
Infected with Trojan Horse Downloader.Delph.AN [RESOLVED]


  • This topic is locked This topic is locked

#1 fozzy182 (New Member, 9 posts)
I have an infected PC that I cannot get rid of a Trojan Horse Downloader.Delph.AN on. I have used the following applications to rid the system of this:

AVG
Symantec Anti-virus
A2 anti-virus
Counterspy
Spybot
Ad-Aware
Superantispyware
CWShredder
ATF
Hijackthis
Killbox

and several more. None of these effectively cleaned it. I removed all entries in the registry that were linked to the infected files as well. Nothing seems to actually keep it from returning. At this point I'm frustrated and don't have the time to dedicate to keep fighting it. I come humble with my pride sucked up fully. Please help, and thanks in advance. I have cleaned all temp files already and below are my HijackThis log and Malwarebytes log files.


Malwarebytes' Anti-Malware 1.14
Database version: 818

3:53:04 PM 6/3/2008
mbam-log-6-3-2008 (15-53-04).txt

Scan type: Quick Scan
Objects scanned: 45650
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\AppCert (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:47 PM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSESvc.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\lyncusb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\mssql2k\MSSQL\binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\program files\sedc\clientmanagement\v1.5.1.0711\sedcdeploymentservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
c:\mssql2k\MSSQL\binn\sqlagent.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SEDC\ClientManagement\v1.5.1.0711\ClientManager.exe
C:\Program Files\SEDC\ClientManagement\v1.5.1.0711\DeploymentServiceModule.exe
C:\Program Files\SEDC\ClientVerificationComponent\v1.0.0.0711\ClientVerificationComponent.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.beci.org/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by - BECI
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3697E8F3-2263-4D98-902F-0E27F8315400} - C:\WINDOWS\system32\dspropj.dll
O2 - BHO: (no name) - {D4BEE954-326A-4C6E-A1CA-5CEBECFAF652} - c:\windows\system32\lqjrcml.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCounterSpyIconApp] C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Client Management Components.lnk = C:\Program Files\SEDC\ClientManagement\AppLauncher.exe
O4 - Global Startup: SEDC Client Settings.lnk = C:\Program Files\SEDC\ClientManagement\UtilityLauncher.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.devl9000
O15 - Trusted IP range: 10.20.30.8
O15 - Trusted IP range: http://10.20.30.8
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191688457629
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1191688445504
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = coop.beci.org
O17 - HKLM\Software\..\Telephony: DomainName = coop.beci.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F24EA4E-82E5-4053-BB05-0865FA3C03A6}: NameServer = 10.20.30.9,10.20.30.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = coop.beci.org
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F24EA4E-82E5-4053-BB05-0865FA3C03A6}: NameServer = 10.20.30.9,10.20.30.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = coop.beci.org
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F24EA4E-82E5-4053-BB05-0865FA3C03A6}: NameServer = 10.20.30.9,10.20.30.2
O20 - Winlogon Notify: tkhrggtu - C:\WINDOWS\SYSTEM32\lqjrcml.dll
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSESvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lync USB Auditor Service (LyncUSBServ) - Lync Software Pty Ltd - C:\WINDOWS\system32\lyncusb.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SEDC Deployment Service - - c:\program files\sedc\clientmanagement\v1.5.1.0711\sedcdeploymentservice.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)

--
End of file - 6765 bytes


#2 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi fozzy182, welcome to GeeksToGo!

I am currently reviewing your log and will post back soon.

Please take note of the following points.
  • Please keep in mind that there may be a time difference between us. If you are not in the GMT +1 time zone, then you can expect a slight delay.
  • Please do not run any tools other than what I request of you to run. Some of the tools we will use are very powerful, and using them without the required knowledge could cause more damage and prove to be more troublesome than the problem you are currently facing.
  • If at any time you have a doubt about what you are to do, please stop there and ask. No question is considered dumb here at GeeksToGo!.

Thanks,

Mike :)

#3 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi again fozzy182,

Please follow my instructions in the order they were given. If you come across something you don't understand or don't feel comfortable doing, don't hesitate to ask and I will get you sorted out :)
If you cannot complete a step in my instructions, please skip it and continue with the rest of my instructions and tell me in your next reply which one you were having trouble with.

We will need to temporarily disable CounterSpy as it could conflict with our fixes.

1. Right-click the running icon of CounterSpy in the system tray.
2. With your mouse, hover over Active Protection Status (This should be enabled).
3. A menu will slide out and then you need to right click on "Disable Active Protection".

Step 1. Fixes with Hijack This

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

O4 - HKLM\..\Run: [ccApp] -
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)


Now please close all open windows except HJT and press "Fix checked".

Step 2. Combofix

Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, please don't overlook this!

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

and finally,

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

In your next reply

Please post the log from Combofix.
Please post the uninstall list.
Please post a new Hijack This log after running combofix.

If the logs are too big to fit in one reply, please spread them out over multiple replies.

Edited by Mike, 04 June 2008 - 01:56 PM.

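The entries Mike singles out above (an orphaned O4 Run key and an O23 service whose file is missing), together with the no-name O2 BHOs and the O20 Winlogon Notify hook in fozzy182's log, are the patterns a helper reads off a HijackThis log by eye. As an added example that is not part of this thread and not HijackThis's own code, here is a small Python triage script that parses the `Oxx - ...` entry lines and applies those heuristics. The sample lines are copied from the log posted above; the flag wording, the cross-check between O2 and O20 paths, and the "random-looking name" regex are my assumptions. The output is a review list for a helper, not a fix list.

```python
"""Triage helper for HijackThis v2.0.2 entry lines (added example, not project code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted in this thread, plus
# the benign Adobe BHO and Symantec service so the benign/suspicious split shows.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D4BEE954-326A-4C6E-A1CA-5CEBECFAF652} - c:\windows\system32\lqjrcml.dll
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [kf7blz1] C:\WINDOWS\system32\kf7blz1.exe
O15 - Trusted Zone: *.devl9000
O20 - Winlogon Notify: tkhrggtu - C:\WINDOWS\SYSTEM32\lqjrcml.dll
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# "O4 - body", "R0 - body", "F2 - body": section code, dash, the rest of the line.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# First Windows path ending in a binary extension anywhere in the body.
PATH_RE = re.compile(r"([a-z]:\\.+?\.(?:exe|dll|ocx))", re.I)
# Assumed heuristic: 5-8 alphanumerics mixing letters and digits (e.g. kf7blz1).
RANDOM_STEM_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,8}$", re.I)


@dataclass
class Entry:
    kind: str
    body: str
    flags: list = field(default_factory=list)

    @property
    def path(self):
        """Lower-cased binary path referenced by the entry, or None."""
        m = PATH_RE.search(self.body)
        return m.group(1).lower() if m else None


def parse_hjt(text):
    """Return the Rx/Fx/Oxx entry lines of a HijackThis log as Entry objects."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def triage(text):
    """Attach review flags to each entry; an empty flag list means 'nothing noted'."""
    entries = parse_hjt(text)
    bho_paths = {e.path for e in entries if e.kind == "O2" and e.path}
    for e in entries:
        if e.kind == "O2" and "(no name)" in e.body:
            e.flags.append("BHO registered without a name")
        if e.kind == "O20":
            e.flags.append("Winlogon Notify hook loads a DLL at logon")
            if e.path in bho_paths:
                e.flags.append("same DLL is also registered as a BHO")
        if e.kind == "O4":
            if e.body.rstrip().endswith("] -") or not e.path:
                e.flags.append("Run entry with no target (orphaned)")
            else:
                stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                if RANDOM_STEM_RE.match(stem):
                    e.flags.append("Run target has a random-looking name")
        if e.kind == "O23" and "(file missing)" in e.body:
            e.flags.append("service points to a missing file")
        if e.kind == "O15":
            e.flags.append("Trusted Zone / trusted IP range addition")
    return entries


def suspicious(text):
    """Only the entries that picked up at least one flag."""
    return [e for e in triage(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.kind:>4}  {e.body}")
        for f in e.flags:
            print(f"        -> {f}")
```

The O2/O20 cross-check is the useful part: a DLL that is both a Browser Helper Object and a Winlogon Notify handler gets loaded by Explorer, Internet Explorer and winlogon.exe, which is exactly why ComboFix later reports it as "failed to delete". The random-name regex is deliberately crude and will produce false positives on vendor tools; treat it as a prompt to look the file up, not as a verdict.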

#4 fozzy182 (Topic Starter, New Member, 9 posts)
Running from: C:\Documents and Settings\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\Tasks.\At1.job
C:\WINDOWS\system32\lqjrcml.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PUXZYBTK
-------\Service_puxzybtk


((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-04 10:07 . 2008-06-04 10:12 <DIR> d-------- C:\!KillBox
2008-06-04 09:18 . 2008-06-04 09:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-04 09:17 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-06-04 08:33 . 2008-06-04 08:42 <DIR> d-------- C:\Program Files\Citrix
2008-06-03 16:04 . 2008-06-03 16:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 15:47 . 2008-06-03 15:47 <DIR> d-------- C:\Documents and Settings\rpickering\Application Data\Malwarebytes
2008-06-03 15:46 . 2008-06-03 15:46 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-03 15:46 . 2008-06-03 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 14:57 . 2008-06-03 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-03 12:10 . 2008-06-03 14:04 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-03 12:04 . 2008-06-03 12:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2008-06-03 11:56 . 2008-06-03 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-02 11:18 . 2008-06-02 11:18 15,280 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-06-02 10:17 . 2008-06-03 16:02 <DIR> d-------- C:\Program Files\ht
2008-06-02 10:16 . 2008-06-03 11:09 <DIR> d-------- C:\Documents and Settings\rpickering\Application Data\Lavasoft
2008-06-02 09:27 . 2008-06-03 11:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-02 09:27 . 2008-06-03 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-27 15:57 . 2008-05-27 15:57 <DIR> d-------- C:\Documents and Settings\rpickering\Application Data\Sunbelt Software
2008-05-27 15:57 . 2008-05-27 15:57 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-05-27 15:57 . 2008-05-27 15:57 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-05-27 15:56 . 2008-05-27 15:56 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-05-27 09:48 . 2006-02-28 07:00 88,064 --a------ C:\WINDOWS\system32\dspropj.dll
2008-05-23 12:19 . 2008-05-23 12:19 <DIR> d-------- C:\Documents and Settings\rpickering\Application Data\svogxfyu
2008-05-23 11:52 . 2008-05-23 11:52 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\svogxfyu
2008-05-23 10:20 . 2008-05-23 11:52 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-05-23 10:20 . 2008-05-23 10:20 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-05-23 10:20 . 2008-05-23 10:20 196,608 --a------ C:\WINDOWS\system32\libssl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 14:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 14:51 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-21 14:58 --------- d-----w C:\Documents and Settings\rpickering\Application Data\Vurv Express
2008-04-21 14:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 14:54 --------- d-----w C:\Program Files\Vurv Express
2008-04-21 14:54 --------- d-----w C:\Program Files\Common Files\Crystal Decisions
2008-04-21 14:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-15 19:41 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-14 19:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 14:36 --------- d-----w C:\Program Files\Common Files\UAI
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3697E8F3-2263-4D98-902F-0E27F8315400}]
2006-02-28 07:00 88064 --a------ C:\WINDOWS\system32\dspropj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4BEE954-326A-4C6E-A1CA-5CEBECFAF652}]
2006-02-28 07:00 84480 --a------ c:\windows\system32\lqjrcml.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]
"kf7blz1"="C:\WINDOWS\system32\kf7blz1.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"StartCounterSpyIconApp"="C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSTray.exe" [2007-12-21 13:19 711152]
"kf7blz1"="C:\WINDOWS\system32\kf7blz1.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Client Management Components.lnk - C:\Program Files\SEDC\ClientManagement\AppLauncher.exe [2005-03-04 20:27:56 24576]
SEDC Client Settings.lnk - C:\Program Files\SEDC\ClientManagement\UtilityLauncher.exe [2006-06-28 08:46:26 20480]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2006-06-28 14:30:02 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kf7blz1]
C:\WINDOWS\system32\kf7blz1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 dppczuza;dppczuza;C:\WINDOWS\system32\drivers\dppczuza.sys [2006-02-28 07:00]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-06-02 11:18]
R2 ArcGIS License Manager;ArcGIS License Manager;C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 12:38]
R2 CounterSpyAgent;CounterSpyAgent;"C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSESvc.exe" [2007-12-21 13:19]
R2 SEDC Deployment Service;SEDC Deployment Service;c:\program files\sedc\clientmanagement\v1.5.1.0711\sedcdeploymentservice.exe [2007-10-12 05:14]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 VPREMOTE;VPRemote Install Bootstrap Service;C:\TEMP\Clt-Inst\vpremote.exe []

*Newly Created Service* - SBAPIFS
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\lyncusb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL2k\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\MSSQL2k\MSSQL\Binn\sqlagent.exe
C:\Program Files\SEDC\ClientManagement\v1.5.1.0711\DeploymentServiceModule.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\SEDC\ClientVerificationComponent\v1.0.0.0711\ClientVerificationComponent.exe
C:\Program Files\SEDC\ClientManagement\v1.5.1.0711\ClientManager.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\OINFOP11.EXE
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-05 8:59:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 13:59:24

Pre-Run: 10,438,307,840 bytes free
Post-Run: 10,371,276,800 bytes free

151

Edited by fozzy182, 05 June 2008 - 08:02 AM.


#5 fozzy182 (Topic Starter, New Member, 9 posts)
Uninstall list:

Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.2
ArcGIS License Manager
CounterSpyAgent
Dell ResourceCD
ESRI MapObjects 2 Runtime
HijackThis 2.0.2
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Connections Drivers
LiveReg (Symantec Corporation)
LiveUpdate 3.1 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office Outlook 2003
Microsoft Office Standard Edition 2003
Microsoft SQL Server 2000
Microsoft Visual C++ 2005 Redistributable
Performance Impact Workplace 2.01 - Workstation
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
SEDC Client Management Components
Sentinel System Driver 5.41.1 (32-bit)
SoundMAX
Symantec AntiVirus
Symantec pcAnywhere
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911164)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Utility Center
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781



HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:04, on 2008-06-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSESvc.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\lyncusb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\mssql2k\MSSQL\binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\program files\sedc\clientmanagement\v1.5.1.0711\sedcdeploymentservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\mssql2k\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSTray.exe
C:\Program Files\SEDC\ClientManagement\v1.5.1.0711\DeploymentServiceModule.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SEDC\ClientVerificationComponent\v1.0.0.0711\ClientVerificationComponent.exe
C:\Program Files\SEDC\ClientManagement\v1.5.1.0711\ClientManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.beci.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3697E8F3-2263-4D98-902F-0E27F8315400} - C:\WINDOWS\system32\dspropj.dll
O2 - BHO: (no name) - {D4BEE954-326A-4C6E-A1CA-5CEBECFAF652} - c:\windows\system32\lqjrcml.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCounterSpyIconApp] C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSTray.exe
O4 - HKLM\..\Run: [kf7blz1] C:\WINDOWS\system32\kf7blz1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kf7blz1] C:\WINDOWS\system32\kf7blz1.exe
O4 - Global Startup: Client Management Components.lnk = C:\Program Files\SEDC\ClientManagement\AppLauncher.exe
O4 - Global Startup: SEDC Client Settings.lnk = C:\Program Files\SEDC\ClientManagement\UtilityLauncher.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.devl9000
O15 - Trusted IP range: 10.20.30.8
O15 - Trusted IP range: http://10.20.30.8
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191688457629
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1191688445504
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = coop.beci.org
O17 - HKLM\Software\..\Telephony: DomainName = coop.beci.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F24EA4E-82E5-4053-BB05-0865FA3C03A6}: NameServer = 10.20.30.9,10.20.30.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = coop.beci.org
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F24EA4E-82E5-4053-BB05-0865FA3C03A6}: NameServer = 10.20.30.9,10.20.30.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = coop.beci.org
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F24EA4E-82E5-4053-BB05-0865FA3C03A6}: NameServer = 10.20.30.9,10.20.30.2
O20 - Winlogon Notify: tkhrggtu - C:\WINDOWS\SYSTEM32\lqjrcml.dll
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSESvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lync USB Auditor Service (LyncUSBServ) - Lync Software Pty Ltd - C:\WINDOWS\system32\lyncusb.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SEDC Deployment Service - - c:\program files\sedc\clientmanagement\v1.5.1.0711\sedcdeploymentservice.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)

--
End of file - 7062 bytes


Thanks so much for the help, it's greatly appreciated!

#6 Mike (Retired Staff)
Hi there fozzy182,

Step 1. Installing the Recovery Console

I would like you to install the Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. If you use Windows XP and have a Windows CD, you will not need to do this step.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

After you have done this proceed with the next steps.

Step 2. Making a CFScript

Please click Start, then Run; in the window that appears, type Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
http://www.geekstogo.com/forum/Infected-Trojan-Horse-Downloader-Delph-AN-t200377.html
 
Collect::
C:\WINDOWS\system32\drivers\dppczuza.sys
C:\WINDOWS\system32\lqjrcml.dll
C:\WINDOWS\system32\dspropj.dll
C:\WINDOWS\system32\kf7blz1.exe

DirLook::
C:\Program Files\ht

Folder::
C:\Documents and Settings\rpickering\Application Data\svogxfyu
C:\Documents and Settings\NetworkService\Application Data\svogxfyu

Driver::
dppczuza

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3697E8F3-2263-4D98-902F-0E27F8315400}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4BEE954-326A-4C6E-A1CA-5CEBECFAF652}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kf7blz1"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kf7blz1"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kf7blz1]
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

After that please reboot your computer if it asks you to and post ComboFix.txt (the report ComboFix will generate) in your next reply. Post back with a new HijackThis log as well.
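The post above turns a HijackThis log into a CFScript by hand: pick the files to collect, the BHO CLSIDs to unregister and the Run values to clear. As an added example, not code from the original post, from HijackThis or from ComboFix, the Python below applies three heuristics of my own to the O2, O4 and O20 lines of the log posted earlier in this thread and renders the result in the Collect::/Registry:: layout used above. The sample lines are a constructed test input copied from that log, the heuristics are assumptions, and the Winlogon Notify subkey it emits is my addition (the original script did not touch it). A script generated this way is a draft for a human to read line by line before it goes anywhere near ComboFix; a helper, not an oracle.

```python
import re

# Constructed sample input: O2/O4/O20 lines copied from the HijackThis log posted
# above, mixed with legitimate entries so the rules have something to separate.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3697E8F3-2263-4D98-902F-0E27F8315400} - C:\WINDOWS\system32\dspropj.dll
O2 - BHO: (no name) - {D4BEE954-326A-4C6E-A1CA-5CEBECFAF652} - c:\windows\system32\lqjrcml.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [kf7blz1] C:\WINDOWS\system32\kf7blz1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kf7blz1] C:\WINDOWS\system32\kf7blz1.exe
O20 - Winlogon Notify: tkhrggtu - C:\WINDOWS\SYSTEM32\lqjrcml.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

RUN_KEY = {  # the two Run keys the posted script clears values from
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
# Winlogon Notify packages are registered under this key; emitting it is my
# own addition to the script layout, not something the thread's script did.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def parse_hjt(text):
    """Split the O2, O4 and O20 lines of a HijackThis log into dicts."""
    bhos, runs, notifies = [], [], []
    for line in text.splitlines():
        if m := BHO_RE.match(line):
            bhos.append(m.groupdict())
        elif m := RUN_RE.match(line):
            d = m.groupdict()
            d["path"] = d["path"].strip('"')  # HJT quotes paths containing spaces
            runs.append(d)
        elif m := NOTIFY_RE.match(line):
            notifies.append(m.groupdict())
    return bhos, runs, notifies


def triage(text):
    """Apply three heuristics (assumptions of mine, not HijackThis logic) and
    collect the files, BHO CLSIDs, Run values and Notify names to act on."""
    bhos, runs, notifies = parse_hjt(text)
    files, clsids, run_values, notify_names = [], [], [], []

    def add_file(path):  # de-duplicate case-insensitively, keep first spelling
        if path.lower() not in (f.lower() for f in files):
            files.append(path)

    # Rule 1: a BHO that registers no name is collected and unregistered.
    for b in bhos:
        if b["name"] == "(no name)":
            clsids.append(b["clsid"])
            add_file(b["path"])

    # Rule 2: the same system32 binary auto-started from both HKLM and HKCU.
    by_path = {}
    for r in runs:
        by_path.setdefault(r["path"].lower(), []).append(r)
    for entries in by_path.values():
        hives = {e["hive"] for e in entries}
        if hives == {"HKLM", "HKCU"} and "\\system32\\" in entries[0]["path"].lower():
            add_file(entries[0]["path"])
            run_values.extend((RUN_KEY[e["hive"]], e["name"]) for e in entries)

    # Rule 3: a Winlogon Notify DLL that is also a flagged file is the same
    # implant reloading at logon, so its Notify subkey is removed as well.
    flagged = {f.lower() for f in files}
    for n in notifies:
        if n["path"].lower() in flagged:
            notify_names.append(n["name"])

    return {"files": files, "bho_clsids": clsids,
            "run_values": run_values, "notify_names": notify_names}


def build_cfscript(result):
    """Render the findings in the Collect::/Registry:: layout of the script above."""
    out = ["Collect::", *result["files"], "", "Registry::"]
    for clsid in result["bho_clsids"]:
        out += ["[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{" + clsid + "}]", ""]
    for key, name in result["run_values"]:
        out += ["[" + key + "]", '"' + name + '"=-', ""]
    for nname in result["notify_names"]:
        out += ["[-" + NOTIFY_KEY + "\\" + nname + "]", ""]
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run on the constructed sample it flags exactly the three files and two CLSIDs the script above collected, plus both kf7blz1 Run values, and adds the tkhrggtu Notify subkey because its DLL is one of the flagged BHOs. Rule 2 deliberately ignores entries that appear in only one hive, which is why igfxtray and ctfmon.exe pass through untouched.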

#7 fozzy182 (Topic Starter)
ComboFix 08-06-04.5 - rpickering 2008-06-05 12:09:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.476 [GMT -5:00]
Running from: C:\Documents and Settings\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rpickering\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NetworkService\Application Data\svogxfyu
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\profiles.ini
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\cert8.db
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\compatibility.ini
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\compreg.dat
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\cookies.sqlite
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\formhistory.sqlite
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\key3.db
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\localstore.rdf
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\permissions.sqlite
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\places.sqlite-journal
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\places.sqlite
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\pluginreg.dat
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\prefs.js
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\secmod.db
C:\Documents and Settings\NetworkService\Application Data\svogxfyu\Profiles\t6hb8rfc.default\xpti.dat
C:\Documents and Settings\rpickering\Application Data\svogxfyu
C:\Documents and Settings\rpickering\Application Data\svogxfyu\profiles.ini
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\cert8.db
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\compatibility.ini
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\compreg.dat
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\cookies.sqlite
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\formhistory.sqlite
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\key3.db
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\localstore.rdf
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\permissions.sqlite
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\places.sqlite-journal
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\places.sqlite
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\pluginreg.dat
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\prefs.js
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\secmod.db
C:\Documents and Settings\rpickering\Application Data\svogxfyu\Profiles\lvwhpyel.default\xpti.dat
C:\WINDOWS\system32\drivers\dppczuza.sys
C:\WINDOWS\system32\dspropj.dll
C:\WINDOWS\system32\lqjrcml.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DPPCZUZA
-------\Service_dppczuza
-------\Service_puxzybtk


((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-05 12:08 . 2007-12-21 13:19 27,120 --a------ C:\WINDOWS\system32\SBBD.exe
2008-06-04 10:07 . 2008-06-04 10:12 <DIR> d-------- C:\!KillBox
2008-06-04 09:18 . 2008-06-04 09:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-04 09:17 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-06-04 08:33 . 2008-06-04 08:42 <DIR> d-------- C:\Program Files\Citrix
2008-06-03 16:04 . 2008-06-03 16:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 15:47 . 2008-06-03 15:47 <DIR> d-------- C:\Documents and Settings\rpickering\Application Data\Malwarebytes
2008-06-03 15:46 . 2008-06-03 15:46 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-03 15:46 . 2008-06-03 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 14:57 . 2008-06-03 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-03 12:10 . 2008-06-03 14:04 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-03 12:04 . 2008-06-03 12:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2008-06-03 11:56 . 2008-06-03 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-02 11:18 . 2008-06-02 11:18 15,280 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-06-02 10:17 . 2008-06-03 16:02 <DIR> d-------- C:\Program Files\ht
2008-06-02 10:16 . 2008-06-03 11:09 <DIR> d-------- C:\Documents and Settings\rpickering\Application Data\Lavasoft
2008-06-02 09:27 . 2008-06-03 11:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-02 09:27 . 2008-06-03 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-27 15:57 . 2008-05-27 15:57 <DIR> d-------- C:\Documents and Settings\rpickering\Application Data\Sunbelt Software
2008-05-27 15:56 . 2008-05-27 15:56 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-05-23 10:20 . 2008-05-23 11:52 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-05-23 10:20 . 2008-05-23 10:20 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-05-23 10:20 . 2008-05-23 10:20 196,608 --a------ C:\WINDOWS\system32\libssl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 14:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 14:51 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-21 14:58 --------- d-----w C:\Documents and Settings\rpickering\Application Data\Vurv Express
2008-04-21 14:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 14:54 --------- d-----w C:\Program Files\Vurv Express
2008-04-21 14:54 --------- d-----w C:\Program Files\Common Files\Crystal Decisions
2008-04-21 14:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-15 19:41 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-14 19:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 14:36 --------- d-----w C:\Program Files\Common Files\UAI
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\ht ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"StartCounterSpyIconApp"="C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSTray.exe" [2007-12-21 13:19 711152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Client Management Components.lnk - C:\Program Files\SEDC\ClientManagement\AppLauncher.exe [2005-03-04 20:27:56 24576]
SEDC Client Settings.lnk - C:\Program Files\SEDC\ClientManagement\UtilityLauncher.exe [2006-06-28 08:46:26 20480]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2006-06-28 14:30:02 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-06-02 11:18]
R2 ArcGIS License Manager;ArcGIS License Manager;C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 12:38]
R2 CounterSpyAgent;CounterSpyAgent;"C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSESvc.exe" [2007-12-21 13:19]
R2 SEDC Deployment Service;SEDC Deployment Service;c:\program files\sedc\clientmanagement\v1.5.1.0711\sedcdeploymentservice.exe [2007-10-12 05:14]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 VPREMOTE;VPRemote Install Bootstrap Service;C:\TEMP\Clt-Inst\vpremote.exe []

*Newly Created Service* - DPPCZUZA
*Newly Created Service* - SBAPIFS
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\lyncusb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL2k\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\MSSQL2k\MSSQL\Binn\sqlagent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\SEDC\ClientManagement\v1.5.1.0711\DeploymentServiceModule.exe
C:\Program Files\SEDC\ClientVerificationComponent\v1.0.0.0711\ClientVerificationComponent.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\SEDC\ClientManagement\v1.5.1.0711\ClientManager.exe
C:\WINDOWS\system32\userinit.exe
.
**************************************************************************
.
Completion time: 2008-06-05 12:28:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 17:28:20
ComboFix2.txt 2008-06-05 13:59:42

Pre-Run: 10,371,391,488 bytes free
Post-Run: 10,375,270,400 bytes free

173
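The Reg Loading Points block in this log records more than persistence: the Security Center notification flags are set, Security Center monitoring of the Symantec product is switched off, the standard-profile Windows Firewall is disabled and TCP 3389 is open to any source. As an added example, not part of the original post or of ComboFix, the Python below reads a REGEDIT4-style fragment (constructed here from the log above) and lists the settings that weaken the host so they can be put back once the removal is finished. The severity labels are my own. One caveat: some security products legitimately set DisableMonitoring for themselves, so that finding has to be checked against the product that is actually installed before anything is changed.

```python
import re

# Constructed sample: the security-posture keys from the "Reg Loading Points"
# section of the ComboFix log posted above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<raw>.*)$')
# Security Center values that, when 1, silence the corresponding alert.
NOTIFY_FLAGS = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


def parse_value(raw):
    """Decode the two numeric spellings seen in the log; anything else stays a string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if m := re.fullmatch(r"(\d+) \(0x[0-9A-Fa-f]+\)", raw):
        return int(m.group(1))
    return raw


def parse_reg_block(text):
    """Return {key (lower-cased): {value name: decoded data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = m.group("key").lower()
            keys[current] = {}
        elif current is not None and (m := VAL_RE.match(line)):
            keys[current][m.group("name")] = parse_value(m.group("raw"))
    return keys


def audit(text):
    """Return (severity, message) pairs for settings that weaken the host."""
    findings = []
    for key, values in parse_reg_block(text).items():
        if key.endswith("\\security center"):
            for flag in NOTIFY_FLAGS:
                if values.get(flag) == 1:
                    findings.append(("high", f"Security Center alert suppressed: {flag}"))
        elif "\\security center\\monitoring\\" in key and values.get("DisableMonitoring") == 1:
            product = key.rsplit("\\", 1)[-1]
            findings.append(("high", f"Security Center no longer monitors {product}"))
        elif key.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append(("high", "Windows Firewall disabled (standard profile)"))
        elif key.endswith("\\globallyopenports\\list"):
            findings.extend(("medium", f"Port open to any source: {name}") for name in values)
        elif key.endswith("\\authorizedapplications\\list"):
            findings.extend(("info", f"Firewall exception: {name}") for name in values)
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```

On the constructed sample this yields four high findings (two suppressed alerts, the monitoring override and the disabled firewall), one medium for 3389/TCP and two informational firewall exceptions. The pcAnywhere exception and the open Remote Desktop port are consistent with a remotely administered workstation, which is exactly why they are reported rather than judged: the person who knows the machine decides, the script only makes sure nothing is missed.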

#8 fozzy182 (Topic Starter)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30, on 2008-06-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSESvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\lyncusb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\mssql2k\MSSQL\binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\program files\sedc\clientmanagement\v1.5.1.0711\sedcdeploymentservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\SEDC\ClientManagement\v1.5.1.0711\DeploymentServiceModule.exe
C:\Program Files\SEDC\ClientVerificationComponent\v1.0.0.0711\ClientVerificationComponent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SEDC\ClientManagement\v1.5.1.0711\ClientManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.beci.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCounterSpyIconApp] C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Client Management Components.lnk = C:\Program Files\SEDC\ClientManagement\AppLauncher.exe
O4 - Global Startup: SEDC Client Settings.lnk = C:\Program Files\SEDC\ClientManagement\UtilityLauncher.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.devl9000
O15 - Trusted IP range: 10.20.30.8
O15 - Trusted IP range: http://10.20.30.8
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191688457629
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1191688445504
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = coop.beci.org
O17 - HKLM\Software\..\Telephony: DomainName = coop.beci.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F24EA4E-82E5-4053-BB05-0865FA3C03A6}: NameServer = 10.20.30.9,10.20.30.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = coop.beci.org
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F24EA4E-82E5-4053-BB05-0865FA3C03A6}: NameServer = 10.20.30.9,10.20.30.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = coop.beci.org
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F24EA4E-82E5-4053-BB05-0865FA3C03A6}: NameServer = 10.20.30.9,10.20.30.2
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSESvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lync USB Auditor Service (LyncUSBServ) - Lync Software Pty Ltd - C:\WINDOWS\system32\lyncusb.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SEDC Deployment Service - - c:\program files\sedc\clientmanagement\v1.5.1.0711\sedcdeploymentservice.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)

--
End of file - 6471 bytes


Thanks again!!!

#9 Mike (Retired Staff)
Hi fozzy182,

Looks better... do you by chance know what this folder was for? svogxfyu

Step 1. Making a CFScript

Please click Start, then Run; in the window that appears, type Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
Folder::
C:\Program Files\ht

Driver::
DPPCZUZA
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Step 2. Running Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply

Please post the log from Combofix.
Please post the log from MBAM.

If the logs are too big to fit in one reply, please spread them out over multiple replies.

#10 fozzy182 (Topic Starter)
ComboFix 08-06-04.5 - rpickering 2008-06-05 15:14:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.373 [GMT -5:00]
Running from: C:\Documents and Settings\rpickering\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rpickering\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ht

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DPPCZUZA


((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-05 15:14 . 2008-06-05 15:14 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-06-05 15:14 . 2008-06-05 15:14 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-06-05 12:08 . 2007-12-21 13:19 27,120 --a------ C:\WINDOWS\system32\SBBD.exe
2008-06-04 10:07 . 2008-06-04 10:12 <DIR> d-------- C:\!KillBox
2008-06-04 09:18 . 2008-06-04 09:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-04 09:17 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-06-04 08:33 . 2008-06-04 08:42 <DIR> d-------- C:\Program Files\Citrix
2008-06-03 16:04 . 2008-06-03 16:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 15:47 . 2008-06-03 15:47 <DIR> d-------- C:\Documents and Settings\rpickering\Application Data\Malwarebytes
2008-06-03 15:46 . 2008-06-03 15:46 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-03 15:46 . 2008-06-03 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 14:57 . 2008-06-03 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-03 12:10 . 2008-06-03 14:04 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-03 12:04 . 2008-06-03 12:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2008-06-03 11:56 . 2008-06-03 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-02 11:18 . 2008-06-02 11:18 15,280 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-06-02 10:16 . 2008-06-03 11:09 <DIR> d-------- C:\Documents and Settings\rpickering\Application Data\Lavasoft
2008-06-02 09:27 . 2008-06-03 11:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-02 09:27 . 2008-06-03 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-27 15:57 . 2008-05-27 15:57 <DIR> d-------- C:\Documents and Settings\rpickering\Application Data\Sunbelt Software
2008-05-27 15:56 . 2008-05-27 15:56 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-05-23 10:20 . 2008-05-23 11:52 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-05-23 10:20 . 2008-05-23 10:20 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-05-23 10:20 . 2008-05-23 10:20 196,608 --a------ C:\WINDOWS\system32\libssl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 14:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 14:51 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-21 14:58 --------- d-----w C:\Documents and Settings\rpickering\Application Data\Vurv Express
2008-04-21 14:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 14:54 --------- d-----w C:\Program Files\Vurv Express
2008-04-21 14:54 --------- d-----w C:\Program Files\Common Files\Crystal Decisions
2008-04-21 14:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-15 19:41 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-14 19:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 14:36 --------- d-----w C:\Program Files\Common Files\UAI
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"StartCounterSpyIconApp"="C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSTray.exe" [2007-12-21 13:19 711152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Client Management Components.lnk - C:\Program Files\SEDC\ClientManagement\AppLauncher.exe [2005-03-04 20:27:56 24576]
SEDC Client Settings.lnk - C:\Program Files\SEDC\ClientManagement\UtilityLauncher.exe [2006-06-28 08:46:26 20480]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2006-06-28 14:30:02 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-06-02 11:18]
R2 ArcGIS License Manager;ArcGIS License Manager;C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 12:38]
R2 CounterSpyAgent;CounterSpyAgent;"C:\Program Files\Sunbelt Software\CounterSpy\Agent\SBCSESvc.exe" [2007-12-21 13:19]
R2 SEDC Deployment Service;SEDC Deployment Service;c:\program files\sedc\clientmanagement\v1.5.1.0711\sedcdeploymentservice.exe [2007-10-12 05:14]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 VPREMOTE;VPRemote Install Bootstrap Service;C:\TEMP\Clt-Inst\vpremote.exe []

*Newly Created Service* - SBAPIFS
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\lyncusb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL2k\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\SEDC\ClientManagement\v1.5.1.0711\DeploymentServiceModule.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\SEDC\ClientManagement\v1.5.1.0711\ClientManager.exe
C:\Program Files\SEDC\ClientVerificationComponent\v1.0.0.0711\ClientVerificationComponent.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\OINFOP11.EXE
.
**************************************************************************
.
Completion time: 2008-06-05 15:21:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 20:21:36
ComboFix2.txt 2008-06-05 17:28:26
ComboFix3.txt 2008-06-05 13:59:42

Pre-Run: 10,354,450,432 bytes free
Post-Run: 10,347,876,352 bytes free



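The registry dump in the ComboFix log above is the most security-relevant part of the whole thread: Security Center notifications suppressed, Symantec's monitoring hook disabled, the XP firewall switched off, RDP (3389/TCP) globally opened, and four Symantec services (ccEvtMgr, SAVRT, SNDSrvc, SYMTDI) left with an ImagePath of "-", which is why none of the installed scanners could keep the downloader off. The script below is an added example, not code from the thread, from ComboFix or from any vendor. It parses the "[key]" / "name"=value blocks in the format ComboFix prints (ComboFix writes HKLM\SYSTEM\CurrentControlSet as "HKLM\~") and flags those indicators; SAMPLE_LOG is constructed from the values posted above, and the severity labels are this example's own choice.

```python
"""Audit the security-posture entries in a ComboFix registry dump.

Added example; not code from the thread, from ComboFix or from any vendor.
It parses the "[key]" / "name"=value blocks ComboFix prints and flags the
settings the downloader on this machine had tampered with: Security Center
notifications, third-party AV monitoring, the XP firewall, firewall
exceptions and open ports, and services whose ImagePath was blanked to "-".
SAMPLE_LOG is constructed from the values posted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant excerpt of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


def parse_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry_key: {value_name: raw_value}} from ComboFix output."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            # ComboFix abbreviates HKLM\SYSTEM\CurrentControlSet as "HKLM\~".
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("value").strip()
    return keys


def dword_is_set(raw: str) -> bool:
    """True for a non-zero "dword:xxxxxxxx" or "N (0xN)" style value."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16) != 0
    m = re.match(r"(\d+)", raw)
    return bool(m) and int(m.group(1)) != 0


def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for the tampering indicators."""
    findings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if k.endswith(r"\security center"):
            for name in ("AntiVirusDisableNotify", "UpdatesDisableNotify", "FirewallDisableNotify"):
                if name in values and dword_is_set(values[name]):
                    findings.append(("high", f"Security Center notification suppressed: {name}"))
        elif "\\security center\\monitoring\\" in k:
            if dword_is_set(values.get("DisableMonitoring", "")):
                findings.append(("high", f"Security Center monitoring of {leaf} disabled"))
        elif k.endswith(r"\firewallpolicy\standardprofile"):
            if "EnableFirewall" in values and not dword_is_set(values["EnableFirewall"]):
                findings.append(("high", "Windows Firewall disabled (EnableFirewall=0)"))
        elif k.endswith(r"\authorizedapplications\list"):
            for app in values:
                findings.append(("medium", f"Firewall exception for {app}"))
        elif k.endswith(r"\globallyopenports\list"):
            for port in values:
                findings.append(("medium", f"Globally open port {port}"))
        elif "\\services\\" in k and values.get("ImagePath", "").strip('"') == "-":
            # A blanked ImagePath means the service can no longer start:
            # the classic way malware neuters an installed AV product.
            findings.append(("high", f"Service {leaf} has its ImagePath blanked"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit(parse_dump(SAMPLE_LOG)):
        print(f"[{severity}] {finding}")
```

On the sample this reports six high findings (two suppressed notifications, the Symantec monitoring switch, the disabled firewall and the two blanked services) and three medium ones (the two firewall exceptions and the open 3389/TCP port). The firewall exceptions are not malicious by themselves (sessmgr.exe is Remote Assistance and awhost32.exe is pcAnywhere, both legitimately in use on this machine), which is why they are rated lower: the point of the check is to surface every remote-access path so the person cleaning the box can decide which ones were intended.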
#11 fozzy182 (Topic Starter)
I honestly don't know what that folder was.


Malwarebytes' Anti-Malware 1.14
Database version: 829

03:36:03 2008-06-05
mbam-log-6-5-2008 (03-36-03).txt

Scan type: Quick Scan
Objects scanned: 44051
Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 Mike (Retired Staff)
Hello again,

Let's see if we have any leftovers.

Step 1. Running ATF Cleaner

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step 2. Running Kaspersky Online Virus Scanner

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

How is your computer running now? If you have any issues please describe them a bit for me.

#13 fozzy182 (Topic Starter)
Everything seems to be running smoothly. No more redirects, pop-up messages, etc.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-06-06 09:42
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/06/2008
Kaspersky Anti-Virus database records: 833663
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\
E:\

Scan Statistics:
Total number of scanned objects: 26570
Number of viruses found: 2
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 00:24:58

Infected Object Name / Virus Name / Last Action
C:\!KillBox\dspropj.dll Infected: Rootkit.Win32.Podnuha.dl skipped
C:\!KillBox\lqjrcml.dll Infected: Trojan.Win32.Obfuscated.avw skipped
C:\!KillBox\lqjrcml.dll( 1) Infected: Trojan.Win32.Obfuscated.avw skipped
C:\!KillBox\lqjrcml.dll( 2) Infected: Trojan.Win32.Obfuscated.avw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\rpickering\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\rpickering\Local Settings\Application Data\ApplicationHistory\ClientManager.exe.b45c78b1.ini.inuse Object is locked skipped
C:\Documents and Settings\rpickering\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\rpickering\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\rpickering\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\rpickering\Local Settings\Temp\lmgrd9.log Object is locked skipped
C:\Documents and Settings\rpickering\Local Settings\Temp\Perflib_Perfdata_a34.dat Object is locked skipped
C:\Documents and Settings\rpickering\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\rpickering\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\rpickering\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\uaserver\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\uaserver\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\uaserver\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\uaserver\ntuser.dat.LOG Object is locked skipped
C:\flexlm\ARCGIS Object is locked skipped
C:\MSSQL2k\MSSQL\Data\BECI20_ESTIMATION_DAT.mdf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\BECI20_ESTIMATION_log.LDF Object is locked skipped
C:\MSSQL2k\MSSQL\Data\BECI20_EXISTING_DAT.mdf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\BECI20_EXISTING_log.LDF Object is locked skipped
C:\MSSQL2k\MSSQL\Data\BECI20_PROPOSED_DAT.mdf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\BECI20_PROPOSED_log.LDF Object is locked skipped
C:\MSSQL2k\MSSQL\Data\BECI20_READONLY_DAT.mdf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\BECI20_READONLY_log.LDF Object is locked skipped
C:\MSSQL2k\MSSQL\Data\BECI20_SKETCH_DAT.mdf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\BECI20_SKETCH_log.LDF Object is locked skipped
C:\MSSQL2k\MSSQL\Data\beci20_WORKING_DAT.mdf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\beci20_WORKING_log.LDF Object is locked skipped
C:\MSSQL2k\MSSQL\Data\master.mdf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\model.mdf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\modellog.ldf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\northwnd.ldf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\northwnd.mdf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\pubs.mdf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\pubs_log.ldf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\MSSQL2k\MSSQL\Data\templog.ldf Object is locked skipped
C:\MSSQL2k\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\MSSQL2k\MSSQL\LOG\SQLAGENT.OUT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\SEDC\ClientManagement\Logs\CVC_RONNIEP_06062008_1.txt Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080604-085654-537.dll Infected: Trojan.Win32.Obfuscated.avw skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080604-100513-730.dll Infected: Rootkit.Win32.Podnuha.dl skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080604-100513-959.dll Infected: Trojan.Win32.Obfuscated.avw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\dppczuza.sys.vir Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{60C21970-5D46-4CC2-AEF5-7188CAA79D3D}\RP15\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\lqjrcml.dll.bak Infected: Trojan.Win32.Obfuscated.avw skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_728.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7c.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_bb8.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{60C21970-5D46-4CC2-AEF5-7188CAA79D3D}\RP15\change.log Object is locked skipped

Scan process completed.

#14 Mike (Retired Staff)
Hi there fozzy182,

Please click Start, then Run, and in the window that appears type Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and paste (Control + V) the content into the Notepad window:
File::
C:\WINDOWS\system32\lqjrcml.dll.bak 
Folder::
C:\!KillBox
C:\Program Files\Trend Micro\HijackThis\backups
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

And your logs are clean :)

Step 1. Removing ComboFix

Click START, then RUN.
Now type Combofix /u in the Run box and click OK.
Notice the space between the x and the /. That needs to be there.


Step 2. Configuring Automatic Updates

Click the Automatic Updates tab. Choose the update option that best suits your needs, but be sure that Automatic Updates is not turned off. Windows XP will now notify you and download important updates and security patches as they become available.
Click "OK" to save your new settings and close the System Properties dialogue.

Step 3. Preventing future infection

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.spywarewa...uc/resource.htm

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

Also make sure to run your antivirus software regularly, and to keep it up-to-date.

There are many programs that can be used for your protection, most falling within the three main categories of anti-virus, anti-spyware and firewall. Please be careful to never run more than one program of the same category in resident mode, as conflicts between the different programs can actually decrease your protection.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :)

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.

#15 fozzy182 (Topic Starter)
Everything looks great. Thanks for all your help in the matter!