Infected with Virus:Win32/Patched.H? [Solved]


  • This topic is locked This topic is locked

#16 Onaipian, Notepad warrior (Retired Staff, 2,130 posts)

In a hurry, so can't give too many details, but this is pretty much what we did with OTL, but stronger. Should do the trick.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

KillAll::

FCopy::
c:\windows\$NtServicePackUninstall$\ws2help.dll | c:\windows\system32\ws2help.dll
c:\windows\$NtServicePackUninstall$\ws2help.dll | C:\WINDOWS\ServicePackFiles\i386\ws2help.dll


Save this as CFScript.txt, in the same location as ComboFix.exe.


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
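The FCopy:: lines above restore ws2help.dll from the copy Windows keeps under $NtServicePackUninstall$, which only helps if that backup is itself clean. Below is an added example, not part of the original post and not ComboFix's own code, that performs the check a responder would want before and after such a copy: hash the live system32 file and every backup copy, confirm the backups agree with each other, and report a live copy that differs from them. The directory tree is constructed in a temporary folder so the script runs offline; the Windows locations, including the dllcache path, are assumed from the CFScript and not verified here.

```python
"""Compare a system DLL against its service-pack backup copies.

Added example (not from the original thread, not part of ComboFix).
It implements the check behind the CFScript FCopy:: lines: on XP the
copies under %SystemRoot%\$NtServicePackUninstall$ and
%SystemRoot%\ServicePackFiles\i386 are the reference, and a system32
copy whose hash differs from them is a candidate for being patched.
The tree is built in a temp dir so this runs offline; the real
Windows paths are assumptions taken from the CFScript.
"""
import hashlib
import tempfile
from pathlib import Path

# Relative locations, mirroring the paths used in the CFScript.
LIVE = Path("system32") / "ws2help.dll"
REFERENCES = [
    Path("$NtServicePackUninstall$") / "ws2help.dll",
    Path("ServicePackFiles") / "i386" / "ws2help.dll",
    Path("system32") / "dllcache" / "ws2help.dll",  # WFP cache (assumed location)
]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_dll(windir: Path, live=LIVE, references=REFERENCES) -> dict:
    """Hash the live copy and every backup that exists; flag the live
    copy as suspect only when the backups agree and it differs."""
    live_hash = sha256_of(windir / live)
    ref_hashes = {}
    for rel in references:
        p = windir / rel
        if p.is_file():
            ref_hashes[str(rel)] = sha256_of(p)
    distinct = set(ref_hashes.values())
    verdict = {
        "live_sha256": live_hash,
        "references": ref_hashes,
        # Backups that disagree with each other mean one of them may be
        # patched too; an FCopy:: from a bad source would reinfect.
        "references_consistent": len(distinct) <= 1,
        "live_matches_reference": live_hash in distinct,
    }
    verdict["suspect"] = (bool(distinct)
                          and verdict["references_consistent"]
                          and not verdict["live_matches_reference"])
    return verdict


def build_sample_tree(patched: bool) -> Path:
    """Constructed fixture: a fake %SystemRoot% with a clean backup pair
    and a system32 copy that is identical or has bytes overwritten, the
    way a file infector patches a DLL in place."""
    root = Path(tempfile.mkdtemp(prefix="wfp_check_"))
    clean = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"ws2help clean body " * 32
    for rel in REFERENCES[:2]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(clean)
    body = bytearray(clean)
    if patched:
        body[0x100:0x110] = b"\xe9" + b"\x90" * 15  # jmp + nop sled over code
    (root / LIVE).parent.mkdir(parents=True, exist_ok=True)
    (root / LIVE).write_bytes(bytes(body))
    return root


if __name__ == "__main__":
    for flag in (False, True):
        v = check_dll(build_sample_tree(patched=flag))
        print("patched fixture" if flag else "clean fixture", "-> suspect:", v["suspect"])
```

A hash match with the backups says the live file is the same bytes as the backup, not that the backup is clean; when the backups disagree with each other, stop and verify them (on a real system, against the file's Authenticode signature or a known-good copy from the Windows media) before copying anything over system32.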

#17 Bob2010 (Topic Starter, Member, 22 posts)

Hi piano9playa5,

Thanks again for your help. When I ran ComboFix I noticed several pop-up warnings from MSSE despite having turned off real-time protection. At first they were red, warning of an infection, & at the end of ComboFix's run they were green, saying it was cleared.

I notice references to Lavasoft Ad-Aware in the Reg Loading Points section of the ComboFix log. Why would they be there when I uninstalled Ad-aware about a month ago?

Here is the ComboFix log:

ComboFix 10-06-27.03 - Bob 28/06/2010 10:00:07.5.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1014.705 [GMT -7:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bob\Desktop\CFScript (2).txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\ws2help.dll --> c:\windows\system32\ws2help.dll
c:\windows\$NtServicePackUninstall$\ws2help.dll --> c:\windows\ServicePackFiles\i386\ws2help.dll
.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-27 21:50 . 2010-06-27 21:50 -------- d-----w- c:\program files\ESET
2010-06-27 21:08 . 2010-06-27 21:08 -------- d-----w- C:\_OTL
2010-06-26 20:20 . 2010-06-26 20:20 -------- d-----w- c:\program files\ERUNT
2010-06-26 00:13 . 2010-06-26 03:53 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-26 00:10 . 2010-06-26 00:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-06-25 23:24 . 2010-06-25 23:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-25 23:23 . 2010-06-25 23:23 49832 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-23 18:39 . 2010-06-23 18:39 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\PCHealth
2010-06-23 17:40 . 2010-06-23 17:40 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-06-23 17:39 . 2010-06-23 17:39 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-06-19 22:17 . 2010-06-19 22:17 -------- d-----w- c:\documents and settings\All Users\Microsoft
2010-06-19 21:59 . 2010-06-19 21:59 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-06-15 13:36 . 2010-06-15 13:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-06-11 16:08 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-07 16:30 . 2010-05-21 21:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-07 16:25 . 2010-06-07 16:26 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-07 16:18 . 2010-06-07 16:21 -------- d-----w- C:\aca1ff106c2e1501f6cd758313
2010-06-02 14:06 . 2010-06-06 17:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-02 14:06 . 2010-06-02 14:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-02 13:58 . 2010-06-07 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-02 05:13 . 2010-06-02 05:13 -------- d-----w- c:\documents and settings\Bob\Application Data\Malwarebytes
2010-06-02 05:13 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 05:13 . 2010-06-02 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-02 05:13 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-02 05:13 . 2010-06-02 05:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 03:32 . 2010-06-02 03:32 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-01 00:18 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-06-01 00:18 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-06-01 00:18 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-06-01 00:18 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-06-01 00:17 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-06-01 00:17 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-06-01 00:16 . 2010-06-01 00:17 -------- d-----w- c:\documents and settings\Bob\Application Data\F000C4F5F6F64F7606AD22A91FCBDEEB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-24 00:20 . 2010-04-18 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-23 17:54 . 2006-07-28 21:27 49832 -c--a-w- c:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-07 15:58 . 2009-03-10 19:19 -------- d-----w- c:\program files\Symantec
2010-06-07 15:58 . 2006-07-28 14:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-04 17:12 . 2006-02-21 13:50 -------- d-----w- c:\program files\Common Files\Java
2010-06-04 17:11 . 2010-06-02 23:31 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-04 17:11 . 2010-06-04 17:11 -------- d-----w- c:\program files\Java
2010-06-03 20:28 . 2008-01-24 06:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 00:00 . 2010-06-03 00:00 -------- d-----w- c:\program files\Trend Micro
2010-06-02 23:32 . 2010-06-02 23:32 503808 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3d0923bd-n\msvcp71.dll
2010-06-02 23:32 . 2010-06-02 23:32 499712 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3d0923bd-n\jmc.dll
2010-06-02 23:32 . 2010-06-02 23:32 348160 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3d0923bd-n\msvcr71.dll
2010-06-02 23:31 . 2010-06-02 23:31 61440 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4fb103f2-n\decora-sse.dll
2010-06-02 23:31 . 2010-06-02 23:31 12800 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4fb103f2-n\decora-d3d.dll
2010-06-02 14:06 . 2010-06-03 00:30 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-01 00:18 . 2008-09-22 19:34 -------- d-----w- c:\program files\Common Files\Motive
2010-05-21 02:58 . 2010-05-21 02:56 -------- d-----w- c:\program files\QuickTime
2010-05-21 02:56 . 2010-05-21 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-05-06 10:41 . 2006-02-21 08:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2006-02-21 08:37 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 04:33 . 2007-02-04 15:40 -------- d-----w- c:\documents and settings\Bob\Application Data\Skype
2010-04-20 05:30 . 2006-02-21 08:37 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-31 07:16 . 2010-03-31 07:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 07:10 . 2010-03-31 07:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2010-02-28 09:20 561552 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Live Sync"="c:\program files\Windows Live\Sync\WindowsLiveSync.exe" [2009-10-23 1171784]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"TFncKy"="TFncKy.exe" [BU]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
"NDSTray.exe"="NDSTray.exe" [BU]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 88203]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]

c:\documents and settings\Bob\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-3-31 811008]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-21 155648]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [02/06/2010 07:06 64288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 DlinkUDSMBus;DlinkUDSMBus;c:\windows\system32\Drivers\DlinkUDSMBus.sys --> c:\windows\system32\Drivers\DlinkUDSMBus.sys [?]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [19/04/2004 15:01 6656]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-21 c:\windows\Tasks\User_Feed_Synchronization-{4F692028-28AD-499A-B381-A26DED356087}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.weatheroffice.gc.ca/city/pages/bc-74_metric_e.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: aircanada.com\travel
Trusted Zone: cbc.ca
Trusted Zone: dailylit.com
Trusted Zone: google.com
Trusted Zone: google.com\mail
Trusted Zone: live.com
Trusted Zone: microsoft.com\www.update
Trusted Zone: yahoo.com
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {958FCAB0-616B-11D3-A63F-00001B322780} - hxxp://www.timeticker.com/Timeset/TcpServer.CAB
DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} - hxxp://designcentre.amestile.com/database/combo1.0.6.0614.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-28 10:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1148)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
.
**************************************************************************
.
Completion time: 2010-06-28 10:16:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-28 17:16
ComboFix2.txt 2010-06-28 16:46
ComboFix3.txt 2010-06-28 03:34

Pre-Run: 38,452,293,632 bytes free
Post-Run: 38,444,544,000 bytes free

- - End Of File - - B0339903E409828A3DA2D2CEF5F4C30A


Bob
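The log above is long, and the parts that matter for triage are the autostart and firewall sections. The following is an added example, not from the thread and not part of ComboFix, that parses those sections in the plain-text format ComboFix writes and lists what a responder would look at first: autostart entries that ComboFix printed with a bracketed tag such as [X] instead of a date and size, a RunOnce entry with no name that launches a browser at logon, Security Center monitoring switched off, and ports opened to all sources in the firewall profile (3389/TCP is Remote Desktop). SAMPLE_LOG is an excerpt copied from the log in this post; the reading of the bracketed tags is an assumption stated in the code.

```python
"""Triage the autostart and firewall sections of a ComboFix log.

Added example, not from the original thread and not part of ComboFix.
SAMPLE_LOG is an excerpt of the log posted above. Assumption: ComboFix
prints "[date size]" after an autostart it located and examined, so
any other bracketed tag ([X], [BU]) marks an entry to resolve by hand.
"""
import re

SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"TFncKy"="TFncKy.exe" [BU]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STR_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?:\s+\[(?P<tag>[^\]]*)\])?$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=\s*(?P<desc>.*)$')
DATE_SIZE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")

# Ports worth naming in a finding (illustrative, not exhaustive).
PORT_NAMES = {"3389:TCP": "Remote Desktop (RDP)"}


def triage(log_text: str) -> list:
    """Return findings as dicts with 'kind', 'key' and 'detail'."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        lower_key = key.lower()
        if "globallyopenports" in lower_key:
            m = PORT_RE.match(line)
            if m:
                port = m.group("port")
                label = f" ({PORT_NAMES[port]})" if port in PORT_NAMES else ""
                findings.append({"kind": "open_port", "key": key,
                                 "detail": f"{port} open to all sources{label}"})
            continue
        m = DWORD_RE.match(line)
        if m and m.group("name") == "DisableMonitoring" and int(m.group("hex"), 16) == 1:
            findings.append({"kind": "security_center_monitoring_off",
                             "key": key, "detail": line})
            continue
        m = STR_VALUE_RE.match(line)
        if not m or not (lower_key.endswith("\\run") or lower_key.endswith("\\runonce")):
            continue
        name, value, tag = m.group("name"), m.group("value"), m.group("tag")
        if tag is not None and not DATE_SIZE_RE.match(tag):
            # No date/size printed: ComboFix did not show file details,
            # so the path and the file need checking by hand.
            findings.append({"kind": "unresolved_autostart", "key": key,
                             "detail": f"{name} -> {value} [{tag}]"})
        if name == "<NO NAME>" and lower_key.endswith("\\runonce"):
            findings.append({"kind": "unnamed_runonce", "key": key, "detail": value})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:32} {f['detail']}")
```

The findings are leads to resolve against what the user actually has installed, not verdicts; the Symantec and Lavasoft entries in this log, for instance, turn out later in the thread to be leftovers of uninstalled products.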

#18 Bob2010 (Topic Starter, Member, 22 posts)

Hi piano9play5,

I haven't had a lot of time today to check, but it looks like that last ComboFix was successful! I am able to boot into Normal mode, have good internet access, & no more warnings from MSSE. So far it looks like all is well.

Thank you so much! Looking forward to your further instructions.

Bob

#19 Onaipian, Notepad warrior (Retired Staff, 2,130 posts)

That's great news.

Those are leftovers. Uninstallers tend to leave bits behind. I'll remove them, but I just want to verify: you no longer use SunBelt, Ad-Aware or Norton, correct?

Run a full scan with MSSE (Microsoft Security Essentials). I'm not sure if there's a log option, but let me know the results.

#20 Bob2010 (Topic Starter, Member, 22 posts)

Hi,

A full MSSE scan revealed the culprit is still present in two locations.
I was nervous about asking it to "Clean" as it was ineffective with the onset of the problem. However, as I was fiddling about trying to figure out how to put a screen shot in here (no reports from MSSE), it went ahead & "disinfected". MSSE says it was successful in removing them but I haven't done a reboot yet. It won't let me copy the info, but I'll transcribe from the screen shot. Both infections are Virus:Win32/Patched.H.

One is in file: C:\Qoobox\Quarantine\C\Windows\system32\ws2help.dll.vir

The second is in file: C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP22\A0008653.dll

I have a Word document with the screen shots but am unable to attach it, I think because they're too large. Let me know if you want the screen shots & I will try to figure out how to get them in a reply.


As to the cleanup of leftovers: you are correct; I no longer use Ad-Aware or Norton. I don't recall ever using SunBelt (or what it is), so that must mean it can go too.

Thanks,
Bob

#21 Bob2010 (Topic Starter, Member, 22 posts)

Attached are the screenshots from MSSE. Hope they're legible.

Bob

Attached Thumbnails

  • msee1.jpg
  • msee2.jpg


#22 Onaipian, Notepad warrior (Retired Staff, 2,130 posts)

One's in System Restore, the other in Quarantine. :)
I think that the Sunbelt files were a part of Lavasoft, by the looks of when they were installed (seconds after the other files :))

Run OTL (Double click to run)
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL
    DRV - [2010/06/06 10:45:34 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    [2010/06/02 07:06:25 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
    [2010/06/02 07:06:21 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
    [2010/06/02 06:58:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
    [2010/06/02 07:06:15 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
    [2010/06/02 07:06:09 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
    
    :Services
    Lavasoft Ad-Aware Service
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, and accept to reboot when it's finished.
  • I don't need to see any more logs :)


Is everything good? (Aside from the two files that MSSE is spotting - I'll take care of those next post)

#23 Bob2010 (Topic Starter, Member, 22 posts)

I have run the OTL fix.

Everything is good :) ! Things have been running well today with no problems.

Thank you so much!

Bob

#24 Onaipian, Notepad warrior (Retired Staff, 2,130 posts)

No problem :)


:)
You're in the All Clear! Here are a few cleanup procedures that are a must after malware removal. Also, I have a few program recommendations I like to suggest.


System Restore
System Restore creates snapshots of your computer, called Restore Points, so that in the event something goes wrong, you can restore your computer to an earlier date. Viruses would have gotten into the Restore Point snapshots also and can reinfect you if you restore to an infected date. Clearing the Restore Points and making a new one is essential after removal:
  • Open OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :commands
    [CLEARALLRESTOREPOINTS]
  • Then click the Run Fix button at the top.
  • You may or may not be asked to reboot. In any case, I don't need the log that follows.



Removal of Removal-Tools
This is to make sure that any powerful tools we used aren't left behind, and to make sure that if you ever get reinfected, you will download all the most recent tools.
  • Open OTL.
  • In the top right corner will be a button called "Clean Up!"; click it.
  • Follow any prompts, and reboot when prompted.
  • OTL will be gone on startup also. Delete any logs or leftover tools manually.


Windows Updates
You should visit Windows Update about once a month, to receive Security Fixes, Hot Fixes and Service Packs. These are all important for fixing everything from bugs to vulnerabilities which could lead to infection.

Go to Tools > Windows Update, within Internet Explorer
  • Click Express. It will check for updates for your computer.
  • Click Install Updates. A window should pop up giving the status of each update.
  • Reboot when prompted.

If you're feeling lazy you can turn on Automatic Updates which will do the work for you.
  • Click Start, then Control Panel
  • Click Automatic Updates
  • Check Automatic (Recommended)
  • Ok your way out.

More information about Windows Updates and clear configuration instructions can be found here.




Prevention Programs and Practices
  • Two AntiSpyware \ AntiMalware programs that are effective, easy to use, and free. A weekly scan with one or both of these tools can be very useful in preventing\removing a wide variety of infections. I strongly recommend these products:
  • The following are two alternative web-browsers. Both are great choices (And can be installed and used with Internet Explorer still present!) You may wish to experiment with the two, to decide which you prefer.
  • Cleans out temporary files safely and effectively. It does not clean out URL history, prefetch, or cookies.
  • Keep your programs and applications up to date. This is important, not only for content, but for vulnerability-fixes. Here are a few you should definitely keep up-to-date if you have them:


If you are wondering how you got infected in the first place please visit this cool page called:
How did I get infected in the first place?

Glad I could help, piano9playa5 :)

#25 Bob2010 (Topic Starter, Member, 22 posts)

Thank you very much for all your help!!

One final question: I have been relying on Windows Firewall since switching to MSSE. Is that sufficient or should I be using another firewall? Any recommendations?

Thanks,
Bob

#26 Onaipian, Notepad warrior (Retired Staff, 2,130 posts)

Ah yes, I forgot to mention that! (thank you) Windows Firewall isn't enough.

A Firewall is an important piece of your computer's security! Its purpose is to block unwanted traffic --Hackers, Worms, some Trojan Horses, etc.-- from accessing your computer. A Firewall can block unauthorized data from being stolen, and will play a large part in keeping your computer infection-free. Luckily, Firewalls can be found for free, and will provide protection that is just as good as a paid solution. Some nice, and free, Firewall products are:
Please note that although it seems a good idea to have more than one Firewall, having multiple Firewall products will decrease security, and may cause conflicts. It is recommended to install and run one at a time to avoid these conflicts which may LOWER security.

Edited by piano9playa5, 30 June 2010 - 12:17 PM.


#27 Bob2010 (Topic Starter, Member, 22 posts)

Thanks.

I'm beefing up my defenses now!

Bob

#28 Onaipian, Notepad warrior (Retired Staff, 2,130 posts)

:)

#29 Onaipian, Notepad warrior (Retired Staff, 2,130 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.