
MS Juan Help, Please



This all started with various popups and an overall slowdown of my PC. Through various means, I appear to have eliminated everything except this pesky MS Juan that keeps re-appearing, and was hoping that perhaps someone here could give me some help. I have the required logfiles here:

Malwarebytes' Anti-Malware 1.18

Database version: 887

4:45:18 PM 24/06/2008

mbam-log-6-24-2008 (16-45-18).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 107604

Time elapsed: 1 hour(s), 18 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

---------------------------------------------------

Panda:

;*******************************************************************************

ANALYSIS: 2008-06-24 17:42:46

PROTECTIONS: 0

MALWARE: 3

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt

00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{25D23051-262D-405C-BB02-CD5A838C93A8}\RP2\A0001111.exe

00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{25D23051-262D-405C-BB02-CD5A838C93A8}\RP1\A0000014.exe

02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{25D23051-262D-405C-BB02-CD5A838C93A8}\RP2\A0001112.exe

02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{25D23051-262D-405C-BB02-CD5A838C93A8}\RP1\A0000015.exe

;===============================================================================

SUSPECTS

Sent Location o

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description o

;===============================================================================

150243 HIGH MS07-008 o

126087 HIGH MS06-046 o

120823 MEDIUM MS06-030 o

93454 MEDIUM MS05-049 o

;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:48:45, on 24/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20815)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: {1ba91dab-10ed-65ca-9a54-66e272eff89e} - {e98ffe27-2e66-45a9-ac56-de01bad19ab1} - C:\WINDOWS\system32\mnxpgehe.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...323/mcfscan.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Avira AntiVir Personal

mbam_log_6_24_2008__16_45_18_.txt

ActiveScan.txt


  • Root Admin

STEP 1

Please upload the following file to this location and post back the results.
C:\WINDOWS\system32\mnxpgehe.dll

Upload for scanning to:
virusscan.jotti.org

STEP 2

Start HijackThis and do a Scan Only

Then place a check mark on the following entries
  • O2 - BHO: {1ba91dab-10ed-65ca-9a54-66e272eff89e} - {e98ffe27-2e66-45a9-ac56-de01bad19ab1} - C:\WINDOWS\system32\mnxpgehe.dll

  • O4 - HKUS\S-1-5-19\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')

  • O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')

  • O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

  • O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

    Then click on Fix selected

STEP 3

Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download.

It is important that it is saved directly to your desktop**

  1. Please, never rename Combofix unless instructed.
  2. Close all open browsers.

  3. Close / disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important!
      Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.

    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

STEP 4

Download Deckard's System Scanner (DSS) to your Desktop.

Note: You must be logged onto an account with administrator privileges.

  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

What DSS will do:

  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.

  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Notes:

The first time that the Deckard scanner is run, the extra.txt is generated in a minimized window. The second time you will not obtain the extra.txt. You must go to Start => Run, copy the following into the line: "%userprofile%\desktop\dss.exe" /config and click OK. You will receive a pop-up box with options to check for the Main log and Extra Log and Options.

STEP 5

Then post back the above logs.

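The helper's STEP 2 picks out one O2 entry for removal: a BHO whose "display name" is itself a bare CLSID, backed by a randomly named DLL in system32. That is a triage heuristic worth having in code when you read these logs regularly. The script below is an added illustration and is not part of this thread, HijackThis, or any tool mentioned above; it parses HijackThis-style O2 and O4 lines (the sample text is constructed from the log posted here) and flags BHOs with no readable name or with an eight-letter random-looking DLL name under system32. The field names, regexes and the "reasons" output are this example's own design.

```python
import re

# Constructed sample: four HijackThis-style lines modelled on the log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {1ba91dab-10ed-65ca-9a54-66e272eff89e} - {e98ffe27-2e66-45a9-ac56-de01bad19ab1} - C:\WINDOWS\system32\mnxpgehe.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
"""

# A bare registry-style GUID such as {1ba91dab-10ed-65ca-9a54-66e272eff89e}
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# O2 lines: "O2 - BHO: <display name> - {CLSID} - <dll path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
# O4 lines: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<value>[^\]]*)\] (?P<command>.+)$")
# Eight lowercase letters plus .dll directly under system32 (heuristic, not a rule)
RANDOM_SYS32_DLL_RE = re.compile(r"\\[Ss]ystem32\\[a-z]{8}\.dll$")


def parse_bhos(log_text):
    """Return every O2 (Browser Helper Object) line as a dict of name/clsid/path."""
    matches = (O2_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def parse_autoruns(log_text):
    """Return every registry-backed O4 autorun line as a dict of hive/value/command."""
    matches = (O4_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def suspicious_bhos(log_text):
    """Flag BHOs that lack a human-readable name or live under a random-looking
    system32 filename. Each flagged entry carries the list of reasons so an
    analyst can see why it was raised rather than just that it was."""
    flagged = []
    for bho in parse_bhos(log_text):
        name = bho["name"].strip()
        reasons = []
        if GUID_RE.match(name):
            reasons.append("display name is a bare CLSID")
        elif name in ("", "(no name)"):
            reasons.append("no display name")
        if RANDOM_SYS32_DLL_RE.search(bho["path"]):
            reasons.append("random-looking eight-letter DLL name in system32")
        if reasons:
            flagged.append({**bho, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in suspicious_bhos(SAMPLE_LOG):
        print(entry["path"])
        for reason in entry["reasons"]:
            print("   -", reason)
    print(len(parse_autoruns(SAMPLE_LOG)), "registry autorun entries parsed")
```

Run against the sample, only the mnxpgehe.dll BHO is raised, with both reasons; the Java SSVHelper BHO passes because it has a readable name and an ordinary path. The autorun parser is deliberately not scored: entries like the showDeskFix RunOnce values need context, so the script lists them for review instead of guessing.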

AdvancedSetup,

Thank you so very much for your time. I followed your instructions step-by-step; here is the information you requested.

Jotti's Malware Scan:

Jotti.jpg

ComboFix's Log:

ComboFix 08-06-20.4 - Administrator 2008-06-24 22:36:12.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1532 [GMT -4:00]

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\assys.dll

C:\WINDOWS\BM3762d609.xml

C:\WINDOWS\ffnsys.dll

C:\WINDOWS\gstcore.dll

C:\WINDOWS\pskt.ini

C:\WINDOWS\rsczsys.dll

C:\WINDOWS\snsys.dll

C:\WINDOWS\system32\ughygxnc.ini

C:\WINDOWS\uawin.dll

.

((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))

.

2008-06-24 16:57 . 2008-06-24 16:58 <DIR> d-------- C:\Program Files\Panda Security

2008-06-24 14:12 . 2008-06-24 14:12 <DIR> d-------- C:\VundoFix Backups

2008-06-24 13:29 . 2008-06-24 13:29 <DIR> d-------- C:\Program Files\Avira

2008-06-24 13:29 . 2008-06-24 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8

2008-06-24 04:20 . 2008-06-24 04:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-06-24 04:20 . 2008-06-24 04:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-06-24 04:20 . 2008-06-24 04:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-06-24 04:20 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-06-24 04:20 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-06-24 03:03 . 2008-06-24 03:29 1,034 --a------ C:\WINDOWS\system32\tmp.reg

2008-06-24 02:51 . 2008-06-24 02:51 <DIR> d-------- C:\Program Files\Lavasoft

2008-06-24 00:31 . 2008-06-24 00:31 <DIR> d-------- C:\Program Files\AVG

2008-06-23 23:30 . 2008-06-23 23:30 <DIR> d-------- C:\WINDOWS\McAfee.com

2008-06-23 08:49 . 2008-06-23 08:49 99,328 --a------ C:\WINDOWS\system32\mnxpgehe.dll

2008-06-13 02:06 . 2008-06-13 02:06 <DIR> d-------- C:\Program Files\QuickTime

2008-06-11 12:51 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-06-11 12:51 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-01 00:06 . 2008-06-01 00:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx

2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-24 22:03 --------- d-----w C:\Program Files\Mozilla Thunderbird

2008-06-24 17:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira

2008-06-24 08:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3

2008-06-24 06:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-06-24 06:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-06-23 19:36 87,608 ----a-w C:\Documents and Settings\Administrator\Application Data\inst.exe

2008-06-23 19:36 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys

2008-06-23 19:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso

2008-06-23 00:50 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys

2008-06-23 00:46 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BitTorrent

2008-06-18 17:37 --------- d-----w C:\Program Files\OpenOffice.org 2.4

2008-06-18 07:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2

2008-06-09 04:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Image Zone Express

2008-05-17 06:52 --------- d-----w C:\Program Files\Max File Shredder

2008-05-08 12:14 203,008 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-05-06 17:55 --------- d-----w C:\Program Files\DVDlabPro2

2008-05-02 05:21 --------- d-----w C:\Program Files\Trend Micro

2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys

2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys

2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys

2008-04-25 21:45 --------- d-----w C:\Program Files\Free FLV Converter

2008-01-17 23:34 25,128 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT

2007-11-01 00:01 87,608 ----a-w C:\Documents and Settings\Johnny Sarcastic\Application Data\inst.exe

2007-11-01 00:01 47,360 ----a-w C:\Documents and Settings\Johnny Sarcastic\Application Data\pcouffin.sys

2007-10-26 20:07 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

2007-10-26 20:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

2007-10-26 20:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007102620071027\index.dat

2007-10-26 20:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 06:15 7311360]

"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]

"Tweak UI"="TWEAKUI.CPL,TweakMeUp" []

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 21:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= ctwdm32.dll

"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax

"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=

"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

.

Contents of the 'Scheduled Tasks' folder

"2008-05-29 17:57:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-24 22:38:30

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2008-06-24 22:44:12 - machine was rebooted

ComboFix-quarantined-files.txt 2008-06-25 02:44:03

Pre-Run: 58,613,297,152 bytes free

Post-Run: 58,686,844,928 bytes free

152 --- E O F --- 2008-06-21 07:00:45

Deckard's System Scanner Log - Main:

Deckard's System Scanner v20071014.68

Run by Administrator on 2008-06-25 00:23:05

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --

9: 2008-06-25 04:23:07 UTC - RP9 - Deckard's System Scanner Restore Point

8: 2008-06-25 02:36:03 UTC - RP8 - ComboFix created restore point

7: 2008-06-24 17:42:14 UTC - RP7 - Avira AntiVir Personal - 24/06/2008 13:42

6: 2008-06-24 17:39:15 UTC - RP6 - AntiVir PersonalEdition Classic - 24/06/2008 13:39

5: 2008-06-24 17:29:27 UTC - RP5 - AntiVir PersonalEdition Classic - 24/06/2008 13:29

-- First Restore Point --

1: 2008-06-24 07:19:56 UTC - RP1 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:23:45, on 25/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20815)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Administrator\Desktop\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...323/mcfscan.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Avira AntiVir Personal

ComboFix.txt

main.txt

extra.txt


Malwarebytes' Anti-Malware 1.18

Database version: 891

2:44:31 PM 25/06/2008

mbam-log-6-25-2008 (14-44-31).txt

Scan type: Quick Scan

Objects scanned: 40648

Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:45:24, on 25/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20815)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...323/mcfscan.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Avira AntiVir Personal

Link to post
Share on other sites

  • Root Admin

Okay, how is the system running now? I no longer see any indication of Malware in the log.

Please click on START - RUN and type in REGEDIT then click OK

On the left side, browse down the tree until you get to this location.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan

If you cannot find this key let me know. If you do find this key let me know if there is other data in the right side and what it says.

Also, please update MB once again and run another Quick Scan and post that log.

Link to post
Share on other sites

Everything seems great! That key is nowhere to be found in RegEdit. That's fantastic, I appreciate your help. What could've caused this? I'm always very careful about what I download and about links I follow. Is AntiVir a decent antivirus program, or should I be using something else (in your opinion)?

Malwarebytes' Anti-Malware 1.18

Database version: 891

3:50:51 PM 25/06/2008

mbam-log-6-25-2008 (15-50-51).txt

Scan type: Quick Scan

Objects scanned: 40666

Time elapsed: 1 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Root Admin

AntiVir is considered a great product by many in this area of security. There is no single product out that can catch or clean everything. Many new variants come out every day.

Please Download OTMoveIt2 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt2.exe to run it.
  • While connected to the Internet, click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up, select Yes and allow the system to clean up these items.
  • DO NOT allow it to reboot your system when asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2.

NOW please reboot your computer to finish the cleanup process and post back the details you copied from OTMoveIt2.

Link to post
Share on other sites

Excellent, thanks for your advice and further help. Here's OTMoveIt2:

File/Folder avenger.zip not found.

File/Folder avenger.exe not found.

File/Folder Avenger not found.

File/Folder avenger.txt not found.

File/Folder bfu.zip not found.

File/Folder BFU not found.

C:\WINDOWS\erdnt\subs folder deleted successfully.

C:\WINDOWS\erdnt\Hiv-backup\Users\00000006 folder deleted successfully.

C:\WINDOWS\erdnt\Hiv-backup\Users\00000005 folder deleted successfully.

C:\WINDOWS\erdnt\Hiv-backup\Users\00000004 folder deleted successfully.

C:\WINDOWS\erdnt\Hiv-backup\Users\00000003 folder deleted successfully.

C:\WINDOWS\erdnt\Hiv-backup\Users\00000002 folder deleted successfully.

C:\WINDOWS\erdnt\Hiv-backup\Users\00000001 folder deleted successfully.

C:\WINDOWS\erdnt\Hiv-backup\Users folder deleted successfully.

C:\WINDOWS\erdnt\Hiv-backup folder deleted successfully.

C:\WINDOWS\erdnt\dss folder deleted successfully.

C:\WINDOWS\erdnt folder deleted successfully.

C:\QooBox\Quarantine\Registry_backups folder deleted successfully.

C:\QooBox\Quarantine\C\WINDOWS\system32 folder deleted successfully.

C:\QooBox\Quarantine\C\WINDOWS folder deleted successfully.

C:\QooBox\Quarantine\C\Documents and Settings\Johnny Sarcastic\Application Data folder deleted successfully.

C:\QooBox\Quarantine\C\Documents and Settings\Johnny Sarcastic folder deleted successfully.

C:\QooBox\Quarantine\C\Documents and Settings\Administrator\Application Data folder deleted successfully.

C:\QooBox\Quarantine\C\Documents and Settings\Administrator folder deleted successfully.

C:\QooBox\Quarantine\C\Documents and Settings folder deleted successfully.

C:\QooBox\Quarantine\C folder deleted successfully.

C:\QooBox\Quarantine folder deleted successfully.

C:\QooBox\BackEnv folder deleted successfully.

C:\QooBox folder deleted successfully.

Service not present: catchme.

C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files folder deleted successfully.

C:\Deckard\System Scanner\backup\WINDOWS folder deleted successfully.

C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WPDNSE folder deleted successfully.

C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp folder deleted successfully.

C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1 folder deleted successfully.

C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1 folder deleted successfully.

C:\Deckard\System Scanner\backup\DOCUME~1 folder deleted successfully.

C:\Deckard\System Scanner\backup folder deleted successfully.

C:\Deckard\System Scanner folder deleted successfully.

C:\Deckard folder deleted successfully.

Service not present: gmer.

File delete failed. C:\Documents and Settings\Administrator\Desktop\OTMoveIt2.exe scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Administrator\Desktop\OTMoveIt2.exe scheduled to be deleted on reboot.

C:\VundoFix Backups folder deleted successfully.

File delete failed. C:\Documents and Settings\Administrator\Desktop\OTMoveIt2.exe scheduled to be deleted on reboot.

Link to post
Share on other sites

  • Root Admin

At this time your system appears to be clean.

Here are some simple steps to follow in order to keep your computer clean and secure going forward.

Disable and Enable System Restore - WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.5.2

Download it from here. Just choose a mirror and off you go.

Find the tutorial on how to use Spybot properly here.

Install SpyWare Blaster 4.1

Download it from here.

Find the tutorial on how to use Spyware Blaster here.

Install WinPatrol

Download it from here.

You can find information about how WinPatrol works here.

Install FireTrust SiteHound

You can find information and download it from here.

Install MVPS Hosts File from here.

The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

You can find a tutorial here: http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your PC.

Visit Microsoft often to get the latest updates for your computer.

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. I recommend Online Armor Free.

A little outdated but good reading on how to prevent Malware.

Since this issue is resolved I will close the thread in a day or two to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

Link to post
Share on other sites
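The MVPS HOSTS-file blocking the Root Admin describes above (ad sites sunk to 127.0.0.1) is easy to verify mechanically. The following is an added example, not code from the thread or from MVPS: it parses a HOSTS file in that layout, reports which names are sunk, and flags any entry that points a name somewhere other than loopback, which is the pattern a tampered HOSTS file shows. The sample HOSTS text and its hostnames are constructed placeholders.

```python
# Added example, not from the thread: parse an MVPS-style Windows HOSTS file
# and report which names it sinks. The sample text below is constructed.
import ipaddress

# The loopback address the post mentions, plus 0.0.0.0 (used by later MVPS releases).
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback in every Windows HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Return {hostname: address} for each active entry, handling '#'
    comments, blank lines and several names per line (names lower-cased)."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comment
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no name
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip rather than guess
        for name in fields[1:]:
            entries[name.lower()] = fields[0]
    return entries

def is_blocked(entries, hostname):
    """True when the HOSTS file sends hostname to a sink address."""
    return entries.get(hostname.lower()) in SINK_ADDRESSES

def redirect_candidates(entries):
    """Entries mapping a name to a routable address rather than a sink; a
    blocking HOSTS file never does this, so such lines deserve review."""
    return {n: a for n, a in entries.items()
            if a not in SINK_ADDRESSES and n not in LOCAL_NAMES}

SAMPLE_HOSTS = """\
# constructed sample in the MVPS layout; hostnames are placeholders
127.0.0.1  localhost
127.0.0.1  ads.example-adnetwork.test   # banner server
0.0.0.0    tracker.example.test counter.example.test
203.0.113.7  update.example-av.test     # not a sink: review this
notanip    garbage.line
"""

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-adnetwork.test", "counter.example.test"):
        print(name, "blocked" if is_blocked(hosts, name) else "not blocked")
    print("review:", redirect_candidates(hosts))
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts into parse_hosts instead of SAMPLE_HOSTS; anything redirect_candidates returns is an entry the MVPS file would never have written.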
