[papelex69]

Hi,

Can someone help me pls. None of the spyware,malware virus removers had found something.
The problem is that when I'm working @ homr, my Internet connection hardly works.
When I look to my netstat I see that my services.exe takes all tcp connections.
When removing these connections, new ones are popping up......!!

When I work @ at my office, this phenomenon doesn't appear to happen. (probably the company blocks the used ports.
I'll send a hijack log file.
Can someone pls look at this..

Thnx.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:29:46, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\bmwebcfg.exe
C:\Program Files\AGFA\Agfa VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINNT\system32\nvsvc32.exe
D:\oracle\product\9.2.0\db_1\BIN\TNSLSNR.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINNT\system32\vmnat.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\WINNT\system32\mqtgsvc.exe
C:\Program Files\NetInst\NiAiServ.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\WLTRAY.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\stsystra.exe
C:\Program Files\AGFA\AgfaNiAgent.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
D:\Profiles\awgcg\LOCALS~1\Temp\UnlockerAssistant.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\vVX3000.exe
C:\WINNT\system32\ctfmon.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINNT\system32\wbem\wmiapsrv.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\AWGCG.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.agfanet/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/ig?hl=nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ICS 071120 (proxy.ict)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-pac.ict...2/ie-config.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ict:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.Smartpipes.Net;*.esm.uu.Net;*.Xapps.ops.us.uu.net;*.Worldcom.Net;*.mci.Net;pbk
.mci.com;esmws1.mci.Com;192.168.*.*;10.*.*.*;<local>
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O2 - BHO: (no name) - {85A611CA-CA0F-469B-8220-B70221A545BB} - (no file)
O2 - BHO: Swodum Proxy Toolbar Helper - {D85A260B-4A52-4498-85F4-682BACB5EEBB} - C:\PROGRA~1\Swodum\PROXYT~1\swprxie.dll
O2 - BHO: HttpWatch Basic - {F1F69322-008F-4895-B2BF-AD194219825A} - d:\Program Files\HttpWatch\httpwatchsc.dll
O3 - Toolbar: Swodum Proxy Toolbar - {A86B2D27-3653-46B1-8FB5-644FCEF56D14} - C:\PROGRA~1\Swodum\PROXYT~1\swprxie.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINNT\system32\WLTRAY.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AgfaNiAgnt] "C:\Program Files\AGFA\AgfaNiAgent.exe" /S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Profiles\awgcg\LOCALS~1\Temp\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINNT\vVX3000.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ReleaseManager] \\10.233.84.54\Orbis_Sync\releasemanager\ReleaseManager.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: TransBar.lnk = C:\WINNT\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Global Startup: Bginfo.lnk = C:\Program Files\AGFA\Bginfo.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobiele favorieten maken... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - d:\Program Files\HttpWatch\httpwatch.dll
O9 - Extra 'Tools' menuitem: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - d:\Program Files\HttpWatch\httpwatch.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intra.agfanet
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1210921813125
O16 - DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} (Livelink Edit Control) - https://livelink.mit...edit/lledit.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.local
O17 - HKLM\Software\..\Telephony: DomainName = emea.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = emea.local,local,imz.local,be.local,imz.be
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emea.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = emea.local,local,be.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = emea.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = emea.local,local,be.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = emea.local,local,be.local
O18 - Protocol: qpic - {F20816C2-B39E-47C5-95A4-94A5E6D172C7} - d:\PROGRA~1\QUESTS~1\PERFOR~1\Oracle\QUESTA~1\qpic.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\NetInst\NiAMH.dll
O22 - SharedTaskScheduler: hyperproduction - {9d19a1a9-3cdf-4f15-a5ca-ea3905febded} - (no file)
O23 - Service: AGFARISWinSockLayer_HL7ORU - AGFA Healthcare Connectivity Gent - d:\agfa\interfaces\bin\agfawinsocklayer.exe
O23 - Service: AGFARISWinSockLayer_XMLORD - AGFA Healthcare Connectivity Gent - d:\agfa\interfaces\bin\agfawinsocklayer.exe
O23 - Service: AGFARISWinSockLayer_XMLORU - AGFA Healthcare Connectivity Gent - d:\agfa\interfaces\bin\agfawinsocklayer.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINNT\system32\bmwebcfg.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\AGFA\Agfa VPN Client\cvpnd.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NetInstall Service (NIAIServ) - enteo Software GmbH - C:\Program Files\NetInst\NiAiServ.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NetInstall Executive (NiExServ) - enteo Software GmbH - C:\Program Files\NetInst\NiExServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OracleOracle_Home920Agent - Oracle Corporation - D:\oracle\product\9.2.0\db_1\bin\agntsrvc.exe
O23 - Service: OracleOracle_Home920ClientCache - Unknown owner - D:\oracle\product\9.2.0\db_1\BIN\ONRSD.EXE
O23 - Service: OracleOracle_Home920SNMPPeerEncapsulator - Unknown owner - D:\oracle\product\9.2.0\db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOracle_Home920SNMPPeerMasterAgent - Unknown owner - D:\oracle\product\9.2.0\db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOracle_Home920TNSListener - Unknown owner - D:\oracle\product\9.2.0\db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceHIS - Oracle Corporation - d:\oracle\product\9.2.0\db_1\bin\ORACLE.EXE
O23 - Service: QAM Launcher 3566 (QuestLauncher3566) - Quest Software, Inc. - D:\Program Files\Quest Software\Performance Analysis Server\agents\bin\quest_launcher.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINNT\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINNT\system32\vmnat.exe

--
End of file - 14368 bytes

[Advertisements]

Hello Papelex69,

Welcome to Geekstogo.

