
Think Vundo is gone -- EXCEPT.... [RESOLVED]


  • This topic is locked

#1
tinat

tinat

    New Member

  • Member
  • Pip
  • 7 posts
Several days ago, my Avast AV popped up and said I was infected by a trojan. Then it said several trojans. Apparently it started with Vundo and others followed.

Sorry, my mom went through my room and threw out many of my notes a day or two ago, but I did find one scrap of paper that I had scribbled on that mentioned Qdrmodulell.exe (which ZoneAlarm kept telling me was trying to access the internet, I denied access) and Jkhfe.dll

Avast couldn't handle it all, so I ended up doing a number of scans with a number of online resources, including SuperAntispyware Free edition; F-Secure (which seemed to work well); Spybot; Prevxcsifree; FixVundo; VundoFix and VirtumundoBeGone.

Most were run in SafeMode.

I also ran SDFIX, and followed it all up with CCleaner, both to clean the system and to fix the registry. All seems to be working well now, and subsequent scans are clean, EXCEPT when I start up my system now and log in, I get a box telling me that the file Jkhfe.dll cannot be found in the registry. I "X" out of that box and everything seems to work.

However, it makes me think that there still is something in my computer left over from all the trouble.

Here is my HJT Log;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:59 AM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\BearShare\BearShare .exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhfe.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare .exe" /pause
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1189012142609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1189012134078
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall....ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-sec...3beta/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {C6D25826-96AE-462F-A852-BB33B882B723} (SFImageUpload1_4.ImageUpload) - http://fredmeyer.sto...geUpload1_4.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...364/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8451 bytes


#2
tinat

tinat

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here's what AVAST was showing during all this, if it helps:
1/8/2008 10:01:16 PM jenny1 1540 Sign of "Win32:Trojan-gen {VB}" has been found in "C:\WINDOWS\system32\Winload.exe" file.

1/8/2008 10:01:17 PM jenny1 1540 Sign of "Win32:Trojan-gen {VB}" has been found in "C:\WINDOWS\system32\Winload32.exe" file.

1/13/2008 10:54:11 AM jenny1 1540 Sign of "Win32:Trojan-gen {VB}" has been found in "C:\WINDOWS\system32\Winload.exe" file.

1/13/2008 10:54:12 AM jenny1 1540 Sign of "Win32:Trojan-gen {VB}" has been found in "C:\WINDOWS\system32\Winload32.exe" file.

1/13/2008 3:12:48 PM jenny1 1540 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\BIT18D.tmp" file.

1/13/2008 3:18:01 PM jenny1 1540 Sign of "Win32:Small-IKZ [Trj]" has been found in "C:\WINDOWS\system32\BIT193.tmp\[UPX]" file.

1/13/2008 3:23:58 PM jenny1 1540 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkklj.dll" file.

1/13/2008 3:37:37 PM jenny1 1540 Sign of "Win32:CTX" has been found in "http://www.nanoscan.com/as/cabs/ascguiie.cab\pskavs.dll" file.

1/13/2008 3:38:00 PM jenny1 1540 Sign of "Win32:CTX" has been found in "C:\Program Files\Panda Security\TotalScan\SET1FE.tmp" file.

1/13/2008 3:38:05 PM jenny1 1540 Sign of "Win32:CTX" has been found in "C:\Program Files\Panda Security\TotalScan\SET1FF.tmp" file.

1/13/2008 3:38:08 PM jenny1 1540 Sign of "Win32:CTX" has been found in "C:\Program Files\Panda Security\TotalScan\pskavs.dll" file.

1/13/2008 5:19:43 PM jenny1 1540 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:48:59 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:49:00 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:49:00 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:49:00 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:49:00 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:49:00 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:49:06 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:49:07 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:49:08 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:49:10 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:56:02 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:56:02 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:56:03 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:56:03 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 6:56:04 PM jenny1 1532 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkhfe.dll" file.

1/13/2008 11:58:27 PM jenny1 1504 Sign of "Win32:TratBHO [Trj]" has been found in "C:\Program Files\BearShare\BEARSHARE.0XE\[Embedded#3289f8]" file.

1/13/2008 11:59:54 PM jenny1 1504 Sign of "Win32:TratBHO [Trj]" has been found in "C:\Program Files\Common Files\Dell\EUSW\SUPPORT.0XE\[Embedded#3cea0]" file.

1/14/2008 12:02:27 AM jenny1 1504 Sign of "Win32:TratBHO [Trj]" has been found in "C:\Program Files\Common Files\Pure Networks Shared\Platform\NMCTXTH.0XE\[Embedded#6f4dc]" file.

1/14/2008 12:02:54 AM jenny1 1504 Sign of "Win32:TratBHO [Trj]" has been found in "C:\Program Files\Common Files\Real\Update_OB\REALSCHED.0XE\[Embedded#25d50]" file.

1/14/2008 12:06:31 AM jenny1 1504 Sign of "Win32:TratBHO [Trj]" has been found in "C:\Program Files\iTunes\ITUNESHELPER.0XE\[Embedded#43ed0]" file.

1/14/2008 12:08:24 AM jenny1 1504 Sign of "Win32:TratBHO [Trj]" has been found in "C:\Program Files\Java\jre1.5.0_10\bin\JUSCHED.0XE\[Embedded#0cd90]" file.

#3
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, it looks like you have the latest variant, which is extremely sneaky, so let's have at it :)

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhfe.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Just to make sure the file is gone

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\jkhfe.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Logs required: OTMoveIt and ComboFix

#4
tinat

tinat

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
THANKS for the quick reply. I made the change after running HJT again.

And after running HJT and making the "fix," here is the Old Timer MoveIt Log:

File/Folder C:\WINDOWS\system32\jkhfe.exe not found.

OTMoveIt2 v1.0.8 log created on 01182008_194327

And here is the COMBOFIX LOG:

> ComboFix 08-01-18.5 - jenny1 2008-01-18 19:56:30.1 - NTFSx86
> Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.726 [GMT
> -8:00]
> Running from: C:\Documents and Settings\jenny1\Desktop\ComboFix.exe
> * Created a new restore point
>
> WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE
> INSTALLED !!

> .
>
> ((((((((((((((((((((((((((((((((((((((( Other Deletions
> )))))))))))))))))))))))))))))))))))))))))))))))))
> .
>
> C:\Program Files\ISM
> C:\Program Files\ISM\ism.exe
> C:\Program Files\ISM\Uninstall.exe
> C:\Program Files\QdrDrive
> C:\Program Files\QdrDrive\qdrloader.exe
> C:\Program Files\QdrModule
> C:\WINDOWS\Downloaded Program Files\rave
> C:\WINDOWS\Downloaded Program Files\rave\avirexe.vdm
> C:\WINDOWS\Downloaded Program Files\rave\avirscr.vdm
> C:\WINDOWS\Downloaded Program Files\rave\base.vdm
> C:\WINDOWS\Downloaded Program Files\rave\daily.vdm
> C:\WINDOWS\Downloaded Program Files\rave\daily.vdt
> C:\WINDOWS\Downloaded Program Files\rave\filters.vdm
> C:\WINDOWS\Downloaded Program Files\rave\kernel.vdk
> C:\WINDOWS\Downloaded Program Files\rave\keyring.vdk
> C:\WINDOWS\Downloaded Program Files\rave\mapi_vdm.vdm
> C:\WINDOWS\Downloaded Program Files\rave\modules.vdk
> C:\WINDOWS\Downloaded Program Files\rave\rav8def.vdm
> C:\WINDOWS\Downloaded Program Files\rave\rufs.vdm
> C:\WINDOWS\Downloaded Program Files\rave\rufsplg.vdm
> C:\WINDOWS\Downloaded Program Files\rave\unarch.vdm
> C:\WINDOWS\Downloaded Program Files\rave\unmail.vdm
> C:\WINDOWS\Downloaded Program Files\rave\unpack.vdm
> C:\Documents and Settings\All Users\Application
> Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
> C:\Documents and Settings\All Users\Application
> Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
>
> .
> ((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19
> )))))))))))))))))))))))))))))))
> .
>
> 2008-01-18 19:55 . 2000-08-31 08:00 51,200 --a------
> C:\WINDOWS\NirCmd.exe
> 2008-01-16 15:22 . 2008-01-16 15:22 <DIR> d--------
> C:\WINDOWS\ERUNT
> 2008-01-14 15:06 . 2008-01-14 15:07 <DIR> d--------
> C:\Documents and Settings\jenny1\Application Data\PrevxCSI
> 2008-01-14 15:06 . 2008-01-14 15:06 <DIR> d--------
> C:\Documents and Settings\All Users\Application Data\Prevx
> 2008-01-14 12:41 . 2007-06-05 10:56 44,928 --a------
> C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
> 2008-01-14 11:27 . 2007-09-24 23:31 69,632 --a------
> C:\WINDOWS\SYSTEM32\javacpl.cpl
> 2008-01-14 00:25 . 2008-01-14 00:25 <DIR> d--------
> C:\Documents and Settings\steve\Application Data\SUPERAntiSpyware.com
> 2008-01-13 19:08 . 2008-01-13 19:08 <DIR> d--------
> C:\fsaua.data
> 2008-01-13 18:22 . 2008-01-14 15:15 <DIR> d--------
> C:\Program Files\SUPERAntiSpyware
> 2008-01-13 18:22 . 2008-01-13 18:22 <DIR> d--------
> C:\Documents and Settings\jenny1\Application Data\SUPERAntiSpyware.com
> 2008-01-13 18:22 . 2008-01-13 18:22 <DIR> d--------
> C:\Documents and Settings\All Users\Application
> Data\SUPERAntiSpyware.com
> 2008-01-13 18:21 . 2008-01-13 18:21 <DIR> d--------
> C:\Program Files\Common Files\Wise Installation Wizard
> 2008-01-13 17:52 . 2008-01-13 17:52 <DIR> d--------
> C:\Program Files\Trend Micro
> 2008-01-13 17:30 . 2008-01-13 21:57 <DIR> d--------
> C:\VundoFix Backups
> 2008-01-13 16:24 . 2008-01-13 18:47 7,121 --ahs----
> C:\WINDOWS\SYSTEM32\efhkj.ini
> 2008-01-13 16:24 . 2008-01-13 18:46 6,989 --ahs----
> C:\WINDOWS\SYSTEM32\efhkj.ini2
> 2008-01-10 22:45 . 2008-01-13 15:12 54,156 --ah-----
> C:\WINDOWS\QTFont.qfn
> 2008-01-10 22:45 . 2008-01-10 22:45 1,409 --a------
> C:\WINDOWS\QTFont.for
> 2007-12-21 21:54 . 2007-12-21 21:54 286,288 --a------
> C:\WINDOWS\SYSTEM32\000080.exe
>
> .
> (((((((((((((((((((((((((((((((((((((((( Find3M Report
> ))))))))))))))))))))))))))))))))))))))))))))))))))))
> .
> 2008-01-19 04:12 12,779,552 --sha-w
> C:\WINDOWS\system32\drivers\fidbox.dat
> 2008-01-19 04:09 150,764 --sha-w
> C:\WINDOWS\system32\drivers\fidbox.idx
> 2008-01-18 20:15 --------- d-----w C:\Documents and
> Settings\All Users\Application Data\Spybot - Search & Destroy
> 2008-01-17 00:29 --------- d-----w C:\Program
> Files\SpywareGuard
> 2008-01-17 00:28 --------- d-----w C:\Program
> Files\SpywareBlaster
> 2008-01-14 21:28 --------- d-----w C:\Program
> Files\QuickTime
> 2008-01-14 19:27 --------- d-----w C:\Program Files\Java
> 2008-01-14 14:46 --------- d-----w C:\Program
> Files\Lavasoft
> 2008-01-14 08:06 --------- d-----w C:\Program Files\iTunes
> 2008-01-14 07:58 --------- d-----w C:\Program
> Files\BearShare
> 2008-01-14 04:47 --------- d-----w C:\Program Files\Panda
> Security
> 2008-01-14 04:35 --------- d-----w C:\Program
> Files\Microsoft IntelliPoint
> 2007-12-04 14:56 93,264 ----a-w
> C:\WINDOWS\system32\drivers\aswmon.sys
> 2007-12-04 14:55 94,544 ----a-w
> C:\WINDOWS\system32\drivers\aswmon2.sys
> 2007-12-04 14:53 23,152 ----a-w
> C:\WINDOWS\system32\drivers\aswRdr.sys
> 2007-12-04 14:51 42,912 ----a-w
> C:\WINDOWS\system32\drivers\aswTdi.sys
> 2007-12-04 14:49 26,624 ----a-w
> C:\WINDOWS\system32\drivers\aavmker4.sys
> 2007-12-04 04:49 --------- d-----w C:\Program Files\Pure
> Networks
> 2007-12-04 04:48 --------- d-----w C:\Program Files\Common
> Files\Pure Networks Shared
> 2007-12-04 04:48 --------- d-----w C:\Documents and
> Settings\All Users\Application Data\Pure Networks
> 2007-09-25 03:20 5,871 ----a-w C:\Program Files\Common
> Files\temp.html
> 2006-05-31 16:14 108,056 ----a-w C:\Program Files\Common
> Files\secman.dll
> 2006-03-12 02:09 626,176 ----a-w C:\Program Files\Common
> Files\osmax.ocx
> 2005-12-14 19:35 73,728 ------w C:\Documents and
> Settings\jenny1\SetupNI.dll
> 2007-07-07 04:42 88 --sh--r
> C:\WINDOWS\SYSTEM32\DB99A36B28.sys
> 2007-07-07 04:42 2,516 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
> .
>
<pre>
> ----a-w			79,224 2008-01-14 02:48:58  C:\Program Files\Alwil
> Software\Avast4\ashDisp .exe
> ----a-w		 3,305,472 2008-01-14 02:49:20  C:\Program
> Files\BearShare\BearShare .exe
> ----a-w		   245,760 2008-01-14 02:56:03  C:\Program Files\Common
> Files\Dell\EUSW\Support .exe
> ----a-w		   451,896 2008-01-14 02:56:12  C:\Program Files\Common
> Files\Pure Networks Shared\Platform\nmctxth .exe
> ----a-w		   151,597 2008-01-14 02:56:01  C:\Program Files\Common
> Files\Real\Update_OB\realsched .exe
> ----a-w		   274,432 2008-01-14 02:56:06  C:\Program
> Files\iTunes\iTunesHelper .exe
> ----a-w			49,263 2008-01-14 02:56:06  C:\Program
> Files\Java\jre1.5.0_10\bin\jusched .exe
> ----a-w		   163,840 2008-01-14 02:56:04  C:\Program
> Files\Microsoft IntelliPoint\point32 .exe
> ----a-w		   451,896 2008-01-14 02:56:15  C:\Program Files\Pure
> Networks\Network Magic\nmapp .exe
> ----a-w		   282,624 2008-01-14 02:49:08  C:\Program
> Files\QuickTime\qttask .exe
> ----a-w		   114,741 2008-01-14 02:56:01 
> C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
> ----a-w		   196,608 2008-01-14 02:56:03 
> C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb04 .exe
> </pre>
>
>
> ((((((((((((((((((((((((((((((((((((( Reg Loading Points
> ))))))))))))))))))))))))))))))))))))))))))))))))))
> .
> .
> *Note* empty entries & legit default entries are not shown
> REGEDIT4
>
> [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
> "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
> "NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 33280
> C:\WINDOWS\SYSTEM32\rundll32.exe]
> "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880
> C:\WINDOWS\BCMSMMSG.exe]
> "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00
> 79224]
> "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
> [2007-09-06 16:14 919016]
> "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
> [2007-09-25 01:11 132496]
> "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-13
> 18:49 282624]
> "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
> [2007-09-06 16:14 919016]
> "BearShare"="C:\Program Files\BearShare\BearShare .exe" [2008-01-13
> 18:49 3305472]
> "nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe"
> [2007-10-29 22:04 451896]
>
> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
> Adobe Gamma Loader.lnk - C:\Program Files\Common
> Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-15 18:44:50]
> Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat
> 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
> Service Manager.lnk - C:\Program Files\Microsoft SQL
> Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]
>
> [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program
> Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
>
> [HKEY_LOCAL_MACHINE\software\microsoft\windows
> nt\currentversion\winlogon\notify\!SASWinLogon]
> C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912
> C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
>
> [HKEY_LOCAL_MACHINE\software\microsoft\shared
> tools\msconfig\startupreg\BearShare]
> C:\Program Files\BearShare\BearShare.exe
>
> [HKEY_LOCAL_MACHINE\software\microsoft\shared
> tools\msconfig\startupreg\QuickTime Task]
> C:\Program Files\QuickTime\qttask.exe
>
>
> .
> **************************************************************************
>
> catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by
> Gmer, http://www.gmer.net
> Rootkit scan 2008-01-18 20:12:07
> Windows 5.1.2600 Service Pack 2 NTFS
>
> scanning hidden processes ...
>
> scanning hidden autostart entries ...
>
> scanning hidden files ...
>
> scan completed successfully
> hidden files: 0
>
> **************************************************************************
> .
> Completion time: 2008-01-18 20:16:19 - machine was rebooted
> ComboFix-quarantined-files.txt 2008-01-19 04:16:15
>

And, here is the new HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:12 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL
Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://search.yahoo.com/search?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection -
{4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program
Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection -
{53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -
C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no
file)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE"
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask
.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare
.exe" /pause
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network
Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft
SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM
Toolbar\AIMBar.dll/aimsearch.htm
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1189012142609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1189012134078
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall....ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-sec...3beta/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {C6D25826-96AE-462F-A852-BB33B882B723} (SFImageUpload1_4.ImageUpload) - http://fredmeyer.sto...geUpload1_4.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...364/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8222 bytes
  • 0

#5
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi tinat, when you post the logs can you ensure that Notepad does not have word wrap selected?

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\fsaua.data
C:\WINDOWS\SYSTEM32\efhkj.ini
C:\WINDOWS\SYSTEM32\efhkj.ini2
C:\WINDOWS\SYSTEM32\000080.exe

Renv::
<pre>
> ----a-w 79,224 2008-01-14 02:48:58 C:\Program Files\Alwil Software\Avast4\ashDisp .exe
> ----a-w 3,305,472 2008-01-14 02:49:20 C:\Program Files\BearShare\BearShare .exe
> ----a-w 245,760 2008-01-14 02:56:03 C:\Program Files\Common Files\Dell\EUSW\Support .exe
> ----a-w 451,896 2008-01-14 02:56:12 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth .exe
> ----a-w 151,597 2008-01-14 02:56:01 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
> ----a-w 274,432 2008-01-14 02:56:06 C:\Program Files\iTunes\iTunesHelper .exe
> ----a-w 49,263 2008-01-14 02:56:06 C:\Program Files\Java\jre1.5.0_10\bin\jusched .exe
> ----a-w 163,840 2008-01-14 02:56:04 C:\Program Files\Microsoft IntelliPoint\point32 .exe
> ----a-w 451,896 2008-01-14 02:56:15 C:\Program Files\Pure Networks\Network Magic\nmapp .exe
> ----a-w 282,624 2008-01-14 02:49:08 C:\Program Files\QuickTime\qttask .exe
> ----a-w 114,741 2008-01-14 02:56:01 C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
> ----a-w 196,608 2008-01-14 02:56:03 C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb04 .exe
> </pre>



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#6
tinat

tinat

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
ESSEXBOY: Thank you, thank you, thank you for the time you have put into this.

Here are the other two logs, combofix and HJT that you requested....Hope I posted properly....


ComboFix 08-01-18.5 - jenny1 2008-01-19 13:23:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.775 [GMT -8:00]
Running from: C:\Documents and Settings\jenny1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jenny1\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\fsaua.data
C:\WINDOWS\SYSTEM32\000080.exe
C:\WINDOWS\SYSTEM32\efhkj.ini
C:\WINDOWS\SYSTEM32\efhkj.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\000080.exe
C:\WINDOWS\SYSTEM32\efhkj.ini
C:\WINDOWS\SYSTEM32\efhkj.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-18 19:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 15:22 . 2008-01-16 15:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-14 15:06 . 2008-01-14 15:07 <DIR> d-------- C:\Documents and Settings\jenny1\Application Data\PrevxCSI
2008-01-14 15:06 . 2008-01-14 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-14 12:41 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-01-14 11:27 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-01-14 00:25 . 2008-01-14 00:25 <DIR> d-------- C:\Documents and Settings\steve\Application Data\SUPERAntiSpyware.com
2008-01-13 19:08 . 2008-01-13 19:08 <DIR> d-------- C:\fsaua.data
2008-01-13 18:22 . 2008-01-14 15:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-13 18:22 . 2008-01-13 18:22 <DIR> d-------- C:\Documents and Settings\jenny1\Application Data\SUPERAntiSpyware.com
2008-01-13 18:22 . 2008-01-13 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 18:21 . 2008-01-13 18:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-13 17:52 . 2008-01-13 17:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 17:30 . 2008-01-13 21:57 <DIR> d-------- C:\VundoFix Backups
2008-01-10 22:45 . 2008-01-13 15:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-10 22:45 . 2008-01-10 22:45 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 21:28 12,937,248 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-19 21:26 152,636 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-19 21:23 --------- d-----w C:\Program Files\QuickTime
2008-01-19 21:23 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-01-19 21:23 --------- d-----w C:\Program Files\iTunes
2008-01-19 21:23 --------- d-----w C:\Program Files\BearShare
2008-01-18 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-17 00:29 --------- d-----w C:\Program Files\SpywareGuard
2008-01-17 00:28 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-14 19:27 --------- d-----w C:\Program Files\Java
2008-01-14 14:46 --------- d-----w C:\Program Files\Lavasoft
2008-01-14 04:47 --------- d-----w C:\Program Files\Panda Security
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 04:49 --------- d-----w C:\Program Files\Pure Networks
2007-12-04 04:48 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2007-12-04 04:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2007-09-25 03:20 5,871 ----a-w C:\Program Files\Common Files\temp.html
2006-05-31 16:14 108,056 ----a-w C:\Program Files\Common Files\secman.dll
2006-03-12 02:09 626,176 ----a-w C:\Program Files\Common Files\osmax.ocx
2005-12-14 19:35 73,728 ------w C:\Documents and Settings\jenny1\SetupNI.dll
2007-07-07 04:42 88 --sh--r C:\WINDOWS\SYSTEM32\DB99A36B28.sys
2007-07-07 04:42 2,516 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-18_20.15.53.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 03:55:43 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-19 21:23:30 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-19 03:55:43 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-19 21:23:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-19 03:55:43 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-19 21:23:31 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-19 03:55:43 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-19 21:23:31 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-19 03:55:44 6,512,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-19 21:23:31 6,512,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-19 03:55:44 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 21:23:31 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-14 02:56:01 114,741 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
+ 2008-01-14 02:56:03 196,608 ----a-w C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb04.exe
+ 2008-01-19 21:27:23 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_608.dat
+ 2008-01-19 21:27:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 33280 C:\WINDOWS\SYSTEM32\rundll32.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-13 18:48 79224]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]
"BearShare"="C:\Program Files\BearShare\BearShare .exe" [ ]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-01-13 18:56 451896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-15 18:44:50]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
--a------ 2008-01-13 18:49 3305472 C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-13 18:49 282624 C:\Program Files\QuickTime\qttask.exe


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 13:29:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 13:33:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 21:33:35
ComboFix2.txt 2008-01-19 04:16:20


HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:17 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare .exe" /pause
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1189012142609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1189012134078
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall....ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-sec...3beta/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {C6D25826-96AE-462F-A852-BB33B882B723} (SFImageUpload1_4.ImageUpload) - http://fredmeyer.sto...geUpload1_4.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...364/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8116 bytes
  • 0

#7
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That looks really good now, just the orphan registry entries to clear I think

Run Superantispyware
  • On the first page select Check for Updates
  • On completion select SCAN YOUR COMPUTER
  • On the next page select COMPLETE SCAN and tick ALL your drives
  • The next stage will take a while as your entire drive(s), memory and registry are scanned
  • When it has completed click NEXT
  • The next screen shows the problems found click OK
  • On the next screen place a tick against all items and select NEXT
  • Now to get the log Go to the PREFERENCES button on the right bottom
  • Select the STATISTICS/LOG tab
  • Highlight the scan just completed and click VIEW LOG
  • This will open a notepad text file copy and paste this to your next reply

Logs required : Just Superantispyware plus how is your computer running now ?
  • 0
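The two things Essexboy is chasing in posts #5 and #7 are visible in the logs themselves: binaries that had acquired a space before their extension ("qttask .exe", "BearShare .exe", renamed back by the Renv:: section of the CFScript) and the Run values, toolbar CLSID and similar entries that still point at something that no longer exists (the "orphan registry entries"). The script below is an added example, not part of this thread, of HijackThis or of ComboFix: it parses HijackThis-style lines and flags those patterns. The sample log inside it is constructed from lines posted in this thread; the rule names and function names are the example's own.

```python
"""Triage helper for HijackThis-style logs (added example; not part of this
thread, of HijackThis or of ComboFix).

It flags three things visible in the logs above:
  * O4 Run entries whose target has a space before the extension
    ("qttask .exe"), the pattern the Renv:: script renamed back;
  * O3 toolbar entries ending in "(no file)", i.e. orphaned CLSIDs;
  * O23 services with "Unknown owner", for manual verification only.
"""
import re
from typing import List, Tuple

# Constructed sample: lines modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare .exe" /pause
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O4 - <key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Whitespace directly before a short file extension, e.g. "qttask .exe".
SPACE_EXT_RE = re.compile(r"\s\.[A-Za-z0-9]{1,4}$")


def split_command(cmd: str) -> Tuple[str, str]:
    """Split an O4 command line into (target path, arguments).

    A quoted target may contain spaces and ends at the closing quote;
    an unquoted target ends at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    target, _, args = cmd.partition(" ")
    return target, args.strip()


def has_space_before_extension(path: str) -> bool:
    """True for paths such as 'C:\\...\\qttask .exe'."""
    return SPACE_EXT_RE.search(path) is not None


def findings(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every suspicious line in the log."""
    out: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            target, _args = split_command(m.group("cmd"))
            if has_space_before_extension(target):
                out.append(("space-before-extension", f"[{m.group('name')}] {target}"))
            continue
        if line.startswith("O3 - ") and line.endswith("(no file)"):
            out.append(("orphan-toolbar", line))
            continue
        # "Unknown owner" only means the binary carries no company name in
        # its version resource; it is a prompt to check the file, not a verdict.
        if line.startswith("O23 - Service:") and " - Unknown owner - " in line:
            out.append(("unknown-service-owner", line))
    return out


if __name__ == "__main__":
    for rule, detail in findings(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

Run against the sample it reports the two space-renamed Run targets, the nameless toolbar with no file behind it, and the one service without a publisher string. On a live machine the same rules can be applied to the real log; the "unknown-service-owner" hit is deliberately only a prompt to look the file up, since a missing company name is not by itself a sign of infection.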

#8
tinat

tinat

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Once again, many thanks for your help. All that SuperAntiSpyware seemed to find was BearShare, and I know that it can be a risk, but I would really prefer to keep it....What do you think?

Otherwise, everything seems fine....


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/19/2008 at 04:16 PM

Application Version : 3.9.1008

Core Rules Database Version : 3384
Trace Rules Database Version: 1378

Scan type : Complete Scan
Total Scan Time : 00:40:56

Memory items scanned : 401
Memory threats detected : 0
Registry items scanned : 5779
Registry threats detected : 0
File items scanned : 40276
File threats detected : 1

BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE
  • 0

#9
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
As long as you are aware of the risks and always scan downloads with your AV and Antispy before running.

Now the best part of the day ----- Your log now appears clean :)

You may now delete all the tools I had you download


Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
  • SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe :)
  • 0

#10
tinat

tinat

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I absolutely appreciate all the help!!

One question on Windows System Restore. I have tried to use it in the past and it has never worked. When I click on restore, it always pops up and says it is unable to do so. So, I switched it off a long time ago and have never bothered trying it again.

Is this common? Is there another way to do this so I would have some more confidence in the procedure?
  • 0

#11
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Use the attached registry file to restore system restore

Download the Zip file and Extract the reg file to your desktop
Double click the regfile and accept the warnings
Reboot then try system restore

[attachment=17950:sysrestoreenable.zip]
  • 0

#12
tinat

tinat

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
All seems fine now....I think you can call this another "Geeks to Go" success story and stamp RESOLVED! Thanks again, EssexBoy.
  • 0

#13
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





