Johnny Sarcastic Posted June 24, 2008 ID:21049 Share Posted June 24, 2008 This all started with various popups and an overall slowdown of my PC. Through various means, I appear to have eliminated everything except this pesky MS Juan that keeps re-appearing, and was hoping that perhaps someone here could give me some help. I have the required logfiles here:Malwarebytes' Anti-Malware 1.18Database version: 8874:45:18 PM 24/06/2008mbam-log-6-24-2008 (16-45-18).txtScan type: Full Scan (C:\|D:\|)Objects scanned: 107604Time elapsed: 1 hour(s), 18 minute(s), 23 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)---------------------------------------------------Panda:;***********************************************************************************************************************************************************************************ANALYSIS: 2008-06-24 17:42:46PROTECTIONS: 0MALWARE: 3SUSPECTS: 0;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{25D23051-262D-405C-BB02-CD5A838C93A8}\RP2\A0001111.exe00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{25D23051-262D-405C-BB02-CD5A838C93A8}\RP1\A0000014.exe02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{25D23051-262D-405C-BB02-CD5A838C93A8}\RP2\A0001112.exe02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{25D23051-262D-405C-BB02-CD5A838C93A8}\RP1\A0000015.exe;===================================================================================================================================================================================SUSPECTSSent Location o;===================================================================================================================================================================================;===================================================================================================================================================================================VULNERABILITIESId Severity Description o;=================================================================================================================================================================================== 150243 HIGH MS07-008 o 126087 HIGH MS06-046 o 120823 MEDIUM MS06-030 o 93454 MEDIUM MS05-049 o;===================================================================================================================================================================================Logfile of Trend Micro HijackThis v2.0.2Scan saved at 16:48:45, on 24/06/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.20815)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Logitech\iTouch\iTouch.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Media Player\WMPNSCFG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\MSN Messenger\usnsvc.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wuauclt.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO2 - BHO: {1ba91dab-10ed-65ca-9a54-66e272eff89e} - {e98ffe27-2e66-45a9-ac56-de01bad19ab1} - C:\WINDOWS\system32\mnxpgehe.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUpO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cabO16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cabO16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...323/mcfscan.cabO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Avira AntiVir Personal mbam_log_6_24_2008__16_45_18_.txtActiveScan.txtmbam_log_6_24_2008__16_45_18_.txtActiveScan.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 24, 2008 Root Admin ID:21054 Share Posted June 24, 2008 Hello Johnny S. and Welcome to the Malwarebytes site. Give me some time to review your logs and I'll be back with you soon. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 25, 2008 Root Admin ID:21059 Share Posted June 25, 2008 STEP 1Please upload the following file to this location and post back the results. C:\WINDOWS\system32\mnxpgehe.dllUpload for scanning to: virusscan.jotti.orgSTEP 2Start Hijackthis and do a Scan OnlyThen place a check mark on the following entriesO2 - BHO: {1ba91dab-10ed-65ca-9a54-66e272eff89e} - {e98ffe27-2e66-45a9-ac56-de01bad19ab1} - C:\WINDOWS\system32\mnxpgehe.dllO4 - HKUS\S-1-5-19\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')Then click on Fix selectedSTEP 3Please download ComboFix from Here to your Desktop.**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**Please, never rename Combofix unless instructed.Close all open browsers.Close / disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.WARNING: Combofix will disconnect your machine from the Internet as soon as it startsPlease do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.If there is no internet connection after running Combofix, then restart your computer to restore back your connection.[*]Double click on combofix.exe & follow the prompts.[*]When finished, it will produce a report for you.[*]Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**STEP 4Download Deckard's System Scanner (DSS) to your Desktop.Note: You must be logged onto an account with administrator privileges.Close all applications and windows.Double-click on dss.exe to run it, and follow the prompts.When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimizedCopy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post in your replyWhat DSS will do:create a new System Restore point in Windows XP and Vista.clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.Notes: The first time that the Deckard scanner is run, the extra.txt is generated in a minimized window. The second time you will not obtain the extra.txt. You must go to Start=>Run and copy the following "%userprofile%\desktop\dss.exe" /config in the line and click OK You will receive a pop-up box with options to check for the Main log and Extra Log and Options.STEP 5Then post back the above logs.. Link to post Share on other sites More sharing options...