I am analysing your log and will get back to you in a bit.

[emeraldnzl]

Hello Papelex69,

Welcome to Geekstogo.

I am analysing your log and will get back to you in a bit.

[emeraldnzl]

Hello again papelex69,

Your machine is infected.

Before we do anything we should start from a sound base.

-------------------------------------------------------------------

• Please read this post completely, it may make it easier if you copy and paste this post to a new text document or print it for reference later. This will especially help you when your computer is off line. You may want to do this following each post for each set of instructions.
• It is important you carry out instructions exactly in the order they appear. If however for some reason you cannot carry out one of them, please move on to the next and let me know in the next post what happened.

-------------------------------------------------------------------

Next

Please download VundoFix.exe to your desktop

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.

Please post the contents of C:\vundofix.txt in your next reply.

• Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
  
  -----Step 2-----
  
  Download and scan with SUPERAntiSpyware Free for Home Users
  
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
  
  -----Step 3-----
  
  Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
  So when you return please post:
• contents of Vundo fix.txt
• SuperAntiSpyware scan results
• results of Deckards System Scan

[papelex69]

Alle requested logs are uploaded.

Thnx in advance,

AD.

Attached Files

•  logs.zip   19.44KB   329 downloads

[papelex69]

Extra information...

As i was at a customer's site, they complained that my laptop was sending e-mails towads everyone.

As I examined my TCP connections, you could see a lot of *.snmp sessions.
All of them had the status SYNC_EVENT.... When I delete them, new entries will come up!!

kr,
AD.

[emeraldnzl]

Hello again papelex69,

Still seems to be infection there. Use of Keygens always results in infection.

Question: There is a file there "LMIIgnition.exe" which could either be related to your infection or could be because of a remote connection to your computer...say from work. Please tell me if you have a remote connection to your machine.

Now

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {85A611CA-CA0F-469B-8220-B70221A545BB} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  [kill explorer]
  C:\WINNT\system32\4cffa149
  D:\SOFTWARE\TOTAL COMMANDER 7
  HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0627638b-d489-11dc-841f-0016419da532}
  HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0973f804-cb01-11db-8bbc-0016419da532}
  HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c23e737-c802-11dc-9fbb-0016419da532}
  HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{929b8a04-c40a-11dc-91cd-0016cf4eabdf}
  purity
  [start explorer]

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Next

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  

  -----------------------------------------------------------

• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

So when you return

• tell me about a possible remote connection
• post contents of OTMoveIt2 report
• post Combofix text
• post a new HijackThis log

Also would you please post the reports in this thread. It doesn't matter if it takes more than one post. Analysing your logs is harder from unzipped files outside the forum.

[papelex69]

hello,
I downloaded the OTMoveIt2 by OldTimer & removed all mentioned files.
ComboFix was the trick that released my pc from the spyware/malware....

Now I don't have the problem anymore.
If possible, pls investigate the last hijack.log I've made.

many thnx in advance.

AD.

Attached Files

•  hijackthis.txt   13.7KB   408 downloads

[emeraldnzl]

Hi papelex69,

Your log looks good now. Just a couple of things.

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
• Click on Continue.
• Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.

Next

Follow these steps to uninstall Combofix and tools used in the removal of malware

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

Now

• Make sure you have an Internet Connection.
• Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Click on the CleanUp! button
• A list of tool components used in the Cleanup of malware will be downloaded.
• If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
• Click Yes to begin the Cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

-------------------------------------------------------------------------------------------------------------------

Now that you are clean here are some things I think are worth having a look at:

-------------------------------------------------------------------------------------------------------------------

Check your Java; quite often people find there edition is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JDK) Update and save it to your desktop or the folder you usually download to.
• Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop or Download folder.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop or Download folder double-click on the Java exe to install the newest version.

--------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program:

• CCleaner

Care: Do NOT run this program if you have XP Professional 64 bit edition.

Note: Unless you are an expert ensure that in the Advanced Option section only Old Prefetch Data is checked . By default this is the case but check, just to make sure. Also it is probably not necessary to run the registry clean option but if you do, ensure you click "yes" to the back up option, before cleaning.
--------------------------------------------------------------------------------------------------------------------

A great way to check that your Microsoft and Java have the latest updates is to go to Software Inspector at Secunia.

I do this weekly. Not only do they tell you which programs need updating but they give you the link to follow.

To bolster your security go to Secunia.com to ensure essential programs are up to date.

---------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

• SUPERAntiSpyware Free for Home Users to detect and remove spyware.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here is a free one available for personal use:

• Comodo

and a good antivirus (these are also free for personal use):

• AVG Anti-Virus or
• AVIRA

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

If your Microsoft Update is not working automatically. Keep your operating system up to date by visiting

• Microsoft Windows Update

monthly. And to keep your system clean run these free malware scanners

• AdAware SE Personal
  
• Spybot Search & Destroy

weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!