Jump to content

Is my system clean now?


Recommended Posts

I found a lot of malware on my system a month ago, so I reformatted and reloaded. I think I did everything properly, but there are a couple of HJT items now I don't recognize, and I'm concerned I may have been reinfected by a USB drive, or possibly through the internet again. Can you tell me if my logs are clean? I am having problems running GMER - it keeps crashing before it finishes even if I've disabled all the anti-spyware/virus programs. I haven't been able to successfully manually stop it and save the log either. Thanks!

*** MBAM Log ***

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4156

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/30/2010 6:59:34 PM

mbam-log-2010-05-30 (18-59-34).txt

Scan type: Quick scan

Objects scanned: 115896

Time elapsed: 15 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*** DDS Log ***

DDS (Ver_10-03-17.01) - NTFSx86

Run by Mike at 21:19:29.34 on Sun 05/30/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.57 [GMT 3:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Tall Emu\Online Armor\OAcat.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe

C:\Documents and Settings\Mike\Desktop\dds.scr

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Download Guard for Internet Explorer: {20c1a7f0-528e-444f-bac5-5804a61cca7f} - c:\program files\lavasoft\download guard for internet explorer\DownloadGuardBHO.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Google Update] "c:\documents and settings\mike\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [bCMSMMSG] BCMSMMSG.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming

StartupFolder: c:\docume~1\mike\startm~1\programs\startup\logite~1.lnk - c:\program files\common files\logishrd\ereg\setpoint\eReg.exe

uPolicies-explorer: EditLevel = 0 (0x0)

uPolicies-explorer: NoCommonGroups = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: google.com\www

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272657403473

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272703201359

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\xd4jwdcx.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.chron.com/news/

FF - plugin: c:\documents and settings\mike\application data\mozilla\firefox\profiles\xd4jwdcx.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

FF - plugin: c:\documents and settings\mike\application data\mozilla\firefox\profiles\xd4jwdcx.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll

FF - plugin: c:\documents and settings\mike\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\mike\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-1 64288]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-1 164048]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-5-1 228216]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-5-1 24440]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2010-5-1 29560]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-1 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-1 40384]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]

R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2010-5-1 1284600]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-1 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-1 40384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-1 135664]

S2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2010-5-1 3364856]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2010-5-2 17149]

=============== Created Last 30 ================

2010-05-30 17:53:53 0 ----a-w- c:\documents and settings\mike\defogger_reenable

2010-05-15 18:50:09 0 d-----w- c:\program files\Trend Micro

2010-05-13 20:46:13 0 d-----w- c:\program files\PokerStars

2010-05-13 20:09:03 0 d-----w- c:\program files\PokerStars.NET

2010-05-05 14:51:39 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2010-05-05 14:51:39 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf

2010-05-05 14:51:32 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll

2010-05-04 18:57:25 0 d-----w- c:\docume~1\mike\applic~1\Logishrd

2010-05-04 16:45:27 107888 ----a-w- c:\windows\system32\CmdLineExt.dll

2010-05-03 17:55:31 0 d-----w- c:\program files\Firaxis Games

2010-05-02 15:25:30 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys

2010-05-02 15:25:07 94208 ----a-w- c:\windows\system32\DNIN50.dll

2010-05-02 15:25:07 651264 ----a-w- c:\windows\system32\libeay32.dll

2010-05-02 15:25:07 17149 ----a-w- c:\windows\system32\DNINDIS5.sys

2010-05-02 15:25:07 147456 ----a-w- c:\windows\system32\ssleay32.dll

2010-05-02 15:25:04 362944 ----a-w- c:\windows\system32\drivers\WG11TND5.sys

2010-05-02 15:25:04 149392 ----a-w- c:\windows\system32\drivers\ar5523.bin

2010-05-02 15:25:04 0 d-----w- c:\program files\NETGEAR

2010-05-01 18:18:01 0 d-----w- c:\docume~1\mike\applic~1\InterVoip

2010-05-01 18:09:05 0 d-----w- c:\program files\InterVoip.com

2010-05-01 18:08:05 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-05-01 18:08:05 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-05-01 18:07:40 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2010-05-01 18:07:40 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2010-05-01 17:55:14 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-05-01 17:55:13 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-05-01 13:15:52 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-05-01 13:15:52 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2010-05-01 13:15:02 0 d-----w- c:\program files\iPod

2010-05-01 13:14:52 0 d-----w- c:\program files\iTunes

2010-05-01 13:14:52 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-05-01 13:13:11 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-05-01 13:13:11 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-05-01 13:12:04 0 d-----w- c:\program files\Bonjour

2010-05-01 11:18:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-05-01 10:55:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-05-01 10:55:16 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-05-01 10:44:11 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CCE9E666-4D7C-4946-A98B-CFDE0A0C1706}

2010-05-01 10:43:56 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-01 10:43:35 0 d-----w- c:\program files\Lavasoft