Johnny Sarcastic Posted June 25, 2008 Author ID:21072 Share Posted June 25, 2008 AdvancedSetup,Thank you so very much for your time. I followed your instructions step-by-step; here is the information you requested.Jotti's Malware Scan:ComboFix's Log:ComboFix 08-06-20.4 - Administrator 2008-06-24 22:36:12.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1532 [GMT -4:00]Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe * Created a new restore pointWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\WINDOWS\assys.dllC:\WINDOWS\BM3762d609.xmlC:\WINDOWS\ffnsys.dllC:\WINDOWS\gstcore.dllC:\WINDOWS\pskt.iniC:\WINDOWS\rsczsys.dllC:\WINDOWS\snsys.dllC:\WINDOWS\system32\ughygxnc.iniC:\WINDOWS\uawin.dll.((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 ))))))))))))))))))))))))))))))).2008-06-24 16:57 . 2008-06-24 16:58 <DIR> d-------- C:\Program Files\Panda Security2008-06-24 14:12 . 2008-06-24 14:12 <DIR> d-------- C:\VundoFix Backups2008-06-24 13:29 . 2008-06-24 13:29 <DIR> d-------- C:\Program Files\Avira2008-06-24 13:29 . 2008-06-24 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg82008-06-24 04:20 . 2008-06-24 04:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware2008-06-24 04:20 . 2008-06-24 04:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes2008-06-24 04:20 . 2008-06-24 04:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes2008-06-24 04:20 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys2008-06-24 04:20 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys2008-06-24 03:03 . 2008-06-24 03:29 1,034 --a------ C:\WINDOWS\system32\tmp.reg2008-06-24 02:51 . 2008-06-24 02:51 <DIR> d-------- C:\Program Files\Lavasoft2008-06-24 00:31 . 2008-06-24 00:31 <DIR> d-------- C:\Program Files\AVG2008-06-23 23:30 . 2008-06-23 23:30 <DIR> d-------- C:\WINDOWS\McAfee.com2008-06-23 08:49 . 2008-06-23 08:49 99,328 --a------ C:\WINDOWS\system32\mnxpgehe.dll2008-06-13 02:06 . 2008-06-13 02:06 <DIR> d-------- C:\Program Files\QuickTime2008-06-11 12:51 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys2008-06-11 12:51 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys2008-06-01 00:06 . 2008-06-01 00:06 <DIR> d-------- C:\WINDOWS\system32\Adobe2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-06-24 22:03 --------- d-----w C:\Program Files\Mozilla Thunderbird2008-06-24 17:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira2008-06-24 08:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U32008-06-24 06:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard2008-06-24 06:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft2008-06-23 19:36 87,608 ----a-w C:\Documents and Settings\Administrator\Application Data\inst.exe2008-06-23 19:36 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys2008-06-23 19:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso2008-06-23 00:50 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys2008-06-23 00:46 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BitTorrent2008-06-18 17:37 --------- d-----w C:\Program Files\OpenOffice.org 2.42008-06-18 07:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org22008-06-09 04:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Image Zone Express2008-05-17 06:52 --------- d-----w C:\Program Files\Max File Shredder2008-05-08 12:14 203,008 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys2008-05-06 17:55 --------- d-----w C:\Program Files\DVDlabPro22008-05-02 05:21 --------- d-----w C:\Program Files\Trend Micro2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys2008-04-25 21:45 --------- d-----w C:\Program Files\Free FLV Converter2008-01-17 23:34 25,128 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT2007-11-01 00:01 87,608 ----a-w C:\Documents and Settings\Johnny Sarcastic\Application Data\inst.exe2007-11-01 00:01 47,360 ----a-w C:\Documents and Settings\Johnny Sarcastic\Application Data\pcouffin.sys2007-10-26 20:07 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat2007-10-26 20:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat2007-10-26 20:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007102620071027\index.dat2007-10-26 20:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 06:15 7311360]"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]"Tweak UI"="TWEAKUI.CPL,TweakMeUp" []"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 21:56 15360]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"aux"= ctwdm32.dll"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"AntiVirusOverride"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\system32\\sessmgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe"=.Contents of the 'Scheduled Tasks' folder"2008-05-29 17:57:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"- C:\Program Files\Apple Software Update\SoftwareUpdate.exe.**************************************************************************catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-06-24 22:38:30Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.------------------------ Other Running Processes ------------------------.C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\HP\Digital Imaging\bin\hpqste08.exeC:\Program Files\Windows Media Player\wmpnetwk.exe.