 ----a-w c:\windows\system32\dns-sd.exe

2008-12-12 18:11 61,440 ----a-w c:\windows\system32\dnssd.dll

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-10 23:35 --------- d-----w c:\program files\OpenOffice.org 3

2008-12-10 23:35 --------- d-----w c:\program files\JRE

2008-12-10 23:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-12-10 23:26 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit

2008-11-28 20:22 164 ----a-w C:\install.dat

2008-11-25 00:47 42,354 ----a-w c:\documents and settings\louay\Application Data\wklnhst.dat

2008-07-14 18:08 0 -c--a-w c:\documents and settings\louay\jagex_runescape_preferences.dat

2007-02-13 05:07 251 -c--a-w c:\program files\wt3d.ini

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]

@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"

[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]

2008-11-13 17:04 238968 --a------ c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-28 4363504]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-07 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]

"SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2005-03-22 339968]

"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-08 185872]

"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"UserFaultCheck"="c:\windows\system32\dumprep.exe" [2004-08-10 10752]

"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-01-20 6278520]

"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]

c:\documents and settings\louay\Start Menu\Programs\Startup\

Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-01-31 3450608]

Styler.lnk - c:\documents and settings\louay\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2009-01-07 15086]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-02-07 13:35 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.mpg4"= c:\windows\mpg4c32.dll

"vidc.mpg2"= c:\windows\mpg4c32.dll

"vidc.mpg3"= c:\windows\mpg4c32.dll

"vidc.GEOX"= c:\windows\system32\v8120\GeoCodec.dll

"vidc.GEOV"= GeoCodec.dll

"vidc.G264"= c:\windows\system32\v8120\GX264.dll

"vidc.GM20"= GXGM20.dll

"vidc.GMP4"= c:\windows\system32\v8120\GXAMP4.dll

"vidc.GM40"= GXAMP4.dll

"vidc.MJPG"= m3jpeg32.dll

"vidc.dmb1"= m3jpeg32.dll

"msacm.geoadpcm"= c:\windows\system32\v8100\GeoADPCM.acm

"vidc.GM4H"= c:\windows\system32\v8120\GXAMP4D.dll

"vidc.GM4S"= c:\windows\system32\v8120\GXAMP4D.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

--a--c--- 2005-06-06 23:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE]

-----c--- 2005-02-23 15:57 57344 c:\program files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

--a------ 2005-10-05 03:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

--a--c--- 2005-08-05 13:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]

--a------ 2005-06-08 14:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

--a------ 2005-06-08 15:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

--a------ 2005-06-08 15:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]

--a------ 2005-08-24 18:25 101080 c:\program files\Microsoft Location Finder\LocationFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

--a------ 2009-02-07 13:35 1830128 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2008-10-08 19:45 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2009-01-28 21:56 4363504 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\v8010\\DMMultiView\\MultiView.exe"=

"c:\\Program Files\\v8120\\DMMultiView\\MultiView.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:DCOM(135)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-08-09 29808]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-21 206096]

R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2008-11-28 1090936]

R3 Angel;Angel MPEG Device;c:\windows\system32\drivers\Angel.sys [2006-11-14 376320]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-07 c:\windows\Tasks\cleanmgr.job

- c:\windows\system32\cleanmgr.exe [2004-08-10 04:00]

2009-02-08 c:\windows\Tasks\dfrg.job

- c:\windows\system32\dfrg.msc [2004-08-10 04:00]

2009-02-10 c:\windows\Tasks\wrSpySweeper_L421E2AA3F4ED4C2BAE764367B9B110DB.job

- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-01-20 09:08]

2009-02-10 c:\windows\Tasks\wrSpySweeper_L421E2AA3F4ED4C2BAE764367B9B110DB.job

- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-01-20 09:08]

2009-02-10 c:\windows\Tasks\wrSpySweeper_L421E2AA3F4ED4C2BAE764367B9B110DB.job

- C:\ [2009-02-10 15:32]

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe

MSConfigStartUp-DSS - c:\windows\BBSTORE\DSS\DSSAGENT.EXE

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://216.185.184.229/ActiveView.cab

DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://kwikwash.dipmap.com/cab/OCXChecker_8120.cab

DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - hxxp://kwikwash.dipmap.com/cab/DownloadFile_8110.cab

FF - ProfilePath - c:\documents and settings\louay\Application Data\Mozilla\Firefox\Profiles\b6ytas10.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=chrff-brandt_off&type=000110X001US&p=

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Opera\program\plugins\NPTURNMED.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-10 15:34:20

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

Completion time: 2009-02-10 15:35:49

ComboFix-quarantined-files.txt 2009-02-10 22:35:47

Pre-Run: 210,575,208,448 bytes free

Post-Run: 211,050,975,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

286 --- E O F --- 2009-02-10 10:00:52

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:40:43 PM, on 2/10/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18372)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\dlcccoms.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\Styler\Styler.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe"

O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\WINDOWS\system32\LVCOMSX.EXE"

O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [userFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u

O4 - HKLM\..\Run: [DLCCCATS] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [sUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Startup: Styler.lnk = ?

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab

O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.185.184.229/ActiveView.cab

O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://kwikwash.dipmap.com/cab/OCXChecker_8120.cab

O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://kwikwash.dipmap.com/cab/DownloadFile_8110.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--

End of file - 9110 bytes

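An added example, not part of this thread and not a HijackThis feature: a small Python triage pass over lines in the HijackThis v2 log format, applying the checks a responder runs first over a log like the one above (an O2 BHO whose DLL is missing, an O16 DPF ActiveX control fetched from a bare IP address, any O20 AppInit_DLLs entry, an O23 service whose binary carries no company name). The sample lines are a constructed subset modelled on entries from the log above; the rule set and function names are mine.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a subset of lines in HijackThis v2 log format, modelled on
# entries from the log above. Not the full log, and not HijackThis output as such.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [userFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.185.184.229/ActiveView.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

ENTRY_RE = re.compile(r"^([ORF]\d+)\s+-\s+(.*)$")      # "O16 - DPF: ..." -> ("O16", "DPF: ...")
DPF_URL_RE = re.compile(r"-\s+(https?://\S+)\s*$")     # trailing download URL of an O16 line


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return (section, reason, detail) if the line deserves a look, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O2" and rest.endswith("(no file)"):
        # CLSID still registered as a BHO but the DLL is gone: leftover of a removal
        return (section, "orphaned BHO registration, DLL missing", rest)
    if section == "O16":
        um = DPF_URL_RE.search(rest)
        if um and is_ip_literal(urlparse(um.group(1)).hostname or ""):
            # Downloaded Program Files control fetched from a bare IP: no domain to reputation-check
            return (section, "ActiveX control downloaded from a bare IP address", um.group(1))
    if section == "O20" and rest.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that maps user32.dll; always attribute it
        return (section, "AppInit_DLLs entry, injected into every user32-linked process", rest)
    if section == "O23" and "Unknown owner" in rest:
        # HJT prints the company name from the binary's version info; none means no vendor string
        return (section, "service binary carries no company name", rest)
    return None


def triage(log_text):
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {detail}")
```

A hit is a prompt to look, not a verdict: ati2sgag.exe is an ATI component, and guard32.dll is shipped by COMODO Internet Security, which the later logs in this thread show being installed. The bare-IP O16 entry is the one worth chasing, because a control already downloaded into Downloaded Program Files stays registered and scriptable by IE until it is removed, whether or not the source host is still up.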

  • Root Admin

STEP 1

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
c:\windows\system32\SpOrder.dll
c:\windows\startup.bmp
c:\windows\system32\uxtheme.backup
C:\install.dat

Folder::
c:\program files\Dl_cats

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 2

From within IE go to Tools/Internet Options/Advanced and click on the RESET button.

STEP 3

Then run one last MBAM update and scan. I think the system should be clean now.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

Then post back NEW MBAM and HJT logs, in that order, please.

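An added example, not from the thread and not a ComboFix tool: a Python pre-flight check of a CFScript before it is dropped onto ComboFix, so that a typo in a directive header or a relative path is caught before the tool acts on it. It recognises only the three directives this post uses (KILLALL::, File::, Folder::); ComboFix accepts others, which you would add to the sets. The script text is the one from the post above.

```python
import re

# Copy of the CFScript from the post above, used as sample input. The file format is
# ComboFix's; the parser and its checks are my own, not a ComboFix feature.
CFSCRIPT = r"""
KILLALL::

File::
c:\windows\system32\SpOrder.dll
c:\windows\startup.bmp
c:\windows\system32\uxtheme.backup
C:\install.dat

Folder::
c:\program files\Dl_cats
"""

# Directives that appear on this page. ComboFix accepts others; add them here if you use them.
PATH_DIRECTIVES = {"File", "Folder"}     # followed by one absolute path per line
FLAG_DIRECTIVES = {"KILLALL"}            # stand alone, no entries
HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\[^*?<>|"]*$')   # drive-rooted, no wildcards or shell metacharacters


def parse_cfscript(text):
    """Return ({directive: [entries]}, [problems]) for a CFScript body."""
    sections, problems = {}, []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue                       # blank lines separate sections and are harmless
        h = HEADER_RE.match(line)
        if h:
            current = h.group(1)
            if current not in PATH_DIRECTIVES | FLAG_DIRECTIVES:
                problems.append(f"line {lineno}: unknown directive {current}::")
            sections.setdefault(current, [])
            continue
        if current is None or current in FLAG_DIRECTIVES:
            problems.append(f"line {lineno}: entry outside a path section: {line}")
            continue
        if not ABS_PATH_RE.match(line):
            problems.append(f"line {lineno}: not an absolute drive path: {line}")
            continue
        if line.lower() in (p.lower() for p in sections[current]):
            problems.append(f"line {lineno}: duplicate entry: {line}")
            continue
        sections[current].append(line)
    return sections, problems


if __name__ == "__main__":
    parsed, issues = parse_cfscript(CFSCRIPT)
    for directive, entries in parsed.items():
        print(f"{directive}:: {len(entries)} entr{'y' if len(entries) == 1 else 'ies'}")
    for issue in issues:
        print("PROBLEM", issue)
```

The check is deliberately strict about paths: ComboFix deletes what File:: and Folder:: name, so a relative path or a stray wildcard is exactly the kind of mistake you want caught before the script runs rather than after.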

All I have to say is.. what the hell? You'll see once you look at the MBAM log. I also attached the ComboFix log in case that could be of any help.

Malwarebytes' Anti-Malware 1.34

Database version: 1750

Windows 5.1.2600 Service Pack 2

2/11/2009 5:44:33 PM

mbam-log-2009-02-11 (17-44-33).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 168210

Time elapsed: 40 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\RECYCLER\S-1-5-21-0982818026-0792038349-964117139-9221\service.exe (Trojan.Agent) -> Delete on reboot.

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe (Trojan.Agent) -> Delete on reboot.

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe (Trojan.Agent) -> Delete on reboot.

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe (Backdoor.Bot) -> Delete on reboot.

C:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe (Backdoor.Bot) -> Delete on reboot.

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise323.exe (Backdoor.Bot) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:53:46 PM, on 2/11/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18372)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\Styler\Styler.exe

C:\WINDOWS\system32\dlcccoms.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\COMODO\COMODO Internet Security\cfpupdat.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe"

O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\WINDOWS\system32\LVCOMSX.EXE"

O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [userFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h

O4 - HKLM\..\Run: [DLCCCATS] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [sUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Startup: Styler.lnk = ?

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab

O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.185.184.229/ActiveView.cab

O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://kwikwash.dipmap.com/cab/OCXChecker_8120.cab

O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://kwikwash.dipmap.com/cab/DownloadFile_8110.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--

End of file - 9269 bytes

log.txt

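An added check, not part of the thread and not a Malwarebytes feature: every path in the MBAM log above sits under C:\RECYCLER in a folder named like a SID. The XP Recycle Bin really does keep one SID-named folder per user there, so the example below parses the six "Files Infected" lines and tests each path against what a genuine recycled item looks like: the folder name must be a well-formed account SID (S-1-5-21-..., no zero-padded numbers, since Windows never writes them that way) and the file should carry the D<drive><n> name the bin assigns on deletion, not a live name such as spoolsv.exe. The parsing and the rules are mine; the input lines are copied from the log.

```python
import re
from pathlib import PureWindowsPath

# The six "Files Infected" lines from the MBAM log above, used as sample input.
MBAM_FILES_INFECTED = r"""
C:\RECYCLER\S-1-5-21-0982818026-0792038349-964117139-9221\service.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe (Backdoor.Bot) -> Delete on reboot.
C:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe (Backdoor.Bot) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise323.exe (Backdoor.Bot) -> Delete on reboot.
"""

# "<path> (<detection>) -> <action>" as MBAM 1.x writes it
FILE_LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
# Generic string SID: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-(?P<authority>\d+)-(?P<subs>\d+(?:-\d+)*)$")
# Names the XP bin itself creates: recycled files become D<drive><index>.<ext>, plus its own metadata
BIN_NATIVE_RE = re.compile(r"^(D[a-z]\d+(\..*)?|INFO2|desktop\.ini)$", re.IGNORECASE)
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif"}


def parse_mbam_file_lines(text):
    return [m.groupdict() for m in map(FILE_LINE_RE.match, text.splitlines()) if m]


def sid_anomalies(sid):
    """Reasons a folder name is not a plausible Windows account SID (empty list if it is)."""
    m = SID_RE.match(sid)
    if not m:
        return ["folder name is not in S-1-... SID form"]
    reasons = []
    authority = int(m.group("authority"))
    subs = m.group("subs").split("-")
    if authority != 5:
        reasons.append(f"identifier authority {authority} is not 5 (NT Authority)")
    if subs[0] != "21" or len(subs) != 5:
        reasons.append("not of the S-1-5-21-<three domain ids>-<RID> account form")
    if any(len(s) > 1 and s.startswith("0") for s in subs):
        reasons.append("zero-padded sub-authority, which Windows never writes")
    return reasons


def recycler_anomalies(path):
    """Reasons a file under RECYCLER/<SID>/ does not look like a real recycled item."""
    p = PureWindowsPath(path)
    parts = p.parts                      # ('C:\\', 'RECYCLER', '<SID>', 'name.ext')
    if len(parts) < 4 or parts[1].upper() != "RECYCLER":
        return []                        # not a Recycle Bin path, nothing to say here
    reasons = sid_anomalies(parts[2])
    if not BIN_NATIVE_RE.match(p.name):
        reasons.append("keeps its original file name instead of the D<drive><n> name the bin assigns")
    if p.suffix.lower() in EXECUTABLE_SUFFIXES:
        reasons.append("executable parked directly in the Recycle Bin")
    return reasons


def triage(text):
    return [(e["path"], e["detection"], recycler_anomalies(e["path"]))
            for e in parse_mbam_file_lines(text)]


if __name__ == "__main__":
    for path, detection, reasons in triage(MBAM_FILES_INFECTED):
        print(path, f"[{detection}]")
        for r in reasons:
            print("   -", r)
```

Two of the folder names fail the SID test outright (one has zero-padded numbers, one uses identifier authority 6), and all six files keep live names with executable extensions, which the bin never produces on its own. Whatever wrote them chose RECYCLER because it is hidden, excluded from some scans and already full of SID-shaped folder names.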

  • Root Admin

That is just the TEMP folder and you did a FULL SCAN instead of a Quick Scan so it found stuff there.

STEP 1

Click on Start, Run and type in COMBOFIX.EXE /U to remove ComboFix.

STEP 2

Download and install CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 3

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

STEP 4

Download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found:
    check.gif
    If so, click it, then click the icon right below it and select Move incurable, as you'll see in the next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

A quick question - when I went to reboot after I turned System Restore off, I got the message, "Please do not turn off or unplug your computer; it will automatically turn off." Apparently, Windows was installing updates; however, this screen appeared for several hours. I decided to take the chance and turn off my computer and everything seems to be fine. I've turned off Automatic Updates for the time. Any idea what's causing this problem?

I don't have the time to run a Dr.Web CureIt scan at the moment, but I've done everything else, and here's the new HJT log. I'll post back once I run the Dr.Web scan.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:05:58 PM, on 2/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18372)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\dlcccoms.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\Styler\Styler.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\Program Files\mIRC\mIRC.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe"

O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\WINDOWS\system32\LVCOMSX.EXE"

O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [userFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h

O4 - HKLM\..\Run: [DLCCCATS] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [sUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Startup: Styler.lnk = ?

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab

O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.185.184.229/ActiveView.cab

O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://kwikwash.dipmap.com/cab/OCXChecker_8120.cab

O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://kwikwash.dipmap.com/cab/DownloadFile_8110.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--

End of file - 9205 bytes


  • Root Admin

Well basically I think the system is probably clean now but I want you to run Dr Web to confirm that an Anti-Virus product does not find stuff either.

The HJT log is of no value for that.

Please run the Dr Web - let it run over night if you have to so that we can get confirmation if any other issues are left on the box or not.


I ran Dr. Web's express and complete scans, neither of them detected anything.

A quick question, when I'm running scans with MBAM, should I do a Quick Scan or a Full Scan - I ask this because you guys always say run the quick scan. Wouldn't the complete scan be the better option because it's more thorough? Or are there other specific reasons for doing so?


  • Root Admin

The quick scan hits all known locations where live malware may reside. The full scan will scan other locations and potentially remove some leftover items, like in the Trash or System Restore, but in general those items should not be a current threat to the system. Some AV products seem to block or attempt to block MB when it does a full scan. Some users don't like to spend the time waiting for a full scan either.

So as long as you're not having an issue with full scan and the time doesn't bother you then it's okay to run the full scan.

All looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here. Find here the tutorial on how to use Spyware Blaster.

Install WinPatrol

Download it from here. Here you can find information about how WinPatrol works.

Install FireTrust SiteHound

You can find information and download it from here.

Install hpHosts

Download it from here.

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your PC.

Visit Microsoft often to get the latest updates for your computer.

Note 1:

If you are running Windows XP SP2, you should upgrade to SP3.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows Firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free.

A little outdated, but good reading on how to prevent Malware.

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-Hijackthis instructions found here before posting: Pre- HJT Post Instructions.

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help.

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know: http://www.malwarebytes.org
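The hpHosts paragraph above describes the whole mechanism: a hosts-file blocklist works only because every blocked name is pointed at your own machine (127.0.0.1). The flip side is the check a practitioner wants after a rogue-AV cleanup: any line in the hosts file that points a name at some other address is not a block but a silent redirect, and deserves a second look. The script below is an added example, not code from the forum post or from the hpHosts project. It parses hosts-file text, answers "is this name blocked?", and lists the entries that are redirects rather than sinks. SAMPLE_HOSTS is a constructed file, not real hpHosts data; the only outside fact assumed is the location of the hosts file on Windows XP, C:\WINDOWS\system32\drivers\etc\hosts.

```python
"""Check a Windows hosts file used as a blocklist (hpHosts-style).

Added example, not from the forum post or from hpHosts. SAMPLE_HOSTS is a
constructed file in hosts format; on Windows XP the real file lives at
C:\\WINDOWS\\system32\\drivers\\etc\\hosts.
"""
import ipaddress


# Constructed sample (not real hpHosts data). Lines 5-7 are what a blocklist
# adds; line 10 is the kind of entry that turns a blocklist into a redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost

# blocklist entries: sink the name to this machine
127.0.0.1  ads.example.net        # advertising
127.0.0.1  tracker.example.org
0.0.0.0    malware.example.com

# NOT a block: a well-known name pointed at some other host
203.0.113.9  www.mybank.example
"""


def parse_hosts(text):
    """Return [(ip, hostname, line_no), ...] from hosts-file text.

    '#' starts a comment, blank lines are skipped, and one address may be
    followed by several hostnames. Lines whose first field is not an IP
    address are ignored rather than raised on, so a damaged file still
    yields whatever entries it does contain.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((fields[0], host.lower(), line_no))
    return entries


def is_sink(ip):
    """True if traffic to ip never leaves the machine (127.x, ::1, 0.0.0.0)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def is_blocked(entries, hostname):
    """True if hostname is sunk to a loopback/unspecified address, which is
    how a hosts-file blocklist stops the browser reaching that site."""
    hostname = hostname.lower()
    return any(h == hostname and is_sink(ip) for ip, h, _ in entries)


def redirect_entries(entries):
    """Entries that point a name at a real address instead of sinking it.

    A blocklist only ever maps names to the local machine; any other target
    silently sends the browser somewhere else and should be checked by hand.
    """
    return [(ip, h, n) for ip, h, n in entries if not is_sink(ip)]


def check_hosts_file(path):
    """Parse the hosts file at path and return (entry_count, redirects)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        entries = parse_hosts(f.read())
    return len(entries), redirect_entries(entries)


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(entries)} entries; ads.example.net blocked: "
          f"{is_blocked(entries, 'ads.example.net')}")
    for ip, host, line_no in redirect_entries(entries):
        print(f"line {line_no}: {host} -> {ip} is a redirect, not a block")
```

Run it as-is to see the constructed sample checked, or call check_hosts_file() on the real path after installing hpHosts: a clean blocklist install produces an empty redirect list, and anything it does list is a line the blocklist did not put there.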
