Trojan.Virtumonde [RESOLVED]


  • This topic is locked

#1
Phugga
  • Member
  • 19 posts
Hello everyone! For some reason or other, after I downloaded a file (which seemed clean), my anti-virus detected a Trojan.Virtumonde and terminated the application. I thought this was the end of it, but it seems it has caused many more problems.

My startup monitor is showing that a program named BMd3d35e05 is trying to register the executable Rundll32.exe "C:\WINDOWS\system32\mjyavhuq.dll" to run at startup. It asks me whether I would allow this change, so being suspicious of the file names, I clicked "no", and got another pop-up of the same kind, from a different DLL file and a different program.

My SpywareGuard is also telling me that a BHO (Browser Helper Object) has been added to my system. The file location is: C:\WINDOWS\system32\opnnnLfE.dll

I tell it to remove the DLL, and it is done successfully, but another message pops up right after that one, this time for mlJArqqO.dll.

Here is my HijackThis log. I took a go at analyzing it, and it seems I need to remove the line in O4 that has the program, but I would like to ask for help to make sure.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:30 AM, on 28/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BMd3d35e05] Rundll32.exe "C:\WINDOWS\system32\mjyavhuq.dll",s
O4 - HKLM\..\Run: [d0e06d99] rundll32.exe "C:\WINDOWS\system32\pecoyyui.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1199270203968
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6990 bytes

#2
BHowett
  • OT Moderator
  • 4,649 posts
Hello and welcome back to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again.

The fixes may take several attempts and my replies may take some time but stick with it, and we will be sure to get you sorted.

ComboFix

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3
Phugga
  • Topic Starter
  • Member
  • 19 posts
Here is the ComboFix log:

ComboFix 08-04-26.5 - Harry 2008-04-28 11:53:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.142 [GMT 10:00]
Running from: C:\Documents and Settings\Harry\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dllcache\spoolsv.exe
C:\WINDOWS\system32\iuyyocep.ini
C:\WINDOWS\system32\mjyavhuq.dll
C:\WINDOWS\system32\mlJArqqO.dll
C:\WINDOWS\system32\opnnnLfE.dll
C:\WINDOWS\system32\OqqrAJlm.ini
C:\WINDOWS\system32\OqqrAJlm.ini2
C:\WINDOWS\system32\pecoyyui.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-28 08:30 . 2008-04-28 08:30 109,738 --a------ C:\WINDOWS\BMd3d35e05.xml
2008-04-28 08:17 . 2008-04-28 08:17 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-04-26 22:39 . 2008-04-26 22:41 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-26 22:22 . 2008-04-26 22:23 <DIR> d-------- C:\My Music
2008-04-26 22:20 . 2008-04-26 22:24 <DIR> d-------- C:\Program Files\FairStars MP3 Recorder
2008-04-25 08:47 . 2008-04-28 12:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-25 08:47 . 2008-04-25 08:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-23 16:35 . 2008-04-23 16:36 <DIR> d-------- C:\Program Files\i.Hex
2008-04-20 21:36 . 2008-04-20 21:36 <DIR> d-------- C:\Deckard
2008-04-17 11:42 . 2008-04-17 11:39 1,145,412 --a------ C:\WINDOWS\system32\borlandimports.rar
2008-04-17 11:42 . 2008-04-17 11:42 122,368 --a------ C:\WINDOWS\system32\KiPE.dll
2008-04-17 11:42 . 2008-04-17 11:39 82,203 --a------ C:\WINDOWS\system32\Rev 1152.rar
2008-04-17 11:42 . 2008-04-17 11:00 2,353 --a------ C:\WINDOWS\system32\MapleStory.lnk
2008-04-17 11:42 . 2008-04-14 00:09 527 --a------ C:\WINDOWS\system32\MASM32 Editor.lnk
2008-04-16 18:21 . 2008-04-16 18:21 <DIR> d-------- C:\Program Files\Visual Zip Password Recovery Processor
2008-04-16 17:03 . 2008-04-16 17:03 268 --ah----- C:\sqmdata04.sqm
2008-04-16 17:03 . 2008-04-16 17:03 244 --ah----- C:\sqmnoopt04.sqm
2008-04-15 11:39 . 2008-04-15 11:39 671 --a------ C:\WINDOWS\system32\newaddies.xtc
2008-04-14 22:56 . 2008-04-18 13:46 <DIR> d-------- C:\Sammy's Pin Cracker Log
2008-04-14 16:06 . 2008-04-14 16:06 4,706 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-04-14 11:40 . 2008-04-14 11:40 1,024 --a------ C:\.rnd
2008-04-14 00:07 . 2008-04-14 00:10 <DIR> d-------- C:\masm32
2008-04-13 23:49 . 2008-04-13 23:55 <DIR> d-------- C:\Program Files\MicroTools4U
2008-04-13 20:48 . 2008-04-13 20:49 <DIR> d-------- C:\Python25
2008-04-13 18:33 . 2008-04-13 18:33 <DIR> d-------- C:\Documents and Settings\Harry\Application Data\Nexon
2008-04-13 18:32 . 2008-04-13 18:32 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-13 18:32 . 2003-07-21 04:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-04-13 18:32 . 2005-01-04 19:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-04-13 17:56 . 2008-04-13 17:56 <DIR> d-------- C:\Nexon
2008-04-13 16:57 . 2008-04-13 16:57 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-13 16:57 . 2008-04-13 17:08 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-04-13 16:57 . 2008-04-13 16:58 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-04-13 16:54 . 2008-04-13 16:54 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-04-13 16:50 . 2008-04-13 16:50 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-13 16:50 . 2008-04-13 16:50 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-13 16:49 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-04-13 16:47 . 2008-04-13 16:47 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-13 16:04 . 2008-04-14 22:02 <DIR> d-------- C:\Program Files\AC Tool
2008-04-11 22:47 . 2008-04-12 09:24 <DIR> d-------- C:\Tools
2008-04-09 19:46 . 2008-04-09 19:46 <DIR> d-------- C:\Program Files\Opera
2008-04-09 19:12 . 1999-12-21 07:58 21,312 --a------ C:\WINDOWS\choice.exe
2008-04-09 19:10 . 2008-04-09 19:10 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-09 19:10 . 2008-04-09 19:10 <DIR> d-------- C:\ie-spyad
2008-04-09 19:09 . 2008-04-28 11:39 <DIR> d-------- C:\Program Files\SpywareGuard
2008-04-08 17:02 . 2008-04-08 19:44 <DIR> d-------- C:\Program Files\eMule
2008-04-06 15:30 . 2008-04-21 09:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 15:30 . 2008-04-06 15:30 <DIR> d-------- C:\Documents and Settings\Harry\Application Data\Malwarebytes
2008-04-06 15:30 . 2008-04-06 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 16:24 . 2008-04-05 16:24 <DIR> d-------- C:\WINDOWS\dog3 dir
2008-04-05 16:24 . 2008-04-05 16:24 471,040 --a------ C:\WINDOWS\dog3.scr
2008-04-05 16:24 . 2008-04-05 16:24 12,288 --a------ C:\WINDOWS\impborl.dll
2008-04-05 11:25 . 2008-04-28 11:53 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-05 10:55 . 2008-04-05 10:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-04 19:37 . 2008-04-04 19:37 <DIR> d-------- C:\Program Files\Panda Security
2008-04-04 19:18 . 2008-04-04 19:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 17:13 . 2008-04-04 17:13 <DIR> d-------- C:\Program Files\CleanUp!
2008-04-04 16:49 . 2008-04-04 16:49 <DIR> d-------- C:\Documents and Settings\Harry\Application Data\Uniblue
2008-04-04 16:00 . 2008-04-04 16:28 <DIR> d-------- C:\Program Files\Zards software
2008-04-04 15:20 . 2008-04-05 11:22 40 --a------ C:\WINDOWS\system32\scolmpdain.xml
2008-04-03 17:38 . 2008-04-03 17:38 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-03 16:53 . 2008-04-03 17:38 <DIR> d-------- C:\VundoFix Backups
2008-04-03 16:20 . 2008-04-28 08:26 9,175,040 --a------ C:\Documents and Settings\Harry\ntuser.dat.rmbak
2008-04-02 21:36 . 2008-04-02 21:37 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-04-02 21:34 . 2008-04-02 21:37 <DIR> d-------- C:\Program Files\Avi2Dvd
2008-04-02 19:49 . 2008-04-02 20:19 <DIR> d-------- C:\ConverterOutput
2008-04-02 19:45 . 2008-04-02 19:45 <DIR> d-------- C:\Program Files\Cucusoft
2008-04-02 19:45 . 2004-10-12 13:40 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-04-02 19:45 . 2004-10-12 13:46 1,761,280 --a------ C:\WINDOWS\system32\ffdshow.ax
2008-04-02 19:45 . 2004-10-05 15:16 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-04-02 19:45 . 2004-10-12 13:42 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2008-04-02 19:45 . 2003-04-02 23:17 172,032 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-04-02 19:45 . 2004-10-04 00:50 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 01:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 22:25 --------- d-----w C:\Documents and Settings\Harry\Application Data\uTorrent
2008-04-20 23:50 98,304 ----a-w C:\WINDOWS\DUMP6580.tmp
2008-04-20 23:46 98,304 ----a-w C:\WINDOWS\DUMP7510.tmp
2008-04-20 11:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-20 04:18 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-13 12:10 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-13 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-13 06:51 --------- d-----w C:\Program Files\MSBuild
2008-04-04 07:21 --------- d-----w C:\Documents and Settings\Harry\Application Data\LimeWire
2008-04-04 07:21 --------- d-----w C:\Documents and Settings\Harry\Application Data\Desktop Sidebar
2008-04-03 10:47 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-22 11:49 --------- d-----w C:\Program Files\Total Video Converter
2008-03-14 10:54 --------- d-----w C:\Program Files\Google
2008-03-07 05:43 --------- d-----w C:\Program Files\Java
2008-02-16 10:08 164,952 ----a-w C:\WINDOWS\Audio Converter Pro Uninstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-04-30 11:23 1433600 C:\WINDOWS\mixer.exe]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 14:41 94208]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 07:21 1443072]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 10:15 861184]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51 1836328]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 13:18 267048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 16:23 86016 C:\WINDOWS\StartupMonitor.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RegistryMechanic"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]

C:\Documents and Settings\Harry\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnnLfE]
opnnnLfE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-01-03 10:03 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Probe]
--a------ 2001-12-17 20:22 617984 C:\Program Files\ASUS\Probe\AsusProb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-29 05:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-26 23:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 22:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Tools\\Hydra\\hydra.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 07:21]
R3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys [2002-06-06 10:14]
S3 DAEDriver54;DAEDriver54;C:\Documents and Settings\Harry\Desktop\Maplestory Hacking\DAEng\dak32.sys [2008-03-03 16:12]
S3 dump_wmimmc;dump_wmimmc;C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys []
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Harry\Desktop\hackpack\Moonlight engine 1152\IlvMoney1152.sys []
S3 LoveDRIVER53;LoveDRIVER53;C:\Documents and Settings\Harry\Desktop\Maplestory Hacking\Love Engine 0.2\Loveliss.sys [2008-02-25 18:23]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 12:25:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-28 02:03:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 12:01:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-28 12:09:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 02:08:57
ComboFix2.txt 2008-04-05 12:15:41
ComboFix3.txt 2008-04-05 01:33:16

Pre-Run: 15,035,768,832 bytes free
Post-Run: 15,050,711,040 bytes free

212 --- E O F --- 2008-04-25 00:47:42




@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


Here is my updated HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:48 PM, on 28/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1199270203968
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: opnnnLfE - opnnnLfE.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7003 bytes



Also, I have started to get this other error: "The instruction 0xXXXXXXX referenced at memory 0xXXXXXXXXX could not be "read". Click OK to terminate the application." X is any number, as the address varies. It occurs for many programs, including wauclt.exe and others.

I forgot to mention: before I ran ComboFix, I was browsing the internet and could not do a search with Google. Instead, it took a lot longer than usual and didn't even perform the search. It just opened a new Firefox browser containing all these ads. However, the fix has caused my startup monitor and spyware guard to stop sending me alert messages about those programs trying to register an executable.
  • 0

#4
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi Phugga,

Ok, let's continue…

Combofix Script.txt

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\BMd3d35e05.xml
C:\WINDOWS\system32\muzika.xm
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnnLfE]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

===============================================

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
===============================================

Needed in next reply:

Combofix.txt
Malwarebytes results
A new HijackThis log

Also let me know how things are running :)
  • 0

#5
Phugga

Phugga

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Here is my ComboFix Log

ComboFix 08-04-26.5 - Harry 2008-04-29 22:10:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.219 [GMT 10:00]
Running from: C:\Documents and Settings\Harry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Harry\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\WINDOWS\BMd3d35e05.xml
C:\WINDOWS\system32\muzika.xm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\WINDOWS\BMd3d35e05.xml
C:\WINDOWS\system32\muzika.xm

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-29 18:44 . 2008-04-29 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-29 18:42 . 2008-04-29 18:43 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-26 22:39 . 2008-04-26 22:41 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-26 22:22 . 2008-04-26 22:23 <DIR> d-------- C:\My Music
2008-04-26 22:20 . 2008-04-26 22:24 <DIR> d-------- C:\Program Files\FairStars MP3 Recorder
2008-04-25 08:47 . 2008-04-29 16:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-25 08:47 . 2008-04-25 08:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-23 16:35 . 2008-04-23 16:36 <DIR> d-------- C:\Program Files\i.Hex
2008-04-20 21:36 . 2008-04-20 21:36 <DIR> d-------- C:\Deckard
2008-04-17 11:42 . 2008-04-17 11:39 1,145,412 --a------ C:\WINDOWS\system32\borlandimports.rar
2008-04-17 11:42 . 2008-04-17 11:42 122,368 --a------ C:\WINDOWS\system32\KiPE.dll
2008-04-17 11:42 . 2008-04-17 11:39 82,203 --a------ C:\WINDOWS\system32\Rev 1152.rar
2008-04-17 11:42 . 2008-04-17 11:00 2,353 --a------ C:\WINDOWS\system32\MapleStory.lnk
2008-04-17 11:42 . 2008-04-14 00:09 527 --a------ C:\WINDOWS\system32\MASM32 Editor.lnk
2008-04-16 18:21 . 2008-04-16 18:21 <DIR> d-------- C:\Program Files\Visual Zip Password Recovery Processor
2008-04-15 11:39 . 2008-04-15 11:39 671 --a------ C:\WINDOWS\system32\newaddies.xtc
2008-04-14 22:56 . 2008-04-18 13:46 <DIR> d-------- C:\Sammy's Pin Cracker Log
2008-04-14 16:06 . 2008-04-14 16:06 4,706 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-04-14 11:40 . 2008-04-14 11:40 1,024 --a------ C:\.rnd
2008-04-14 00:07 . 2008-04-14 00:10 <DIR> d-------- C:\masm32
2008-04-13 23:49 . 2008-04-13 23:55 <DIR> d-------- C:\Program Files\MicroTools4U
2008-04-13 20:48 . 2008-04-13 20:49 <DIR> d-------- C:\Python25
2008-04-13 18:33 . 2008-04-13 18:33 <DIR> d-------- C:\Documents and Settings\Harry\Application Data\Nexon
2008-04-13 18:32 . 2008-04-13 18:32 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-13 18:32 . 2003-07-21 04:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-04-13 18:32 . 2005-01-04 19:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-04-13 17:56 . 2008-04-13 17:56 <DIR> d-------- C:\Nexon
2008-04-13 16:57 . 2008-04-13 16:57 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-13 16:57 . 2008-04-13 17:08 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-04-13 16:57 . 2008-04-13 16:58 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-04-13 16:54 . 2008-04-13 16:54 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-04-13 16:50 . 2008-04-13 16:50 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-13 16:50 . 2008-04-13 16:50 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-13 16:49 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-04-13 16:47 . 2008-04-13 16:47 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-13 16:04 . 2008-04-14 22:02 <DIR> d-------- C:\Program Files\AC Tool
2008-04-11 22:47 . 2008-04-12 09:24 <DIR> d-------- C:\Tools
2008-04-09 19:46 . 2008-04-09 19:46 <DIR> d-------- C:\Program Files\Opera
2008-04-09 19:12 . 1999-12-21 07:58 21,312 --a------ C:\WINDOWS\choice.exe
2008-04-09 19:10 . 2008-04-09 19:10 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-09 19:10 . 2008-04-09 19:10 <DIR> d-------- C:\ie-spyad
2008-04-09 19:09 . 2008-04-28 11:39 <DIR> d-------- C:\Program Files\SpywareGuard
2008-04-08 17:02 . 2008-04-08 19:44 <DIR> d-------- C:\Program Files\eMule
2008-04-06 15:30 . 2008-04-21 09:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 15:30 . 2008-04-06 15:30 <DIR> d-------- C:\Documents and Settings\Harry\Application Data\Malwarebytes
2008-04-06 15:30 . 2008-04-06 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 16:24 . 2008-04-05 16:24 <DIR> d-------- C:\WINDOWS\dog3 dir
2008-04-05 16:24 . 2008-04-05 16:24 471,040 --a------ C:\WINDOWS\dog3.scr
2008-04-05 16:24 . 2008-04-05 16:24 12,288 --a------ C:\WINDOWS\impborl.dll
2008-04-05 11:25 . 2008-04-28 11:53 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-05 10:55 . 2008-04-05 10:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-04 19:37 . 2008-04-04 19:37 <DIR> d-------- C:\Program Files\Panda Security
2008-04-04 19:18 . 2008-04-04 19:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 17:13 . 2008-04-04 17:13 <DIR> d-------- C:\Program Files\CleanUp!
2008-04-04 16:49 . 2008-04-04 16:49 <DIR> d-------- C:\Documents and Settings\Harry\Application Data\Uniblue
2008-04-04 16:00 . 2008-04-04 16:28 <DIR> d-------- C:\Program Files\Zards software
2008-04-04 15:20 . 2008-04-05 11:22 40 --a------ C:\WINDOWS\system32\scolmpdain.xml
2008-04-03 17:38 . 2008-04-03 17:38 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-03 16:53 . 2008-04-03 17:38 <DIR> d-------- C:\VundoFix Backups
2008-04-03 16:20 . 2008-04-28 08:26 9,175,040 --a------ C:\Documents and Settings\Harry\ntuser.dat.rmbak
2008-04-02 21:36 . 2008-04-02 21:37 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-04-02 21:34 . 2008-04-02 21:37 <DIR> d-------- C:\Program Files\Avi2Dvd
2008-04-02 19:49 . 2008-04-02 20:19 <DIR> d-------- C:\ConverterOutput
2008-04-02 19:45 . 2008-04-02 19:45 <DIR> d-------- C:\Program Files\Cucusoft
2008-04-02 19:45 . 2004-10-12 13:40 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-04-02 19:45 . 2004-10-12 13:46 1,761,280 --a------ C:\WINDOWS\system32\ffdshow.ax
2008-04-02 19:45 . 2004-10-05 15:16 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-04-02 19:45 . 2004-10-12 13:42 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2008-04-02 19:45 . 2003-04-02 23:17 172,032 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-04-02 19:45 . 2004-10-04 00:50 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 01:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 22:25 --------- d-----w C:\Documents and Settings\Harry\Application Data\uTorrent
2008-04-20 23:50 98,304 ----a-w C:\WINDOWS\DUMP6580.tmp
2008-04-20 23:46 98,304 ----a-w C:\WINDOWS\DUMP7510.tmp
2008-04-20 11:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-20 04:18 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-13 12:10 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-13 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-13 06:51 --------- d-----w C:\Program Files\MSBuild
2008-04-04 07:21 --------- d-----w C:\Documents and Settings\Harry\Application Data\LimeWire
2008-04-04 07:21 --------- d-----w C:\Documents and Settings\Harry\Application Data\Desktop Sidebar
2008-04-03 10:47 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-22 11:49 --------- d-----w C:\Program Files\Total Video Converter
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 10:54 --------- d-----w C:\Program Files\Google
2008-03-07 05:43 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 10:08 164,952 ----a-w C:\WINDOWS\Audio Converter Pro Uninstaller.exe
2008-02-10 05:13 351,824 ----a-w C:\WINDOWS\system32\kingsoft_ciba_blin.exe
2008-02-03 01:15 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-28_12.08.27.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 02:00:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 06:01:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
- 2008-02-14 05:58:53 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-04-29 08:44:39 74,137 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-04-30 11:23 1433600 C:\WINDOWS\mixer.exe]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 14:41 94208]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 07:21 1443072]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 10:15 861184]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51 1836328]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 13:18 267048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 16:23 86016 C:\WINDOWS\StartupMonitor.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RegistryMechanic"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]

C:\Documents and Settings\Harry\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-01-03 10:03 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Probe]
--a------ 2001-12-17 20:22 617984 C:\Program Files\ASUS\Probe\AsusProb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-29 05:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-26 23:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 22:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Tools\\Hydra\\hydra.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 07:21]
R3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys [2002-06-06 10:14]
R3 FKLanse;FKLanse;C:\Documents and Settings\Harry\Desktop\GMS_V53_VIP\GMS_V53_VIP\ms.dat []
S3 DAEDriver54;DAEDriver54;C:\Documents and Settings\Harry\Desktop\Maplestory Hacking\DAEng\dak32.sys []
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Harry\Desktop\hackpack\Moonlight engine 1152\IlvMoney1152.sys []
S3 LoveDRIVER53;LoveDRIVER53;C:\Documents and Settings\Harry\Desktop\Maplestory Hacking\Love Engine 0.2\Loveliss.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - FKLANSE
.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 12:25:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-29 06:24:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 22:14:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\FKLanse]
"ImagePath"="\??\C:\Documents and Settings\Harry\Desktop\GMS_V53_VIP\GMS_V53_VIP\ms.dat"
.
Completion time: 2008-04-29 22:17:38
ComboFix-quarantined-files.txt 2008-04-29 12:16:56
ComboFix2.txt 2008-04-28 02:09:24
ComboFix3.txt 2008-04-05 12:15:41
ComboFix4.txt 2008-04-05 01:33:16

Pre-Run: 16,015,540,224 bytes free
Post-Run: 16,012,537,856 bytes free

218 --- E O F --- 2008-04-25 00:47:42


The Malwarebytes log. (I removed two items)

Malwarebytes' Anti-Malware 1.11
Database version: 694

Scan type: Quick Scan
Objects scanned: 34108
Time elapsed: 24 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



And the Updated HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:50 PM, on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1199270203968
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7408 bytes




Also, my computer seems to be running normally. I didn't receive any notices of harmful objects trying to run at startup, nor am I getting the memory error. Let's hope this continues, because some days are good, while others are horrific. Thank you for helping me thus far. :)
  • 0
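An added triage script (written for this page, not code from the thread, HijackThis or ComboFix) that flags the two autostart patterns this thread turned on, an orphaned Winlogon Notify entry and rundll32 loading a DLL from system32, and then checks that a follow-up log no longer contains them. The two sample logs, and the program name and DLL name in the rundll32 line, are constructed placeholders.

```python
"""
HijackThis log triage: flag O4/O20 autostart lines matching the patterns seen
in this thread, then verify a later log no longer contains them.
Sample logs below are constructed; their rundll32 program/DLL names are
placeholders, not real files.
"""
import re
from typing import List, NamedTuple

# O20 lines look like "O20 - Winlogon Notify: name - name.dll (file missing)".
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$"
)
# O4 Run-key lines look like 'O4 - HKLM\..\Run: [name] "C:\path\prog.exe" /switch'.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# A rundll32 command and the DLL it loads (quoted or unquoted, with or without ",entry").
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.IGNORECASE)


class Finding(NamedTuple):
    line: str    # the HijackThis line, whitespace stripped
    reason: str  # why it was flagged


def triage(log_text: str) -> List[Finding]:
    """Return the O4/O20 lines that match the two patterns, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o20 = O20_RE.match(line)
        if o20 and o20.group("missing"):
            # winlogon.exe loads Notify DLLs at logon with SYSTEM rights; a
            # registered DLL that no longer exists on disk is an orphaned
            # autostart left behind after the DLL itself was removed.
            findings.append(Finding(line, "Winlogon Notify DLL missing on disk (orphaned loader)"))
            continue
        o4 = O4_RE.match(line)
        if o4:
            rd = RUNDLL_RE.search(o4.group("cmd"))
            if rd and "\\system32\\" in rd.group("dll").lower():
                findings.append(Finding(line, "rundll32 loading a DLL from system32 at logon"))
    return findings


def still_present(findings: List[Finding], later_log: str) -> List[Finding]:
    """Findings whose exact line still appears in a follow-up log."""
    later = {raw.strip() for raw in later_log.splitlines()}
    return [f for f in findings if f.line in later]


# Constructed pre-fix log: two benign lines plus the two flagged patterns
# (placeholder program and DLL names; the O20 entry mirrors the thread's).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BMplaceholder] Rundll32.exe "C:\WINDOWS\system32\xxxxxxxx.dll",s
O20 - Winlogon Notify: opnnnLfE - opnnnLfE.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Constructed post-fix log: same benign entries, flagged ones gone.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    found = triage(BEFORE_LOG)
    for f in found:
        print(f"FLAG: {f.reason}\n      {f.line}")
    leftover = still_present(found, AFTER_LOG)
    print("clean" if not leftover else f"{len(leftover)} flagged entries still present")
```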

#6
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
I'm glad to hear things are running normally. Your logs are looking good, so let's get one more scan just to make sure :)


ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Kaspersky WebScanner
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#7
Phugga

Phugga

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Here is my log for the Kaspersky Online scan. I read through it, and some things, such as Brutus (which I use to test password strength), are considered a virus. If it is causing the problems, I will remove it, but I would rather keep it for my own purposes.



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 01, 2008 7:02:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/05/2008
Kaspersky Anti-Virus database records: 733621
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 93824
Number of viruses found: 13
Number of infected objects: 37
Number of suspicious objects: 0
Duration of the scan process: 02:43:41

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02132008-194801.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\Harry\Application Data\Mozilla\Firefox\Profiles\l49earc0.default\cert8.db Object is locked skipped
C:\Documents and Settings\Harry\Application Data\Mozilla\Firefox\Profiles\l49earc0.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Harry\Application Data\Mozilla\Firefox\Profiles\l49earc0.default\history.dat Object is locked skipped
C:\Documents and Settings\Harry\Application Data\Mozilla\Firefox\Profiles\l49earc0.default\key3.db Object is locked skipped
C:\Documents and Settings\Harry\Application Data\Mozilla\Firefox\Profiles\l49earc0.default\parent.lock Object is locked skipped
C:\Documents and Settings\Harry\Application Data\Mozilla\Firefox\Profiles\l49earc0.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Harry\Application Data\Mozilla\Firefox\Profiles\l49earc0.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Harry\Application Data\Nero\Nero8\Nero BackItUp\Cache\NBKeyScan.txt Object is locked skipped
C:\Documents and Settings\Harry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Harry\Desktop\General Hacking\Brutus\brutus-aet2.zip/BrutusA2.exe Infected: not-a-virus:PSWTool.Win32.Brutus skipped
C:\Documents and Settings\Harry\Desktop\General Hacking\Brutus\brutus-aet2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Harry\Desktop\General Hacking\Brutus\BrutusA2.exe Infected: not-a-virus:PSWTool.Win32.Brutus skipped
C:\Documents and Settings\Harry\Desktop\Installs\fairstars_mp3_recorder.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped
C:\Documents and Settings\Harry\Desktop\Installs\[DB]_Naruto_Shippuuden_Movie_[75F57621].avi Object is locked skipped
C:\Documents and Settings\Harry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Harry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Harry\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A6DDFD2F-BEB5-4278-BFEA-BAF9F1A6344A} Object is locked skipped
C:\Documents and Settings\Harry\Local Settings\Application Data\Mozilla\Firefox\Profiles\l49earc0.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Harry\Local Settings\Application Data\Mozilla\Firefox\Profiles\l49earc0.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Harry\Local Settings\Application Data\Mozilla\Firefox\Profiles\l49earc0.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Harry\Local Settings\Application Data\Mozilla\Firefox\Profiles\l49earc0.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Harry\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Harry\Local Settings\History\History.IE5\MSHist012008050120080502\index.dat Object is locked skipped
C:\Documents and Settings\Harry\Local Settings\Temp\~DF4769.tmp Object is locked skipped
C:\Documents and Settings\Harry\Local Settings\Temp\~DF8709.tmp Object is locked skipped
C:\Documents and Settings\Harry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Harry\ntuser.dat Object is locked skipped
C:\Documents and Settings\Harry\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bgksxwqe.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mjyavhuq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qri skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\opnnnLfE.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pecoyyui.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qrj skipped
C:\QooBox\Quarantine\catchme2008-04-28_115708.23.zip/mlJArqqO.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrq skipped
C:\QooBox\Quarantine\catchme2008-04-28_115708.23.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP113\A0215015.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP114\A0217084.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP135\A0252559.exe/bpkhk.dll Infected: not-a-virus:Monitor.Win32.Perflogger.ca skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP135\A0252559.exe/bpkwb.dll Infected: not-a-virus:Monitor.Win32.Perflogger.ca skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP135\A0252559.exe/bpk.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP135\A0252559.exe/rinst.exe Infected: not-a-virus:Monitor.Win32.Perflogger.cb skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP135\A0252559.exe RAR: infected - 4 skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP135\A0252559.exe RapSFX: infected - 4 skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP136\A0252582.exe/bpkhk.dll Infected: not-a-virus:Monitor.Win32.Perflogger.ca skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP136\A0252582.exe/bpkwb.dll Infected: not-a-virus:Monitor.Win32.Perflogger.ca skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP136\A0252582.exe/bpk.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP136\A0252582.exe/rinst.exe Infected: not-a-virus:Monitor.Win32.Perflogger.cb skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP136\A0252582.exe RAR: infected - 4 skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP136\A0252582.exe RapSFX: infected - 4 skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP143\A0294994.exe Infected: HackTool.Win32.Injecter.l skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP153\A0317206.EXE/is201792.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP153\A0317206.EXE CAB: infected - 1 skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP153\A0317207.EXE/is201792.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP153\A0317207.EXE CAB: infected - 1 skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP154\A0318245.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qri skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP154\A0318246.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP154\A0318247.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrj skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP154\A0318339.exe Infected: HackTool.Win32.Injecter.l skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP154\A0318360.exe Infected: Trojan-PSW.Win32.Lmir.xe skipped
C:\System Volume Information\_restore{12E13E66-9A9B-4817-8B9F-452E65EDFAF2}\RP155\change.log Object is locked skipped
C:\Tools\Hydra\pw-inspector.exe Infected: not-a-virus:PSWTool.Win32.PWInspector.b skipped
C:\Tools\hydra-5.4-win.zip/hydra-5.4-win/pw-inspector.exe Infected: not-a-virus:PSWTool.Win32.PWInspector.b skipped
C:\Tools\hydra-5.4-win.zip ZIP: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\S5A1136F0.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\~DFEACC.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#8 BHowett (OT Moderator, 4,649 posts)
Hi Phugga,

Your log is fine, and you can keep your password tools. All the infections found were found in quarantine and system restore, and we are about to clean them out right now :) .



ComboFix Removal
  • Follow these steps to uninstall Combofix and tools used in the removal of malware:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

===============================================

Reset your restore points

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

===============================================

This is my standard post for when you are clear - which you now are - or seem to be. Please advise me of any problems you still have.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1.) Watch what you download!
Many freeware programs and P2P programs (Grokster, Imesh, Kazaa and others are amongst the most notorious) come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

2.) Go to Internet Explorer > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed. If you're running Windows XP, that of course includes the Service Pack 2! If you suspect your computer is infected with Malware of any type, we advise you to not install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free Expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.

It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

3.) Open Internet Explorer and go to Internet Options > Security > Internet, then press "Default Level", then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option > Security.

So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

4.) Install Javacool's SpywareBlaster

It will protect you from most spy/foistware in its database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer). Press "Enable All Protection", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.

5.) Let's also not forget that Spybot Search & Destroy has the Immunize feature which works roughly the same way. Another feature within Spybot is the TeaTimer option. This option immediately detects known malicious processes wanting to start and terminates them. TeaTimer also detects when something wants to change some critical registry keys and gives you an option to allow them or not.

6.) Microsoft now offers their own free malicious software blocking tool. Windows Defender improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC.

7.) Another excellent program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method.

8.) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

*It is important to note that all of the above programs/files can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, the following suggestions are designed to only run one of each. It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.*

9.) It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are ZoneAlarm, Kerio and Sygate.

10.) An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.

NOTE: DO NOT install more than one anti-virus program. They will conflict, and provide less protection, not more.


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Thanks for letting us help you!
  • 0
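An added example, not from the thread or from any of the tools named in the post above: a PowerShell script that audits the Internet-zone ActiveX settings from step 3 against the values the post recommends (Prompt, Prompt, Disable), can apply them, and counts the ActiveX kill bits that step 4's SpywareBlaster sets. The registry paths and action numbers are Microsoft's documented zone settings; the function names are my own.

```powershell
# Added example (not from the thread): audit and optionally apply the
# Internet-zone ActiveX settings the post tells the reader to set by hand,
# and count kill-bitted controls.
# Registry layout (Microsoft-documented): zone 3 = Internet; action value
# 1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX
# controls, 1201 = Initialize and script ActiveX controls not marked as safe;
# data 0 = Enable, 1 = Prompt, 3 = Disable.

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# The values the post recommends: Prompt, Prompt, Disable.
$Recommended = @{ '1001' = 1; '1004' = 1; '1201' = 3 }
$StateName   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# One row per action: current value, recommended value, OK or WEAK.
function Get-ActiveXZoneAudit {
    param([string]$Path = $ZoneKey, [hashtable]$Want = $Recommended)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($action in ($Want.Keys | Sort-Object)) {
        $have = $props.$action
        $haveName = if ($null -eq $have) { 'not set' }
                    elseif ($StateName.ContainsKey([int]$have)) { $StateName[[int]$have] }
                    else { "value $have" }
        New-Object PSObject -Property @{
            Action      = $action
            Current     = $haveName
            Recommended = $StateName[$Want[$action]]
            Status      = if ($have -eq $Want[$action]) { 'OK' } else { 'WEAK' }
        }
    }
}

# Apply the recommended values (the same change as the Custom Level clicks).
function Set-ActiveXZoneHardening {
    param([string]$Path = $ZoneKey, [hashtable]$Want = $Recommended)
    foreach ($action in $Want.Keys) {
        Set-ItemProperty -Path $Path -Name $action -Value $Want[$action] -Type DWord
    }
}

# A CLSID whose 'Compatibility Flags' has bit 0x400 set carries the kill bit:
# IE refuses to instantiate that control. SpywareBlaster adds such entries.
function Get-KillBitCount {
    $compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    $count = 0
    foreach ($clsid in Get-ChildItem -Path $compat -ErrorAction SilentlyContinue) {
        $flags = (Get-ItemProperty -Path $clsid.PSPath).'Compatibility Flags'
        if ($flags -band 0x400) { $count++ }
    }
    return $count
}

Get-ActiveXZoneAudit | Format-Table Action, Current, Recommended, Status -AutoSize
"Kill-bitted CLSIDs: $(Get-KillBitCount)"
# To apply the recommended settings for the current user, run: Set-ActiveXZoneHardening
```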

#9 Phugga (Topic Starter, Member, 19 posts)
THANK YOU VERY MUCH. My computer seems to be running fine now, without any problems, (though a bit too slow). I have installed all the programs in your last reply, and hope I will no longer have any more problems with my computer. Again, thank you for helping me.
  • 0

#10 BHowett (OT Moderator, 4,649 posts)
You’re welcome, glad I could help... good luck with your training!

See you around, and safe surfing :)
  • 0

#11 BHowett (OT Moderator, 4,649 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
