[RatHat]

Well that didn't find anything!

Hows your computer running now?

Regards,
RatHat

[Advertisements]

Well... i havent seen the a.doginhispen.com or the b.skitodayplease.com in m history today, but i know just my browsing thru my computer that there are still some bak files. so i have a couple questions for you:
1. is it normal that kaspersky skipped so many files saying that they were blocked?
2. can i go ahead and try to restore some bak files myself?
3. there are a couple of programs that are not working properly mainly the empowering technology and AVG, is there anything we can do?
4. What's your opinion as a tech doc, what have you seen in those logs? is it still there?

In the meantime im going to run Panda online scan, cuz it was able to find them the first time. Again appreciate your help!!!

[Robleh]

Well... i havent seen the a.doginhispen.com or the b.skitodayplease.com in m history today, but i know just my browsing thru my computer that there are still some bak files. so i have a couple questions for you:
1. is it normal that kaspersky skipped so many files saying that they were blocked?
2. can i go ahead and try to restore some bak files myself?
3. there are a couple of programs that are not working properly mainly the empowering technology and AVG, is there anything we can do?
4. What's your opinion as a tech doc, what have you seen in those logs? is it still there?

In the meantime im going to run Panda online scan, cuz it was able to find them the first time. Again appreciate your help!!!

[RatHat]

1. is it normal that kaspersky skipped so many files saying that they were blocked?

Yes, that is normal, and none of them looked bad.

2. can i go ahead and try to restore some bak files myself?

A lot of programs make backups, that is normal. The ones you have left have very old date stamps, so should be OK, as they would have been made prior to your infection. You can restore them if you want to.

3. there are a couple of programs that are not working properly mainly the empowering technology and AVG, is there anything we can do?

Uninstall these programs, then re-install them. Some of the drivers may have been damaged by the malware, or deleted. After uninstalling, delete the bak folders if they are still there.

4. What's your opinion as a tech doc, what have you seen in those logs? is it still there?

I think you are close to being clear, if not already clean. Do the above, and post me the results of the Panda scan whan it is complete so I can see if there is anything else.

Also post me a fresh HijackThis log.

Regards,
RatHat

[Robleh]

Hello again, i am no tech expert but i don't think panda found anything theatening here's scan results:

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Robleh\Desktop\Combo-Fix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Robleh\Desktop\Combo-Fix.exe[327882R2FWJFW\nircmd.cfexe]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@mediaplex[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@doubleclick[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@apmebf[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@com[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@serving-sys[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@tribalfusion[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@fastclick[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@adtech[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Robleh\Cookies\[email protected][1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Robleh\Cookies\[email protected][2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@advertising[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@zedo[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Robleh\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected C:\FOUND.004\FILE0001.CHK
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix[1]\NIRCMD.COM
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix[1]\nircmd.cfexe

and also here's the hijackthis log, i'll be waiting fo you orders commander!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:39 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [epm-dm] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by130fd.bay13...es/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10314 bytes

[RatHat]

Well you log is clean, but to make doubly sure, lets run an F-Secure online scan for Viruses, Spyware and RootKits:

• Go to http://support.f-sec.../home/ols.shtml
• Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
• Allow the Active X control to be installed on your computer, then click the Accept button
• Click Full System Scan and allow the components to download and the scan to complete.
• If malware is found, check Submit samples to F-Secure then select Automatic cleaning
• When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan

• When the cleaning option is presented, Uncheck Submit samples to F-Secure
• Click Automatic cleaning
• When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Notes:

• This scan will only work with Internet Explorer
• You must have administrator rights to run this scan
• This scan can take a while, so please be patient

Regards,
RatHat

[Robleh]

Hello RatHat, sorry i couldnt post earlier, i was busy all day today, here's the report from F-secure. I don't know about this one, has it really found 4 viruses? awaiting your orders commander!!

Scanning Report
Friday, February 08, 2008 00:16:46 - 01:37:42
Computer name: ACER-684C9A655D
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 21 malware found
Possible Browser Hijack attempt (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
Trojan.Win32.KillAV.oh (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP176\A0069161.EXE (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP176\A0069162.EXE (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP176\A0069193.EXE (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP176\A0069237.EXE (Renamed)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 37307
System: 4399
Not scanned: 4
Actions:
Disinfected: 2
Renamed: 4
Deleted: 0
None: 15
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\HIBERFIL.SYS
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2008-02-07
F-Secure AVP: 7.0.171, 2008-02-08
F-Secure Orion: 1.2.37, 2008-02-07
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0598-150-72
F-Secure Pegasus: 1.19.0, 2008-01-06
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQXJPG SWF
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

[RatHat]

Your log is clean!

