Trojan_DNS changer and Trojan-downloader.popuper
#31 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Hi ash :)

I've discussed this with experts, and here's what we're going to do.

Step 1: Setting Auto DNS

Click Start > Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double click on Network Connections. Right click on your default connection, usually Local Area Connection (LAN) for Cable and DSL, and click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks to.

Step 2: HijackThis fix in Safe Mode

Now, we'll make a fix in Safe Mode.

Please save the following instructions in a notepad file on your desktop as you will not be able to access this website during this stage of the fix.

Restart your computer and as soon as it starts booting up, continuously press F8. A menu will show up. Choose Safe Mode using the arrow keys and press enter. Note that Safe Mode might take some time to load, so please be patient.

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window IF PRESENT: (Do NOT click Fix yet!)
O17 - HKLM\System\CCS\Services\Tcpip\..\{41769AAE-BC93-46B4-8744-8C5CA69F5DBF}: NameServer = 85.255.116.164 85.255.112.81


Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer. It will reboot back into Normal Mode.

Step 3: OTScanIt

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Attach the information back here (Browse for the file, then click OK. After that, click the green UPLOAD button). I will review it when it comes in.

Step 4: Updating Java

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

In your next reply, please attach the OTScanIt log and provide me a fresh DSS log as well as a report on the system's behavior.

Tal
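The O17 line in Step 2 is a per-interface NameServer value that a DNS changer writes into the registry; the fix above simply deletes it and Step 1 puts the interface back on DHCP-assigned resolvers. As an added example (not part of this thread, and not a HijackThis or DSS feature), here is a small Python script that pulls the O17 lines out of a HijackThis log and flags any resolver that is not on an expected list, so the same check can be repeated on the post-fix log without eyeballing the addresses. The two sample lines are copied from this thread; the EXPECTED_RESOLVERS allowlist is an assumption standing in for whatever the user's ISP (Primus Canada, per posts #36 and #37) actually assigns, and the optional registry reader is for running the check on a live Windows machine.

```python
"""Check HijackThis O17 NameServer entries against an expected-resolver list.

Added example for this thread; not part of the original posts and not a
HijackThis or DSS feature. The sample lines are copied from the thread; the
EXPECTED_RESOLVERS allowlist is an assumption standing in for whatever the
user's ISP actually assigns.
"""
import ipaddress
import re

# HijackThis prints one O17 line per interface that has a hardcoded NameServer.
# "Tcpip\..\{GUID}" abbreviates HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\
# Parameters\Interfaces\{GUID}, which is where the value really lives.
O17_RE = re.compile(
    r"^O17 - (?P<key>HK[A-Z]+\\\S+?):\s*NameServer\s*=\s*(?P<servers>.+)$"
)

# Constructed sample (lines copied from the thread): the entry Tal told the user
# to fix, followed by the entry the post-fix DSS log showed.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{41769AAE-BC93-46B4-8744-8C5CA69F5DBF}: NameServer = 85.255.116.164 85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{41769AAE-BC93-46B4-8744-8C5CA69F5DBF}: NameServer = 216.254.141.13 209.90.160.220
"""

# Assumed allowlist. Take the real values from the ISP's documentation or from
# the DHCP lease of a machine you know is clean, never from the infected box.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("216.254.141.13/32"),
    ipaddress.ip_network("209.90.160.220/32"),
]


def _split_resolvers(text):
    """Turn 'a.b.c.d e.f.g.h' (space- or comma-separated) into IP objects."""
    ips = []
    for token in re.split(r"[\s,]+", text.strip()):
        try:
            ips.append(ipaddress.ip_address(token))
        except ValueError:
            pass  # not an IP literal; ignore it
    return ips


def parse_o17(log_text):
    """Return [(registry_key, [resolver IPs]), ...] for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append((m.group("key"), _split_resolvers(m.group("servers"))))
    return entries


def unexpected_resolvers(log_text, allowlist=EXPECTED_RESOLVERS):
    """Return, as strings, every resolver in the log that is not allowlisted.

    Any hardcoded NameServer deserves a look on a DHCP client, but resolvers
    outside the expected set are what a DNS changer leaves behind.
    """
    flagged = []
    for _key, ips in parse_o17(log_text):
        flagged.extend(str(ip) for ip in ips
                       if not any(ip in net for net in allowlist))
    return flagged


def read_interface_nameservers():
    """Windows only: read NameServer for every interface straight from the
    registry, so the check does not depend on a HijackThis log. Returns the
    same shape as parse_o17()."""
    import winreg  # standard library, present only on Windows
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    results = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            with winreg.OpenKey(root, guid) as iface:
                try:
                    value, _kind = winreg.QueryValueEx(iface, "NameServer")
                except FileNotFoundError:
                    continue  # interface uses DHCP-assigned resolvers
            if value:
                results.append((base + "\\" + guid, _split_resolvers(value)))
    return results


if __name__ == "__main__":
    for ip in unexpected_resolvers(SAMPLE_LOG):
        print("unexpected resolver:", ip)
```

Run it against a saved HijackThis log (or call read_interface_nameservers() on the machine itself) before and after the Safe Mode fix; the first sample line flags both 85.255.x.x addresses, the second flags nothing. The allowlist has to come from somewhere other than the infected machine, since the whole point of a DNS changer is that the addresses it installs look plausible.
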
#32 ash_9118 (Topic Starter, Member, 22 posts)
The notepad has been uploaded. And no connection problems so far.

Attached Files



#33 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Don't forget the DSS log. You may also reboot your PC several times, let me know if the problem returns.

#34 ash_9118 (Topic Starter, Member, 22 posts)
I have removed all existing Java programs and installed the one you told me to. I am no expert malware surgeon, but I can tell that the O17 line is correct this time. I am going to reboot my computer like you told me to see if there are any strange behaviors. Then I will reply again.
Now the fresh DSS log:
Deckard's System Scanner v20071014.68
Run by admin on 2008-05-24 12:19:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:01 PM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\admin\Desktop\Ashwin\Fixing comp\dss.exe
C:\DOCUME~1\admin\Desktop\Ashwin\Other\HJ\admin.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1201821736265
O17 - HKLM\System\CCS\Services\Tcpip\..\{41769AAE-BC93-46B4-8744-8C5CA69F5DBF}: NameServer = 216.254.141.13 209.90.160.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5610 bytes

-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-24 10:19:16 0 d-------- C:\Program Files\Spyware Doctor
2008-05-24 10:19:16 0 d-------- C:\Documents and Settings\admin\Application Data\PC Tools
2008-05-24 10:07:36 1312 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-24 10:07:36 40992 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-24 09:59:04 93440 --a------ C:\WINDOWS\system32\drivers\pctfw.sys <Not Verified; PC Tools; PC Tools NDIS Driver>
2008-05-24 09:59:00 0 d-------- C:\Program Files\Common Files\PC Tools
2008-05-20 18:06:32 0 d-------- C:\Program Files\Common Files\L&H
2008-05-20 01:36:14 0 d-------- C:\Documents and Settings\admin\Application Data\Yahoo! Messenger
2008-05-18 13:28:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-18 13:28:01 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 17:14:05 5505024 --a------ C:\Documents and Settings\admin\ntuser.dat
2008-05-12 20:32:05 0 dr-h----- C:\Documents and Settings\admin\Recent
2008-05-11 08:52:13 393216 --a------ C:\WINDOWS\system32\iMagicErrorLibrary.dll <Not Verified; iMagic; Innovasys vbCodeShield>
2008-05-11 08:52:12 161280 --a------ C:\WINDOWS\system32\TALBC.DLL
2008-05-11 08:52:12 163840 --a------ C:\WINDOWS\system32\FlicPlusSDK_Win32_API.dll
2008-05-11 08:52:11 0 d-------- C:\Program Files\iMagic Inventory
2008-05-09 13:11:32 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-05-08 17:10:18 0 d-------- C:\Program Files\Google
2008-05-07 16:50:58 0 d--h----- C:\$AVG8.VAULT$
2008-05-07 16:38:01 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-07 16:38:01 0 d-------- C:\Documents and Settings\admin\Application Data\AVGTOOLBAR
2008-05-07 16:37:53 0 d-------- C:\Program Files\AVG
2008-05-07 16:37:53 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-06 21:40:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-04 22:15:00 225 --a------ C:\WINDOWS\fastaero_config
2008-05-03 16:43:14 0 d-------- C:\Documents and Settings\admin\Application Data\Help
2008-05-02 23:53:30 0 d--h----- C:\Documents and Settings\admin\Recent(2)
2008-05-02 21:04:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-05-02 18:46:33 0 d-------- C:\Program Files\HyCam2
2008-05-02 18:43:25 2048 --a------ C:\WINDOWS\system32\Tr_sttool.dat
2008-05-02 18:43:24 0 d-------- C:\Program Files\Bulent's Screen Recorder 4
2008-05-02 14:58:41 0 d-------- C:\Documents and Settings\admin\dwhelper
2008-05-02 13:44:10 233472 -----n--- C:\WINDOWS\system32\wpcap.dll <Not Verified; CACE Technologies; WinPcap high level library>
2008-05-02 13:44:10 61440 -----n--- C:\WINDOWS\system32\WanPacket.dll <Not Verified; CACE Technologies; WinPcap low level NetMon wrapper library>
2008-05-02 13:44:10 81920 -----n--- C:\WINDOWS\system32\Packet.dll <Not Verified; CACE Technologies; WinPcap low level packet library>
2008-05-02 13:44:10 32512 -----n--- C:\WINDOWS\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
2008-05-01 16:09:35 0 d-------- C:\Program Files\iTunes
2008-05-01 15:46:27 0 d-------- C:\Documents and Settings\admin\Application Data\DivX
2008-05-01 13:36:15 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-25 19:20:18 0 d-------- C:\Program Files\SonicWallES
2008-04-25 14:16:51 0 d-------- C:\Documents and Settings\LocalService\Desktop


-- Find3M Report ---------------------------------------------------------------

2008-05-24 12:18:24 0 d-------- C:\Program Files\Java
2008-05-24 10:18:51 0 d-------- C:\Documents and Settings\admin\Application Data\utorrent
2008-05-24 10:04:59 0 d-------- C:\Program Files\PC Tools Firewall Plus
2008-05-24 09:59:00 0 d-------- C:\Program Files\Common Files
2008-05-24 09:52:41 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-05-23 18:13:41 0 d-------- C:\Program Files\LimeWire
2008-05-22 20:44:14 0 d-------- C:\Documents and Settings\admin\Application Data\FileZilla
2008-05-17 15:51:43 0 d-------- C:\Documents and Settings\admin\Application Data\Mozilla
2008-05-09 01:35:03 0 d-------- C:\Program Files\Safari
2008-05-04 16:03:46 0 d-------- C:\Program Files\DivX
2008-05-04 15:43:48 685775 --a------ C:\Documents and Settings\admin\Application Data\NMM-MetaData.db
2008-05-02 14:46:40 0 d-------- C:\Program Files\QuickTime
2008-05-01 19:30:36 0 d-------- C:\Program Files\Apple Software Update
2008-05-01 16:09:42 0 d-------- C:\Program Files\iPod
2008-04-22 18:08:22 0 d-------- C:\Program Files\Common Files\BitDefender
2008-04-22 18:08:14 0 d-------- C:\Program Files\BitDefender
2008-04-22 13:07:07 0 d-------- C:\Documents and Settings\admin\Application Data\CDBurnerXP_Soft
2008-04-22 13:06:45 0 d-------- C:\Program Files\CDBurnerXP
2008-04-20 13:56:20 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-04-19 23:27:47 0 d-------- C:\Program Files\Common Files\Scanner
2008-04-18 21:20:00 0 d-------- C:\Documents and Settings\admin\Application Data\PowerChallenge
2008-04-15 19:26:18 0 d-------- C:\Documents and Settings\admin\Application Data\LimeWire
2008-04-14 14:41:34 50880 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-13 15:17:24 0 d-------- C:\Program Files\MSECache
2008-04-12 22:03:08 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-11 21:32:47 0 d-------- C:\Program Files\Wisdom-soft MotionStudio
2008-04-08 22:44:57 0 d-------- C:\Program Files\Adobe CS3
2008-04-07 17:23:51 0 d-------- C:\Documents and Settings\admin\Application Data\NCH Swift Sound
2008-04-06 15:33:20 0 d-------- C:\Documents and Settings\admin\Application Data\Microsoft Games
2008-04-06 14:57:56 0 d-------- C:\Program Files\uTorrent
2008-04-05 16:21:06 0 d-------- C:\Program Files\Yahoo!
2008-04-05 14:52:20 0 d-------- C:\Program Files\Messenger Plus! Live
2008-04-05 14:52:19 0 d-------- C:\Program Files\MSN Messenger
2008-04-05 14:43:03 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-05 14:16:57 0 d-------- C:\Program Files\Windows Live
2008-03-31 17:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-03-31 17:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-03-31 17:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 17:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 17:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-03-30 21:06:03 0 d-------- C:\Documents and Settings\admin\Application Data\Nokia Multimedia Player
2008-03-24 18:22:15 0 d-------- C:\Documents and Settings\admin\Application Data\Ulead Systems
2008-03-24 18:18:07 0 d-------- C:\Program Files\Common Files\SONY Digital Images
2008-03-24 18:18:04 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-24 18:16:16 0 d-------- C:\Program Files\SmartSound Software
2008-03-24 18:14:44 0 d-------- C:\Program Files\Windows Media Components
2008-03-24 18:11:00 0 d-------- C:\Program Files\Ulead Systems
2008-03-21 16:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 16:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 16:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 16:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-12 10:00:31 2578 --a------ C:\WINDOWS\mozver.dat
2008-02-27 16:52:31 49152 --a------ C:\WINDOWS\system32\ArmAccess.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
05/11/2008 12:29 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [05/11/2008 12:29 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/07/2008 04:37 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [02/25/2008 04:49 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/2008 03:14 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
C:\DOCUME~1\admin\LOCALS~1\Temp\~evxtefq.tmp\temp00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^F-Secure Automatic Update.lnk]
backup=C:\WINDOWS\pss\F-Secure Automatic Update.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
"C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
"C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
VTtrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]




-- End of Deckard's System Scanner: finished at 2008-05-24 12:20:52 ------------

Edited by ash_9118, 24 May 2008 - 10:24 AM.


#35 ash_9118 (Topic Starter, Member, 22 posts)
Wow, you guys are geniuses!!! My computer is fixed!!! Just one question: with PC Tools Firewall Plus, that IP address 85.something wasn't being blocked. But when I turn on ZoneAlarm it does. But I don't like ZoneAlarm for some reason. Can you recommend any good free updateable firewall?

#36 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Different firewalls have different detection rates. PC Tools firewall, to be honest with you, is not the best of the firewalls. There are better free solutions, in fact. I don't really like ZoneAlarm either. A great free firewall that is one of the best in the market is Comodo Free Firewall (click the link). It's light and has great detection rates, plus it's not 'annoying' - it filters out legitimate entries automatically.

That address appears to be legitimate and belongs to your ISP - is your ISP Primus Canada? If so, that is a legit entry. Do you have any additional questions? :)

Tal

Edited by Tal, 24 May 2008 - 01:37 PM.


#37 ash_9118 (Topic Starter, Member, 22 posts)
It is Primus Canada. I installed Comodo Firewall, and where can I find the IP addresses blocked? I am able to find the applications blocked but not the IPs blocked.

Edited by ash_9118, 25 May 2008 - 12:45 PM.


#38 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Not sure - I think there is a log somewhere there, you can try looking at the settings. It will ask you if any non-Windows (or non-recognized) process or IP address tries to access the internet, so don't worry. Also I want to point out that you should only be running one anti-virus and one firewall at a time, otherwise they conflict and cause lower detection rates and a system slowdown as well. :)

Well, it looks like you're clean. Below are some steps to keep your computer clean, as you asked.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 3 free ones available for personal use:
and a good antivirus (these are also free for personal use):
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

Tal