**************************************************************************.Completion time: 2008-06-24 22:44:12 - machine was rebootedComboFix-quarantined-files.txt 2008-06-25 02:44:03Pre-Run: 58,613,297,152 bytes freePost-Run: 58,686,844,928 bytes free152 --- E O F --- 2008-06-21 07:00:45Deckard's System Scanner Log - Main:Deckard's System Scanner v20071014.68Run by Administrator on 2008-06-25 00:23:05Computer is in Normal Mode.---------------------------------------------------------------------------------- System Restore --------------------------------------------------------------Successfully created a Deckard's System Scanner Restore Point.-- Last 5 Restore Point(s) --9: 2008-06-25 04:23:07 UTC - RP9 - Deckard's System Scanner Restore Point8: 2008-06-25 02:36:03 UTC - RP8 - ComboFix created restore point7: 2008-06-24 17:42:14 UTC - RP7 - Avira AntiVir Personal - 24/06/2008 13:426: 2008-06-24 17:39:15 UTC - RP6 - AntiVir PersonalEdition Classic - 24/06/2008 13:395: 2008-06-24 17:29:27 UTC - RP5 - AntiVir PersonalEdition Classic - 24/06/2008 13:29-- First Restore Point -- 1: 2008-06-24 07:19:56 UTC - RP1 - System CheckpointBacked up registry hives.Performed disk cleanup.-- HijackThis (run as Administrator.exe) ---------------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 00:23:45, on 25/06/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.20815)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Logitech\iTouch\iTouch.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Media Player\WMPNSCFG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\explorer.exeC:\Documents and Settings\Administrator\Desktop\dss.exeC:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUpO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cabO16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...323/mcfscan.cabO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Avira AntiVir Personal ComboFix.txtmain.txtextra.txtComboFix.txtmain.txtextra.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 25, 2008 Root Admin ID:21080 Share Posted June 25, 2008 Please go into your Control Panel, Add/Remove and remove ALL versions of JavaJava Link to post Share on other sites More sharing options...
Johnny Sarcastic Posted June 25, 2008 Author ID:21106 Share Posted June 25, 2008 Malwarebytes' Anti-Malware 1.18Database version: 8912:44:31 PM 25/06/2008mbam-log-6-25-2008 (14-44-31).txtScan type: Quick ScanObjects scanned: 40648Time elapsed: 2 minute(s), 39 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)-------------------------------------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 14:45:24, on 25/06/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.20815)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Logitech\iTouch\iTouch.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Java\jre1.6.0_06\bin\jusched.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Media Player\WMPNSCFG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\explorer.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUpO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cabO16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...323/mcfscan.cabO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Avira AntiVir Personal Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 25, 2008 Root Admin ID:21108 Share Posted June 25, 2008 Okay, how is the system running now? I no longer see any indication of Malware in the log.Please click on START - RUN and type in REGEDIT then click OKOn the left side, browse down the tree until you get to this location. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS JuanIf you can not find this key let me know. If you do find this key let me know if there is other data in the right side and what it says.Also, please update MB once again and run another Quick Scan and post that log. Link to post Share on other sites More sharing options...
Johnny Sarcastic Posted June 25, 2008 Author ID:21112 Share Posted June 25, 2008 Everything seems great! That key is nowhere to be found in RegEdit. That's fantastic, I appreciate your help. What could've caused this? I'm always very careful about what I download and about links I follow. Is AntiVir a decent antivirus program, or should I be using something else (in your opinion)?Malwarebytes' Anti-Malware 1.18Database version: 8913:50:51 PM 25/06/2008mbam-log-6-25-2008 (15-50-51).txtScan type: Quick ScanObjects scanned: 40666Time elapsed: 1 minute(s), 13 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 25, 2008 Root Admin ID:21117 Share Posted June 25, 2008 AntiVir is considered a great product by many in this area of security. There is no single product out that can catch or clean everything. Many new variants come out every day.Please Download OTMoveIt2 by Old Timer and save it to your Desktop.Double-click OTMoveIt2.exe to run it.While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.It should ask if you want to clean up, select Yes and allow the system to clean up these items.DO NOT allow it to reboot your system when asked. Copy everything in the Results window (under the green bar), and paste it in your next reply.Close OTMoveIt2NOW please reboot your computer to finish the cleanup process and post back the details you copied from OTMoveIt2. Link to post Share on other sites More sharing options...