Thos reports were in the System Restore, which we will clean in a minute. Firstly though, lets clean out your temp files:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now lets uninstall Combofix:

• Click START then RUN
• Now type Combofix /u in the runbox and click OK

The above procedure will do the following:

• Delete ComboFix and its associated files and folders.
• Delete VundoFix backups, if present
• Delete the C:\Deckard folder, if present
• Delete the C:_OtMoveIt folder, if present
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Reset System Restore.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Now for some prevetative measures! It is essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vunerable. It is best if you have these set to download automatically.

Automatic Updates for Windows

• Click Start.
• Select Settings and then Control Panel.
• Select Automatic Updates.
• Click Automatic (recommended)
• Choose a day and a time when you know the computer will be on and connected to the internet.
• Click Apply then OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In addition to Windows updates, you also need to ensure that your version of Java is the latest.Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 4). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.

• Click Start, Control Panel, Add/Remove Programs.
• Delete all Java updates except Java ™ 6 Update 4

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, now lets download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware

• SpywareBlaster to help prevent spyware from installing in the first place.
• SpywareGuard to catch and block spyware before it can execute.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
• Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
• AdAware another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vunerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers

• Trillian or,
• Miranda-IM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat

[Robleh]

Ok commander i'll get to work on these new instructions right away, first 2 lil questions:
1. Is ATF the program that's gonna clean my system restore?
2. between the 5 anti-spyware programs that u mentioned which 2 or possibly 3 do u think are the best? cuz i have norton 360 already installed on my compuuter and 5 more would just kill it lol!! do u think AVG is necessary?

and yes please let the topic open for a lilttle longer, i still have a couple questions for you boss. Again thx for the great help!!!

[RatHat]

1. Is ATF the program that's gonna clean my system restore?

Nope, Combofix /u is going to do that.

2. between the 5 anti-spyware programs that u mentioned which 2 or possibly 3 do u think are the best?

You can use all of them, only one is memory resident; SpywareGuard. Just don't enable TeaTimer when installing Spybot S&D.

With Spybot, use the Immunize section ever couple of weeks. Have SpywareBlaster enable protection and also update it regularly. Both of these add block to malware in your registry so you cannot get certain infections. IESpyAd does something similar by blocking known bad sites.

Regards,
RatHat

[Robleh]

Ok RatHat im going to now fire the last serie of questions at you:

1. what do i do with the remaining tools that we used such as FindAWF.exe, DrWeb, and ATF?
2. I paid to subscribe for 1 year of Norton 360, but only now i have realised that its useless, should i uninstall it after my subscription is over or should i keep it?
3. Can i get rid of all the report logs that i saved on my desktop, i mean all the ones from Hijackthis, Combix, AWF?
4. there's still a folder which is about 4mb and entitled Combofix, i dont have anything against it, but is it normal that it stayed?

I thank you for all your help.

[RatHat]

1. what do i do with the remaining tools that we used such as FindAWF.exe, DrWeb, and ATF?

Delete everything except ATF. Use ATF at least once a week to clean out your temp folders.

2. I paid to subscribe for 1 year of Norton 360, but only now i have realised that its useless, should i uninstall it after my subscription is over or should i keep it?

When your subscription is over, uninstall Norton after downloading the Norton Removal tool from here

You can replace it by installing one of these very good free AV's:
Anti Virus Programs

• AVG AntiVirus version 7.5 is free for personal use.
• avast! 4 Home Edition another very good free AV.
• Avira AntiVir PersonalEdition, yet another good free AV.

And also one of these free Firewalls:
Personal Firewalls

• Online Armor (Free edition) personal firewall
• Comodo is a free fully functional firewall

3. Can i get rid of all the report logs that i saved on my desktop, i mean all the ones from Hijackthis, Combix, AWF?

Yes go ahead and delet all of them.

4. there's still a folder which is about 4mb and entitled Combofix, i dont have anything against it, but is it normal that it stayed?

Yes, go ahead and delete that too.

Regards,
RatHat

[Robleh]

Well RatHat its been 3 days, and I havent seen any suspicious websites appearing in my history, there's nothing left but to thank you very much for your very effective help. If you have any last advice or steps you can give me, i'll take them, otherwise you can close this topic. So thx for everything!!

[RatHat]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

[RatHat]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.