2010-05-01 10:38:19 0 d-----w- c:\program files\SpywareBlaster

2010-05-01 10:30:59 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-05-01 10:30:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-05-01 10:23:07 0 d-----w- c:\docume~1\mike\applic~1\Malwarebytes

2010-05-01 10:22:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-01 10:22:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-01 10:22:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-01 10:22:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-01 10:11:05 0 d-----w- c:\docume~1\mike\applic~1\OnlineArmor

2010-05-01 10:11:05 0 d-----w- c:\docume~1\alluse~1\applic~1\OnlineArmor

2010-05-01 10:10:40 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys

2010-05-01 10:10:40 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys

2010-05-01 10:10:40 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys

2010-05-01 10:10:39 0 d-----w- c:\program files\Tall Emu

2010-05-01 09:09:05 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-05-01 09:09:05 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-05-01 07:38:01 30568 ----a-w- c:\windows\system32\mdimon.dll

2010-05-01 07:33:18 0 d-----w- c:\windows\SHELLNEW

2010-04-30 23:14:50 0 d-sh--w- c:\documents and settings\mike\IECompatCache

2010-04-30 22:23:10 0 d-----w- c:\program files\Windows Media Connect 2

2010-04-30 22:08:00 0 d-----w- c:\program files\common files\ODBC

2010-04-30 22:07:57 0 d-----w- c:\program files\common files\SpeechEngines

2010-04-30 22:07:30 0 d-----r- c:\documents and settings\all users\Documents

2010-04-30 19:25:36 0 d-sh--w- c:\documents and settings\all users\DRM

2010-04-30 19:24:16 0 d-----w- c:\program files\common files\MSSoap

2010-04-30 19:23:02 0 d--h--w- c:\program files\WindowsUpdate

2010-04-30 19:23:02 0 d-----w- c:\program files\Online Services

2010-04-30 19:22:56 0 d-----w- c:\program files\Messenger

2010-04-30 19:22:52 0 d-----w- c:\program files\MSN Gaming Zone

2010-04-30 19:22:19 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-04-30 19:23:49 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-04-08 10:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 10:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 21:22:15.29 ===============

Attach.zip

Link to post
Share on other sites

Hello FiveAces.

The DDS log does not show anything untoward. And the MBAM scan result is fine.

Do the following:

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Take out the trash (temporary files & temporary internet files)

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 4

Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.

The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:

http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx

Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.

http://download.bleepingcomputer.com/sUBs/...Disinfector.exe

There is no GUI interface or log file produced.

Step 5

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Using Internet Explorer browser only, go to ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

Step 6

RE-Enable your AntiVirus and AntiSpyware applications.

De-install HijackThis version 2.02 (using Control Panel's Add-or-Remove Programs)

Get the latest version:

Download and SAVE HijackThis

Save the HJT to your desktop or the folder of your choice, then navigate to that folder and double-click Hijackthis.exe to start it.

Do a "Scan and Save log".

Step 7

Reply with copy of contents of Eset scan log

and the HijackThis log

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Link to post
Share on other sites

Thanks! I'll get right on this. Question though - I've previously disabled AutoRun (I think) by following the instructions on the MS website. I changed a registry value to do this. Should I still disable it using the TweakUI or skip that step?

Link to post
Share on other sites

Ok I've followed all the instructions and run the scans. Here are the two logs you requested. ESET didn't find anything.

ESET Log

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=8a2aeb4230e84341a689845d7e7153c9

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-06-06 08:20:34

# local_time=2010-06-06 11:20:34 (+0300, Arab Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 1902028 1902028 0 0

# compatibility_mode=768 16777191 100 0 3138703 3138703 0 0

# compatibility_mode=6401 16777213 66 100 2642 3288509 0 0

# compatibility_mode=8192 67108863 100 0 547 547 0 0

# scanned=73373

# found=0

# cleaned=0

# scan_time=4195

HJT Log

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:20:00 PM, on 6/7/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Tall Emu\Online Armor\OAcat.exe

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Tall Emu\Online Armor\OAhlp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Mike\My Documents\Setup Files\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: DownloadGuardBHO - {20C1A7F0-528E-444F-BAC5-5804A61CCA7F} - C:\Program Files\Lavasoft\Download Guard for Internet Explorer\DownloadGuardBHO.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1272657403473

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1272703201359

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\OAcat.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--

End of file - 7896 bytes

Link to post
Share on other sites

You are good to go after the following.

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader.

De-install also ESET Online

HijackThis

Exit Control Panel.

Older versions of Adobe Reader pose a potential security risk.

Get latest Adobe Reader version 9.3

http://get.adobe.com/reader/

Be sure to un-check the box for Free McAfee Security Scan

The following few steps will remove tools we used; followed by advice on staying safer.

  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

We are finished here. Best regards.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.