Merry XMAS - I have a rootKit!

[awmross]

I can't get rid of a rootkit.

Malwarebytes detects it, but doesn't remove it. "Rootkit.TDSS"

I am doing everything in Windows Safe Mode, as the computer locks up if run in normal mode.

I have XP.

I've attached DDS.txt, ark.txt and the malwareBytes log as instructed.

Thanks in advance for your help.

Here is the printout of DDS.txt

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK

Run by Administrator at 21:20:41.10 on Thu 24/12/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.999.721 [GMT 11:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\HPQ\IAM\bin\asghost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Documents and Settings\Administrator\My Documents\Andreas\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hpq\iam\bin\ItIeAddIN.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start

mRun: [sDMSSplash] "c:\program files\hp_sdms\sdmssplash\launcher.exe" "launchdir=c:\program files\hp_sdms\SDMSSplash"

mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe

mRun: [CognizanceTS] rundll32.exe c:\progra~1\hpq\iam\bin\AsTsVcc.dll,RegisterModule

mRun: [Recguard] c:\windows\sminst\Recguard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [scheduler] c:\windows\sminst\Scheduler.exe

mRun: [instantAccess] c:\progra~1\textbr~1.0\bin\INSTAN~1.EXE /h

mRun: [RegisterDropHandler] c:\progra~1\textbr~1.0\bin\REGIST~1.EXE

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"

mRunServices: [RegisterDropHandler] c:\progra~1\textbr~1.0\bin\REGIST~1.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: stagingconnections.com\cag

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: IfxWlxEN - IfxWlxEN.dll

Notify: igfxcui - igfxdev.dll

Notify: OneCard - c:\program files\hpq\iam\bin\AsWlnPkg.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Notification Packages = scecli AsWlnPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\3o01ybzt.default\

FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-24 207792]

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-4-7 31104]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-5-8 36608]

S0 tvffdr;tvffdr;c:\windows\system32\drivers\raixo.sys --> c:\windows\system32\drivers\raixo.sys [?]

S2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-28 14336]

S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-24 112592]

S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-24 359624]

S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-24 1141712]

=============== Created Last 30 ================

2009-12-24 10:15:09 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2009-12-24 09:15:46 883 ----a-w- c:\windows\RegSDImport.xml

2009-12-24 09:15:46 880 ----a-w- c:\windows\RegISSImport.xml

2009-12-24 09:15:46 767952 ----a-w- c:\windows\BDTSupport.dll

2009-12-24 09:15:46 149456 ----a-w- c:\windows\SGDetectionTool.dll

2009-12-24 09:15:46 131 ----a-w- c:\windows\IDB.zip

2009-12-24 09:15:46 1152444 ----a-w- c:\windows\UDB.zip

2009-12-24 09:15:45 165840 ----a-w- c:\windows\PCTBDRes.dll

2009-12-24 09:15:45 1640400 ----a-w- c:\windows\PCTBDCore.dll

2009-12-24 09:12:42 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat

2009-12-24 09:12:42 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-12-24 09:12:38 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-12-24 09:12:38 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat

2009-12-24 09:12:38 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-12-24 09:12:38 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-12-24 09:12:35 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat

2009-12-24 09:12:35 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-12-24 09:12:30 0 d-----w- c:\program files\Spyware Doctor

2009-12-24 09:12:30 0 d-----w- c:\program files\common files\PC Tools

2009-12-24 09:12:30 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2009-12-24 09:12:30 0 d-----w- c:\docume~1\admini~1\applic~1\PC Tools

2009-12-20 19:35:58 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2009-12-20 19:31:09 0 d-----w- c:\documents and settings\administrator\DoctorWeb

2009-12-20 19:14:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-20 19:14:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-20 19:14:13 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-20 19:14:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-12-19 20:30:12 0 d-----w- c:\program files\trend micro

2009-12-19 19:36:17 657 ----a-w- c:\windows\system32\krl32mainweq.dll

2009-12-19 19:35:12 206 ----a-w- c:\windows\system32\srcr.dat

2009-12-04 01:43:13 0 d-sh--w- c:\documents and settings\administrator\IECompatCache

==================== Find3M ====================

2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll

2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll

2009-04-04 02:20:55 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040420090405\index.dat

============= FINISH: 21:21:15.43 ===============

Attach.zip

mbam_log_2009_12_24__19_58_30_.txt

[screen317]

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
  

-screen317

[awmross]

The system seems more stable now. I can run in normal mode....

