Franknbeans, posted October 20, 2009 (ID:145973)

Let me provide some background first. I have twice used Malwarebytes with no problems but this time (and I even downloaded the latest version from 9/9/9) I am getting the message "Unable to execute file c:\program files\Malwarebytes' Anti malware\mbam.exe. Create process failed; Code 2. The system cannot find the file specified." I followed directions for creating logs and since I could not run the Malwarebytes scan, I am providing the HijackThis log below.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:14 AM, on 10/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Temp\_ex-08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Eraser\Eraser.exe
C:\Documents and Settings\brmartin.AD\Application Data\seres.exe
C:\Documents and Settings\brmartin.AD\Application Data\svcst.exe
C:\DOCUME~1\brmartin.AD\LOCALS~1\Temp\notepad.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_12\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 surety.microsoft.com
O1 - Hosts: 209.44.111.62 aware-protect.com
O1 - Hosts: 209.44.111.62 www.aware-protect.com
O2 - BHO: C:\WINDOWS\system32\jjlghj.dll - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\jjlghj.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-08.exe
O4 - HKLM\..\Run: [unayifopawuqewid] rundll32.exe "C:\WINDOWS\uyusupahogevope.dll",Startup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [mserv] C:\Documents and Settings\brmartin.AD\Application Data\seres.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\brmartin.AD\Application Data\svcst.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\brmartin.AD\LOCALS~1\Temp\notepad.exe
O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: PGPtray.exe.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = ad.bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.bu.edu
O20 - AppInit_DLLs: mad.dll PGPmapih.dll,fosifopu.dll
O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - C:\WINDOWS\system32\kkmemlnh.dll (file missing)
O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\jjlghj.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe

--
End of file - 7521 bytes
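A first triage pass over HijackThis lines of the kind posted above, added here as a worked example (it is not code from the thread, from Malwarebytes or from HijackThis): it flags O4 autoruns launched from temp or profile directories or the drive root, run-key names that copy a Windows process name while pointing outside system32, O1 hosts entries that redirect a hostname to a non-loopback address, O20 AppInit_DLLs entries and O7 policy restrictions. The sample lines are copied from the log above; the rules, directory list and process-name list are my own assumptions about what is worth a human's review, not anything HijackThis defines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample for this example: a handful of HijackThis lines of the
# kinds that appear in the log posted above (entries copied from it, not the
# whole file).
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 surety.microsoft.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-08.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\brmartin.AD\Application Data\svcst.exe
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\brmartin.AD\LOCALS~1\Temp\notepad.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: mad.dll PGPmapih.dll,fosifopu.dll
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
"""


@dataclass
class Finding:
    section: str                 # HijackThis section code, e.g. "O4"
    line: str                    # the log line exactly as written
    reasons: list = field(default_factory=list)


# Assumed rule data (my choices, not HijackThis's): directories a legitimate
# autorun almost never launches from, and run-key names that copy well-known
# Windows process names (suspicious only when the target is not under system32).
USER_WRITABLE_DIRS = ("\\temp\\", "\\locals~1\\", "\\application data\\")
SYSTEM_PROCESS_NAMES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services", "explorer"}
LOOPBACK = {"127.0.0.1", "::1"}

# First drive-letter path ending in an executable-style extension, quoted or not.
_PATH_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|dll|scr|pif|com|bat|cmd))', re.I)
_O4_RE = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
_O1_RE = re.compile(r"^O1 - Hosts: (?P<addr>\S+) (?P<host>\S+)")


def _check_o4(m, reasons):
    """Apply the autorun rules to one parsed O4 line, appending reasons."""
    name = m.group("name").lower()
    path_m = _PATH_RE.search(m.group("target"))
    if not path_m:
        return                   # e.g. cmd.exe /C ... with no drive-letter path
    shown = path_m.group(1)
    path = shown.lower()
    if any(d in path for d in USER_WRITABLE_DIRS):
        reasons.append("autorun launches from a user-writable/temp directory: " + shown)
    if re.match(r"^[a-z]:\\[^\\]+$", path):
        reasons.append("autorun launches from the drive root: " + shown)
    base = name[:-4] if name.endswith(".exe") else name
    if base in SYSTEM_PROCESS_NAMES and "\\windows\\system32\\" not in path:
        reasons.append(f"entry name '{m.group('name')}' mimics a Windows process but points outside system32")


def triage(log_text):
    """Return one Finding per log line that matches at least one review rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        reasons = []
        if section == "O1":
            m = _O1_RE.match(line)
            if m and m.group("addr") not in LOOPBACK:
                reasons.append(f"hosts file redirects {m.group('host')} to {m.group('addr')}")
        elif section == "O4":
            m = _O4_RE.match(line)
            if m:
                _check_o4(m, reasons)
        elif section == "O7":
            reasons.append("policy restriction set (tools such as regedit disabled)")
        elif section == "O20":
            dlls = [d for d in re.split(r"[ ,]+", line.split(":", 1)[1]) if d]
            if dlls:
                reasons.append("AppInit_DLLs loads into every GUI process: " + ", ".join(dlls))
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print("    -", r)
```

Run against the sample, the six flagged lines are the hosts redirect, the three autoruns from Temp or Application Data, the DisableRegedit policy and the AppInit_DLLs entry; the QuickTime and PGP lines pass. The rules are deliberately coarse (a legitimate updater can live in Application Data too), so the output is a reading list for the analyst, not a verdict.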
Rosty, posted October 20, 2009 (ID:146133)

Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.
Franknbeans, posted October 21, 2009 (ID:146533)

> Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
> Post the log from ComboFix when you've accomplished that.

Here's what I did Rosty. I couldn't wait for a response so I went ahead and downloaded the Anti-Malware program on my home computer, put it on a flash drive and then placed it on my work computer. That enabled me to run mbam.exe. I did the full scan and that seemed to work except after it was done it said it could not delete a handful of files and that they would be added to the Delete on Reboot list. So, I re-booted and then I received a bunch of error messages to the effect that the image is not valid (mainly in .dll and .exe files). I just clicked out of all of them by saying OK and my computer is working better and I am not getting the incessant messages popping up saying I need to download an anti-virus program. I did notice that the text below all of my desktop icons is now highlighted as if I clicked on them but I didn't. I am re-running mbam.exe (the quick scan) to see if it comes up with anything else.

During the quick scan, Malwarebytes found 10 additional infections. Again, when I tried to remove selected files, I am getting a message saying that certain items could not be removed. All items that could not be removed have been added to the delete on reboot list.

I am pasting the log from the second (quick) run of the Anti-Malware program...

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

10/21/2009 9:56:37 AM
mbam-log-2009-10-21 (09-56-37).txt

Scan type: Quick Scan
Objects scanned: 186287
Time elapsed: 34 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\SYSTEM32\fujobila.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d9fa0c23-4b0a-4153-b335-8274d440dbf5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miyoviboz (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d9fa0c23-4b0a-4153-b335-8274d440dbf5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pajusumon (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fujobila.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fujobila.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\fujobila.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\brmartin.AD\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

I appreciate any help you can provide.
Rosty, posted October 21, 2009 (ID:146540)

Can you please follow my first advice and download and run ComboFix.

Post that log here for me so I can take a look.
Franknbeans, posted October 21, 2009 (ID:146684)

> Can you please follow my first advice and download and run ComboFix.
> Post that log here for me so I can take a look.

Sorry Rosty for getting impatient but here it is...

ComboFix 09-10-20.03 - brmartin 10/21/2009 13:31.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.177 [GMT -4:00]
Running from: c:\documents and settings\brmartin.AD\My Documents\Downloads\ComboFix.exe
 * Resident AV is active.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\brmartin.AD\Application Data\lizkavd.exe
c:\documents and settings\brmartin.AD\Application Data\seres.exe
c:\documents and settings\brmartin.AD\Local Settings\Temporary Internet Files\Tvm.log
c:\documents and settings\brmartin.AD\ntuser.dll
c:\documents and settings\brmartin.AD\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\brmartin.AD\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\brmartin\Local Settings\Temporary Internet Files\Tvm.log
c:\documents and settings\luziwei\Local Settings\Temporary Internet Files\Tvm.log
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\Installer\4449403.msp
c:\windows\Installer\4449404.msp
c:\windows\Installer\4449405.msp
c:\windows\Installer\4449406.msp
c:\windows\Installer\4449407.msp
c:\windows\Installer\4449408.msp
c:\windows\system32\calc.dll
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\fosifopu.dll.tmp
c:\windows\system32\gatinuro.dll
c:\windows\system32\hidekeli.dll.tmp
c:\windows\system32\juneteyo.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\sikafupo.dll.tmp
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\yesigoju.dll
c:\windows\uyusupahogevope.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://wsus.bumc.bu.edu
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf

((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-21 17:42 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-21 17:42 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-21 11:01 . 2009-10-21 11:01 -------- d-----w- c:\windows\Sun
2009-10-21 09:32 . 2009-10-21 13:55 -------- d-----w- c:\program files\MWdump
2009-10-20 14:34 . 2009-10-20 14:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-20 14:30 . 2009-10-20 14:30 -------- d-----w- c:\program files\Trend Micro
2009-10-20 13:41 . 2009-10-21 09:31 0 ----a-w- c:\windows\Gqutubovisidubad.bin
2009-10-20 13:41 . 2009-10-21 11:32 120 ----a-w- c:\windows\Bmoqahukurubohoj.dat
2009-10-20 13:41 . 2009-10-20 13:41 -------- d-----w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\{23E74077-D5D0-42F5-83CE-DEC845862F9D}
2009-10-20 13:26 . 2009-10-20 13:26 27648 ----a-w- C:\vyiy.exe
2009-10-20 13:26 . 2009-10-20 13:26 53248 ----a-w- C:\ldvx.exe
2009-10-20 13:26 . 2009-10-20 13:26 23040 ----a-w- C:\dtacmawh.exe
2009-10-20 13:26 . 2009-10-20 13:26 19456 ----a-w- C:\chhite.exe
2009-10-20 13:26 . 2009-10-20 13:26 50688 ----a-w- C:\buxuhto.exe
2009-10-19 18:10 . 2009-10-19 18:10 -------- d-----w- c:\documents and settings\brmartin.AD\Application Data\SAS Institute Inc
2009-10-19 18:06 . 2009-10-19 18:07 -------- d-----w- c:\program files\Java
2009-10-19 18:06 . 2009-10-19 18:06 -------- d-----w- c:\program files\Common Files\Java
2009-10-19 18:06 . 2009-10-19 18:06 -------- d-----w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\Sun
2009-10-19 18:01 . 2009-10-19 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SAS
2009-10-19 18:00 . 2009-10-19 18:00 -------- d-----w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\SAS
2009-10-14 09:58 . 2009-09-04 20:45 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-10-01 14:41 . 2004-08-04 06:08 31744 ----a-w- c:\windows\system32\drivers\wceusbsh.sys
2009-10-01 14:41 . 2004-08-04 06:08 31744 ----a-w- c:\windows\system32\dllcache\wceusbsh.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 14:23 . 2008-12-10 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 18:09 . 2003-03-19 21:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-19 18:08 . 2005-10-26 14:11 -------- d-----w- c:\program files\SAS
2009-10-19 17:54 . 2004-11-01 18:01 -------- d-----w- c:\documents and settings\brmartin.AD\Application Data\AdobeUM
2009-10-01 19:07 . 2009-08-06 14:08 -------- d-----w- c:\documents and settings\brmartin.AD\Application Data\U3
2009-09-24 11:27 . 2005-07-13 17:10 78688 ----a-w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:33 . 2001-08-18 13:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2008-12-10 15:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-12-10 15:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 15:20 . 2009-09-09 12:12 -------- d-----w- c:\program files\Uniblue
2009-09-09 13:01 . 2009-09-09 13:01 -------- d-----w- c:\program files\Common Files\i4j_jres
2009-09-04 20:45 . 2001-08-18 13:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:16 . 2003-03-31 18:42 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2004-08-14 09:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-14 09:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-07-13 17:15 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-14 09:00 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2003-03-31 18:43 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2003-03-31 18:38 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-14 09:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2003-03-31 18:43 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2003-03-31 18:41 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 1980-01-01 06:00 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 1980-01-01 06:00 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-23 19:26 . 2009-07-23 19:26 66484 ----a-w- c:\windows\system32\PGPlspRollback.reg
2004-08-04 18:29 . 2004-09-02 12:38 94208 ----a-w- c:\program files\mozilla firefox\components\BrandRes.dll
2004-08-04 18:29 . 2004-09-02 12:38 150912 ----a-w- c:\program files\mozilla firefox\components\fullsoft.dll
2004-08-04 18:28 . 2004-09-02 12:38 53349 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2004-08-04 18:29 . 2004-09-02 12:38 61535 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2004-08-04 18:29 . 2004-09-02 12:38 24685 ----a-w- c:\program files\mozilla firefox\components\qfaservices.dll
2004-08-04 18:28 . 2004-09-02 12:38 168039 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-07-20 14:34 . 2009-07-20 14:34 27136 --sha-w- c:\windows\SYSTEM32\lojaloke.exe
2009-07-21 09:30 . 2009-07-21 09:30 53760 --sha-w- c:\windows\SYSTEM32\zudeyuwi.dll
2009-03-21 14:18 . 2001-08-18 13:00 23552 --sha-w- c:\windows\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\scandisk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2009-03-04 23:19 612920 ----a-w- c:\windows\SYSTEM32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-12-08 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\MWdump\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PGPtray.exe.lnk - c:\windows\Installer\{6798F012-57C5-49AD-9A9D-4097616F4E1B}\Icon6560581611.exe [2009-7-23 55296]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0ntdel.exe mad.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-848115496-1524922173-1168901340-63456\Scripts\Logon\0\0]
"Script"=WRQAudit.V3.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-848115496-1524922173-1168901340-63456\Scripts\Logon\1\0]
"Script"=WRQAudit.V3.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=c:\windows\pss\PrecisionTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^brmartin.AD^Start Menu^Programs^Startup^Rapid Antivirus.lnk]
path=c:\documents and settings\brmartin.AD\Start Menu\Programs\Startup\Rapid Antivirus.lnk
backup=c:\windows\pss\Rapid Antivirus.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pgpfs;PGP File Sharing;c:\windows\SYSTEM32\DRIVERS\PGPfsfd.sys [3/4/2009 7:19 PM 135736]
R2 ASFAgent;ASF Agent;c:\program files\intel\ASF Agent\ASFAgent.exe [5/8/2002 11:51 AM 212992]
R2 NetAlrt;NetAlrt;c:\windows\SYSTEM32\DRIVERS\Netalrt.sys [5/7/2002 6:05 PM 39680]
R2 PlatAlrt;PlatAlrt;c:\windows\SYSTEM32\DRIVERS\platalrt.sys [5/7/2002 6:06 PM 23744]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = 
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\PGPlsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\brmartin.AD\Application Data\Mozilla\Firefox\Profiles\default.ezn\
FF - prefs.js: browser.startup.homepage - hxxp://dellnet.msn.com/
FF - component: c:\program files\Mozilla Firefox\components\qfaservices.dll
FF - HiddenExtension: XULRunner: {23E74077-D5D0-42F5-83CE-DEC845862F9D} - c:\documents and settings\brmartin.AD\Local Settings\Application Data\{23E74077-D5D0-42F5-83CE-DEC845862F9D}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.block.target_new_window", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.popup_allowed_events", "change click dblclick reset submit");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.negotiate-auth.trusted-uris", "https://");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\all.js - pref("bidi.clipboardtextmode", 3);
c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.manual_confirm", true);
c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.enabled", true);
c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.interval", 1);
c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.lastDate", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version", "0.9");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id", 
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateVersion", "");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateDescription", "");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateURL", "");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.autoUpdate", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 604800000); // every 7 days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.lastUpdateDate", 0); // UTC offset when last update was performed.
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.count", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.disable_open_during_load", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("javascript.options.showInConsole", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocols.useSystemDefaults", false); // set to true if user links should use system default handlers
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.external.news" , true); // for news
.
- - - - ORPHANS REMOVED - - - -

BHO-{7d170e2d-a179-48e5-ab83-bca887b63425} - howibovu.dll
HKLM-Run-Unayifopawuqewid - c:\windows\uyusupahogevope.dll
HKLM-Run-vozinolozo - gatinuro.dll
SharedTaskScheduler-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
AddRemove-RDS Analysis Tool 5.6 - z:\sph\DCC\Dept\HIV Surveillance\RDSAT\rdsatdw\uninstall.exe
AddRemove-WinTools_AD - c:\program files\Common files\WinTools\WToolsA.exe
AddRemove-WinTools_ES - c:\program files\Common files\WinTools\WToolsA.exe
AddRemove-WinTools_IES - c:\program files\Common files\WinTools\WToolsA.exe
AddRemove-WinTools_KW - c:\program files\Common files\WinTools\WToolsA.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 15:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\BUGina.dll
c:\windows\system32\PGPlsp.dll

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\PGPlsp.dll

- - - - - - - > 'explorer.exe'(3484)
c:\windows\system32\WININET.dll
c:\windows\system32\PGPhk.dll
c:\windows\system32\PGPfsshl.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\mcshield.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\system32\PGPserv.exe
c:\combofix\CF30377.exe
c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe
c:\program files\Java\jre1.5.0_12\bin\jucheck.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-21 15:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-21 19:12

Pre-Run: 61,560,115,200 bytes free
Post-Run: 64,437,444,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - E751178FD1FF996554E712B590F4CB33
Rosty Posted October 21, 2009 ID:146704

1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\Gqutubovisidubad.bin
c:\windows\Bmoqahukurubohoj.dat
C:\vyiy.exe
C:\ldvx.exe
C:\dtacmawh.exe
C:\chhite.exe
C:\buxuhto.exe
c:\windows\SYSTEM32\lojaloke.exe
c:\windows\SYSTEM32\zudeyuwi.dll

3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.
Franknbeans Posted October 27, 2009 Author ID:149454

Combofix.txt...

ComboFix 09-10-26.03 - brmartin 10/27/2009 6:07.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.196 [GMT -4:00]
Running from: c:\documents and settings\brmartin.AD\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\brmartin.AD\Desktop\CFScript.txt
 * Resident AV is active

FILE ::
"C:\buxuhto.exe"
"C:\chhite.exe"
"C:\dtacmawh.exe"
"C:\ldvx.exe"
"C:\vyiy.exe"
"c:\windows\Bmoqahukurubohoj.dat"
"c:\windows\Gqutubovisidubad.bin"
"c:\windows\SYSTEM32\lojaloke.exe"
"c:\windows\SYSTEM32\zudeyuwi.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\chhite.exe
c:\documents and settings\All Users\Desktop\nudetube.com.lnk
c:\documents and settings\All Users\Desktop\pornotube.com.lnk
c:\documents and settings\All Users\Desktop\youporn.com.lnk
C:\dtacmawh.exe
c:\windows\Bmoqahukurubohoj.dat
c:\windows\Gqutubovisidubad.bin
c:\windows\SYSTEM32\lojaloke.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-21 17:42 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-21 17:42 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-21 11:01 . 2009-10-21 11:01 -------- d-----w- c:\windows\Sun
2009-10-21 09:32 . 2009-10-21 13:55 -------- d-----w- c:\program files\MWdump
2009-10-20 14:34 . 2009-10-20 14:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-20 14:30 . 2009-10-20 14:30 -------- d-----w- c:\program files\Trend Micro
2009-10-20 13:41 . 2009-10-20 13:41 -------- d-----w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\{23E74077-D5D0-42F5-83CE-DEC845862F9D}
2009-10-19 18:10 . 2009-10-19 18:10 -------- d-----w- c:\documents and settings\brmartin.AD\Application Data\SAS Institute Inc
2009-10-19 18:06 . 2009-10-19 18:07 -------- d-----w- c:\program files\Java
2009-10-19 18:06 . 2009-10-19 18:06 -------- d-----w- c:\program files\Common Files\Java
2009-10-19 18:06 . 2009-10-19 18:06 -------- d-----w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\Sun
2009-10-19 18:01 . 2009-10-19 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SAS
2009-10-19 18:00 . 2009-10-19 18:00 -------- d-----w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\SAS
2009-10-14 09:58 . 2009-09-04 20:45 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-10-01 14:41 . 2004-08-04 06:08 31744 ----a-w- c:\windows\system32\drivers\wceusbsh.sys
2009-10-01 14:41 . 2004-08-04 06:08 31744 ----a-w- c:\windows\system32\dllcache\wceusbsh.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 14:23 . 2008-12-10 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 18:09 . 2003-03-19 21:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-19 18:08 . 2005-10-26 14:11 -------- d-----w- c:\program files\SAS
2009-10-19 17:54 . 2004-11-01 18:01 -------- d-----w- c:\documents and settings\brmartin.AD\Application Data\AdobeUM
2009-10-01 19:07 . 2009-08-06 14:08 -------- d-----w- c:\documents and settings\brmartin.AD\Application Data\U3
2009-09-24 11:27 . 2005-07-13 17:10 78688 ----a-w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:33 . 2001-08-18 13:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2008-12-10 15:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-12-10 15:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 15:20 . 2009-09-09 12:12 -------- d-----w- c:\program files\Uniblue
2009-09-09 13:01 . 2009-09-09 13:01 -------- d-----w- c:\program files\Common Files\i4j_jres
2009-09-04 20:45 . 2001-08-18 13:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-24 00:32 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:16 . 2003-03-31 18:42 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2004-08-14 09:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-14 09:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-07-13 17:15 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-14 09:00 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2003-03-31 18:43 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2003-03-31 18:38 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-14 09:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2003-03-31 18:43 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2003-03-31 18:41 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 1980-01-01 06:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 1980-01-01 06:00 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2004-08-04 18:29 . 2004-09-02 12:38 94208 ----a-w- c:\program files\mozilla firefox\components\BrandRes.dll
2004-08-04 18:29 . 2004-09-02 12:38 150912 ----a-w- c:\program files\mozilla firefox\components\fullsoft.dll
2004-08-04 18:28 . 2004-09-02 12:38 53349 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2004-08-04 18:29 . 2004-09-02 12:38 61535 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2004-08-04 18:29 . 2004-09-02 12:38 24685 ----a-w- c:\program files\mozilla firefox\components\qfaservices.dll
2004-08-04 18:28 . 2004-09-02 12:38 168039 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.
((((((((((((((((((((((((((((( SnapShot@2009-10-21_19.03.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-26 09:44 . 2009-10-26 09:44 16384 c:\windows\Temp\Perflib_Perfdata_75c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2009-03-04 23:19 612920 ----a-w- c:\windows\SYSTEM32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-12-08 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\MWdump\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PGPtray.exe.lnk - c:\windows\Installer\{6798F012-57C5-49AD-9A9D-4097616F4E1B}\Icon6560581611.exe [2009-7-23 55296]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0ntdel.exe mad.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-848115496-1524922173-1168901340-63456\Scripts\Logon\0\0]
"Script"=WRQAudit.V3.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-848115496-1524922173-1168901340-63456\Scripts\Logon\1\0]
"Script"=WRQAudit.V3.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=c:\windows\pss\PrecisionTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^brmartin.AD^Start Menu^Programs^Startup^Rapid Antivirus.lnk]
path=c:\documents and settings\brmartin.AD\Start Menu\Programs\Startup\Rapid Antivirus.lnk
backup=c:\windows\pss\Rapid Antivirus.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pgpfs;PGP File Sharing;c:\windows\SYSTEM32\DRIVERS\PGPfsfd.sys [3/4/2009 7:19 PM 135736]
R2 ASFAgent;ASF Agent;c:\program files\intel\ASF Agent\ASFAgent.exe [5/8/2002 11:51 AM 212992]
R2 NetAlrt;NetAlrt;c:\windows\SYSTEM32\DRIVERS\Netalrt.sys [5/7/2002 6:05 PM 39680]
R2 PlatAlrt;PlatAlrt;c:\windows\SYSTEM32\DRIVERS\platalrt.sys [5/7/2002 6:06 PM 23744]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [12/10/2008 11:20 AM 38224]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - MBR
*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\PGPlsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\brmartin.AD\Application Data\Mozilla\Firefox\Profiles\default.ezn\
FF - prefs.js: browser.startup.homepage - hxxp://dellnet.msn.com/
FF - component: c:\program files\Mozilla Firefox\components\qfaservices.dll
FF - HiddenExtension: XULRunner: {23E74077-D5D0-42F5-83CE-DEC845862F9D} - c:\documents and settings\brmartin.AD\Local Settings\Application Data\{23E74077-D5D0-42F5-83CE-DEC845862F9D}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.block.target_new_window", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.popup_allowed_events", "change click dblclick reset submit");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.negotiate-auth.trusted-uris", "https://");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\all.js - pref("bidi.clipboardtextmode", 3);
c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.manual_confirm", true);
c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.enabled", true);
c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.interval", 1);
c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.lastDate", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version", "0.9");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateVersion", "");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateDescription", "");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateURL", "");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.autoUpdate", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 604800000); // every 7 days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.lastUpdateDate", 0); // UTC offset when last update was performed.
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.count", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.disable_open_during_load", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("javascript.options.showInConsole", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocols.useSystemDefaults", false); // set to true if user links should use system default handlers
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.external.news" , true); // for news
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 06:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\BUGina.dll
c:\windows\system32\PGPlsp.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\PGPlsp.dll
.
Completion time: 2009-10-27 6:38
ComboFix-quarantined-files.txt 2009-10-27 10:37
ComboFix2.txt 2009-10-21 19:12

Pre-Run: 64,342,167,552 bytes free
Post-Run: 64,426,061,824 bytes free

- - End Of File - - C157223C162673B247FDA28F0611B374

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:57 AM, on 10/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Eraser\Eraser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\MWdump\mbam.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\CALC.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\MWdump\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: PGPtray.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = ad.bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.bu.edu
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe

--
End of file - 5345 bytes
Rosty Posted October 27, 2009 ID:149746

Hi, those logs look clean! How are things running now?
Franknbeans Posted October 28, 2009 Author ID:150263

> Hi, those logs look clean! How are things running now?

Much better! Thanks Rosty for all the help. It seemed the last run of ComboFix did the trick.
Rosty Posted October 28, 2009 ID:150472

Your computer now seems to be clean.

1. The following will not only uninstall ComboFix but also clean up some other dangerous tools and backups, clean up the System Restore points and hide the system files.
Go to Start
Click on Run
Type ComboFix /u (Note: This command is case sensitive.)

2. Clean out Temporary Files etc. This program is for Vista, XP and Windows 2000 only.
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All. Then remove the check mark for Cookies.
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All.
Click the Empty Selected button. Remove the check mark for Cookies.
NOTE: If you would like to keep your saved passwords, please click No at the prompt if asked.
If you use the Opera browser:
Click Opera at the top and choose: Select All. Remove the check mark for Cookies.
Click the Empty Selected button.
It is a good idea to do this every few weeks as a lot of junk collects there over time.

3. Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean, then press the Create button and once it's done press Close.
Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK.
Ensure the boxes for Temporary Files and Temporary Internet Files are checked; you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt.
Press OK and Yes to confirm.

4. Set correct settings for files that should be hidden in Windows XP:
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended).
If necessary check "Display content of system folders".
If necessary uncheck Hide file extensions for known file types.
Click OK.

5. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.

6. Download and install the free version of Malwarebytes' Anti-Malware to your desktop. Check for the latest updates and perform a full system scan. This is an on-demand scanner and runs very well with WinPatrol.

7. If you are using Internet Explorer v. 7 please read and follow the recommendations at this site: http://surfthenetsafely.com/ieseczone8.htm

8. Update your Anti Virus Software - It is imperative that you update your Anti virus software at least a few times a week (once a day is a good idea). If you do not update your anti virus software it will not be able to catch new variants that come out.

9. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Windows Firewall is not recommended. Be restrictive with granting access to the Internet. If you are unsure if the program really needs the access, test it by denying the access and see if this has any negative effects. If not, make the block permanent.

10. Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems.

11. Visit Microsoft's Windows Update Site frequently, or better yet set your computer for automatic updates.

12. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

13. Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miekiem...prevention.html that will give you more information on some of the points above.

14. Please check out Tony Klein's article "How did I get infected in the first place?"

Follow this list and your potential for being infected again will reduce dramatically. (preventionspeech by Elrond)

Regards,
Rosty.