Johnny Sarcastic Posted June 26, 2008 Author ID:21161 Share Posted June 26, 2008 Excellent, thanks for your advice and further help. Here's O2MoveIt:File/Folder avenger.zip not found.File/Folder avenger.exe not found.File/Folder Avenger not found.File/Folder avenger.txt not found.File/Folder bfu.zip not found.File/Folder BFU not found.C:\WINDOWS\erdnt\subs folder deleted successfully.C:\WINDOWS\erdnt\Hiv-backup\Users\00000006 folder deleted successfully.C:\WINDOWS\erdnt\Hiv-backup\Users\00000005 folder deleted successfully.C:\WINDOWS\erdnt\Hiv-backup\Users\00000004 folder deleted successfully.C:\WINDOWS\erdnt\Hiv-backup\Users\00000003 folder deleted successfully.C:\WINDOWS\erdnt\Hiv-backup\Users\00000002 folder deleted successfully.C:\WINDOWS\erdnt\Hiv-backup\Users\00000001 folder deleted successfully.C:\WINDOWS\erdnt\Hiv-backup\Users folder deleted successfully.C:\WINDOWS\erdnt\Hiv-backup folder deleted successfully.C:\WINDOWS\erdnt\dss folder deleted successfully.C:\WINDOWS\erdnt folder deleted successfully.C:\QooBox\Quarantine\Registry_backups folder deleted successfully.C:\QooBox\Quarantine\C\WINDOWS\system32 folder deleted successfully.C:\QooBox\Quarantine\C\WINDOWS folder deleted successfully.C:\QooBox\Quarantine\C\Documents and Settings\Johnny Sarcastic\Application Data folder deleted successfully.C:\QooBox\Quarantine\C\Documents and Settings\Johnny Sarcastic folder deleted successfully.C:\QooBox\Quarantine\C\Documents and Settings\Administrator\Application Data folder deleted successfully.C:\QooBox\Quarantine\C\Documents and Settings\Administrator folder deleted successfully.C:\QooBox\Quarantine\C\Documents and Settings folder deleted successfully.C:\QooBox\Quarantine\C folder deleted successfully.C:\QooBox\Quarantine folder deleted successfully.C:\QooBox\BackEnv folder deleted successfully.C:\QooBox folder deleted successfully.Service not present: catchme.C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files folder deleted successfully.C:\Deckard\System Scanner\backup\WINDOWS folder deleted successfully.C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WPDNSE folder deleted successfully.C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp folder deleted successfully.C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1 folder deleted successfully.C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1 folder deleted successfully.C:\Deckard\System Scanner\backup\DOCUME~1 folder deleted successfully.C:\Deckard\System Scanner\backup folder deleted successfully.C:\Deckard\System Scanner folder deleted successfully.C:\Deckard folder deleted successfully.Service not present: gmer.File delete failed. C:\Documents and Settings\Administrator\Desktop\OTMoveIt2.exe scheduled to be deleted on reboot.File delete failed. C:\Documents and Settings\Administrator\Desktop\OTMoveIt2.exe scheduled to be deleted on reboot.C:\VundoFix Backups folder deleted successfully.File delete failed. C:\Documents and Settings\Administrator\Desktop\OTMoveIt2.exe scheduled to be deleted on reboot. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 26, 2008 Root Admin ID:21163 Share Posted June 26, 2008 At this time your system appears to be clean. Here are some simple steps to follow in order to keep your computer clean and secure going forward.Disable and Enable System Restore-WINDOWS XPThis is a good time to clear your existing system restore points and establish a new clean restore point:Turn off System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.Check Turn off System Restore.Click Apply, and then click OK. Reboot.Turn ON System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.UN-Check *Turn off System Restore*.Click Apply, and then click OK.This will remove all restore points except the new one you just created.Here are some free programs I recommend that could help you improve your computer's security.Spybot Search and Destroy 1.5.2Download it from here. Just choose a mirror and off you go.Find here the tutorial on how to use Spybot properly hereInstall SpyWare Blaster 4.1Download it from hereFind here the tutorial on how to use Spyware Blaster here Install WinPatrolDownload it from hereHere you can find information about how WinPatrol works hereInstall FireTrust SiteHoundYou can find information and download it from hereInstall MVPS Hosts File from hereThe MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.You can find a tutorial here : http://www.mvps.org/winhelp2002/hosts.htmUpdate your Antivirus programs and other security products regularly to avoid new threats that could infect your system.You can use one of these sites to check if any updates are needed for your pc.Secunia Software InspectorF-secure Health CheckVisit Microsoft often to get the latest updates for your computer.http://www.update.microsoft.comNote 1: If you are running Windows XP SP2, you should upgrade to SP3.Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.The security suite can then be reinstalled afterwards.The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. I recommend Online Armor FreeA little outdated but good reading on how to prevent MalwareSince this issue is resolved I will close the thread in a day or two to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post InstructionsAlso don't forget that we offer FREE assistance with General PC questions and repair here PC Help If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 26, 2008 Root Admin ID:21164 Share Posted June 26, 2008 I noticed in your logs that WMI does not appear to be working. If you like we can attempt to repair it if you post a new topic in the PC Help forum.Windows Management Instrumentation - Wikipedia. Link to post Share on other sites More sharing options...
Recommended Posts