I've attached the files as requested.

Cheers

ComboFix.txt

hijackthislog.txt

[awmross]

Running a Fast Scan in MalwareBytes detects no malicious files. Does this mean it's fixed?

If so, I thank you very much for your help.

[screen317]

Hi,

More to do, let's continue.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::

MEMSWEEP2

tvffdr

File::

c:\windows\system32\1.tmp

c:\windows\system32\drivers\raixo.sys

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-screen317

[awmross]

As requested

hijackthislog2.txt

ComboFix.txt

[screen317]

Hi,

Please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\chg.exe

Post the results in your reply.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

• Click Start Scanning.
  
• You should get a notification bar (on top) to install the ActiveX control.
  
• Click on it and select to install the ActiveX.
  
• Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  
• In case you are having problems with installing the ActiveX/starting the scan, please read here.
  
• Click the Full System Scan button.
  
• It will start to download scanner components and databases. This can take a while.
  
• The main scan will start.
  
• Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  
• It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  
• The cleaning can take a while, so please be patient.
  
• Then click the Show report button and Copy/Paste what is present under results in your next reply.
  

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Let me know how things are running now and what issues remain.

-screen317

[awmross]

I couldn't find a file called chg.exe. I unticked all the 'hide' options in explorer. I also checked from a dos prompt but the file isn't there. I also tried booting into safe mode but still no sign of the file.

The surrounding files are

chcp.com

chkdsk.exe

No chg.exe??

The F-Secure results:

Scanning Report

Friday, January 1, 2010 13:33:01 - 14:15:01

Computer name: SEZHP

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

--------------------------------------------------------------------------------

15 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Adtech (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Adrevolver (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

Rootkit.TDSS.AJ (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP679\A0054653.SYS (Renamed & Submitted)

Gen:Trojan.Heur.Vundo.by4@dSV7Byh (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP679\A0054654.DLL (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 45716

System: 3392

Not scanned: 7

Actions:

Disinfected: 13

Renamed: 2

Deleted: 0

Not cleaned: 0

Submitted: 2

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\ETILQS_DGRTZN7BJGR8E5AN2CMJ

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

And the checkup.txt

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

McAfee Security Scan

WMIC entry does not exist for antivirus; attempting automatic update.

``````````````````````````````

Anti-malware/Other Utilities Check:

Sophos Anti-Rootkit 1.5.0

HijackThis 2.0.2

Java 6 Update 14

Java SE Runtime Environment 6 Update 1

Java 6 Update 3

Java 6 Update 5

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 7.0

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

[screen317]

Hi,

Don't worry about chg.exe; it's probably gone now.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterwards. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java

[awmross]

Done.

One question. In one of the stages, I ran a program called "defogger.exe" or similar. There was a last step that involved uninstalling / switching off the "defogger" program, but they stressed that should only be done once the system had been fixed. Is that something I have to do now??

[screen317]

Hi,

Yes Defogger needs to be run again.

To re-enable your Emulation drivers, double click DeFogger to run the tool.

• The application window will appear
  
• Click the Re-enable button to re-enable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger will now ask to reboot the machine - click OK
  

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Let me know if any other issues remain.

-screen317

[awmross]

Everything seems fine.

[screen317]

Great.

Good work. Your log appears to be clean!

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio

Comodo

Outpost

2) It is imperative that you have an antivirus. You are basically asking for infection without one.

All of the following are excellent free antiviruses. Be sure to only install one.

Microsoft Security Essentials

AntiVir

avast!.

3) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

4) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

5) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

6) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

7) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

• Green to go
  
• Yellow for caution
  
• Red to stop
  

WOT has an addon available for both Firefox and IE.

8) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

[awmross]

Thanks so much for your help.

[screen317]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!