WinPC Antivirus and uacinit.dll nagging issues

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Virus, Trojan, Spyware, and Malware Removal Logs

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

WinPC Antivirus and uacinit.dll nagging issues, cant get rid of this fargin icehole!

Options

dagrunster View Member Profile	May 30 2009, 11:57 AM Post #2
New Member Group: Members Posts: 8 Joined: 30-May 09 From: Florida Member No.: 337,239	Screen shot of the end result Attached File(s) MBAM.JPG ( 82.67k ) Number of downloads: 6

Net_Surfer View Member Profile	May 30 2009, 04:02 PM Post #3
Forum Addict Group: Banned Posts: 2,154 Joined: 27-April 08 From: Paradise Ca. USA. Member No.: 205,650	*Hello dagrunster, and to Bleeping Computer Forums, My Nick is Net_Surfer* I'll be glad to help you with your computer problems. I will be working on your Malware issues, this may or may not solve other issues you may have with your machine. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so I can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far. Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer. You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown Here. Please be patient and I'd be grateful if you would note the following: *The cleaning process is not instant. DDS and HijackThis logs can take some time to research*, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen. 1. Please reply using the AddReply button in the lower right hand corner of your screen. Do not start a new topic. 2. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post. 3. All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware. 4. Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one. *Ok.. dagrunster, please observe these rules while we work: Do not* attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear. *Please do not install any new programs or update anything unless told to do so while we are fixing your problem*. Please give me some time so I can I review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware. Thanks for waiting.. Kind regards Net_Surfer

dagrunster View Member Profile	May 30 2009, 04:28 PM Post #4
New Member Group: Members Posts: 8 Joined: 30-May 09 From: Florida Member No.: 337,239	Excellent, Thank You.

Net_Surfer View Member Profile	Jun 2 2009, 06:35 PM Post #5
Forum Addict Group: Banned Posts: 2,154 Joined: 27-April 08 From: Paradise Ca. USA. Member No.: 205,650	Hello dagrunster. Thanks for waiting and for taking my advise of not to try anything on your own!. *Ok.. dagrunster, please observe these rules while we work: Perform all actions in the order given. If you don't know or understand something, please don't hesitate* to say or ask!! It's better to be sure and safe than sorry. Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear. *Please do not install any new programs or update anything unless told to do so while we are fixing your problem. If you can do these things, everything should go smoothly. <-- P2P Warning -->* Going over your logs I noticed that you have: <--> uTorrent <--> installed. • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. - They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. - Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. - The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology. Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again. I would recommend that you uninstall: <--> uTorrent<-->, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs. If you wish to keep it, please do not use it until your computer is cleaned. Please follow these instructions carefully. If you can not download and run the following tools, then I would like for you to try another approach. If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine. Be sure you put them on the desktop of the infected computer. Step #1. Please download ComboFix by: sUBs from one of these locations: WARNING: This tool is not a toy and not for everyday use!!!. Link 1 Link 2 Link 3 Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your DESKTOP Please, never rename Combofix unless instructed. Close any open browsers. Very Important! Temporarily disable* your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.* Please insert all usb-drives before running Combofix WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- Double click on your desktop & follow the prompts.* If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, *agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.* Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. Leave your computer alone while ComboFix is running. Do not mouseclick combofix's window while it's running. That may cause it to stall ComboFix will restart your computer if malware is found; allow it to do so. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new DDS log for further review. Notes: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. If you need help, see this link: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *Please do not install any new programs or update anything unless told to do so while we are fixing your problem. ----------------------------------------------------------- A word of warning: If you are a lurker: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use. Combofix is a very complex and dangerous tool. It is not a one fit all tool and it is not automaticly removing what needs to be removed by itself. It is like a scalpell in the hands of a surgeon. A surgeon can remove exactly what is need and no more while an untrained person would either cut too much or not enough. Combofix is powerful enough to be able to render your computer unbootable if used wrongly or to leave your computer infected if you do not know what you are doing. ComboFix SHOULD NOT be used unless requested by a forum helper ----------------------------------------------------------- Step #2. Please re-scan with DDS and post the log. Summary of the logs I will need in your next reply: The ComboFix log. located at: "C:\ComboFix.txt" The DDS log. And a description of remaining problems in your next post. How is your Computer running now?.** Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware. Thanks.. Kind regards Net_Surfer

Net_Surfer View Member Profile	Jun 3 2009, 06:29 PM Post #7
Forum Addict Group: Banned Posts: 2,154 Joined: 27-April 08 From: Paradise Ca. USA. Member No.: 205,650	QUOTE After posting the logs, I tested the PC and it seemed a bit laggy. I was playing COD4. Not sure if it is malware again or if it was updating since being disconnected for days. I also noticed that Google Installer kept asking for access in ZoneAlarm. Maybe I am paranoid, but it seems a bit twitchy still. Should I disconnect the ethernet cable until we are done? I had to connect it for combofix to install the Recovery Console. Question: what about my external drives? do I need to worry about those or does the infection I have (had) concentrate itself on the C: drive? The only thing that wasnt connected when I ran combofix was my 500GB external. There is also a D: drive on the system that WAS connected. Hello dagrunster. Well done, glad to see that ComboFix clear up some of the malware, but We still have a bit of work to do. Nope, I do not need you to post the other file from DDS. You may have to give access to google updater. And about your other drive. Please connect it to your system before you run ComboFix AGAIN* WeatherBug Warning I recommend you to uninstall "WeatherBug Installer", as WeatherBug has been associated with minor malware. Please follow these instructions carefully. If you can not download and run the following tools, then I would like for you to try another approach. If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine. Be sure you put them on the desktop of the infected computer. Step #1. I see you are running Teatimer. I suggest you to disable it. Ok...Firstly, we need to disable SpyBot's Teatimer which can interfere with the fixes. TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running. In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy. If prompted with a legal dialog, accept the warning. Click and then on "Advanced Mode" You may be presented with a warning dialog. If so, press Click on Click on Uncheck this checkbox: Close/Exit Spybot Search and Destroy If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it. Step #2. We need to run an CFScript by using ComboFix again Please disable any running anti-virus or anti-malware programs. If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html Close any open browsers. Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!** o If it is not on your Desktop, the below will not work. Open Notepad* and copy/paste the text in the below code box into it (Do not include the word: "CODE"): CODE KILLALL:: Driver:: ecemfx adpgha fwnjmxi File:: c:\windows\system32\drivers\fwnjmxi.sys Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe At this point, you MUST EXIT ALL BROWSERS NOW before continuing! You should have both the ComboFix.exe and CFScript.txt icons on your Desktop. Now refering to the picture above, use your mouse to drag CFScript.text on top of ComboFix.exe This will start ComboFix again. Please follow the prompts. When finished, after reboot (in case it asks to reboot), it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. Note: Do not mouseclick combofix's window while it is running. That may cause it to stall. * CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows! Step #3. Your Java is out of date!!!. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop. Look for "Java Runtime Environment (JRE)" JRE 6 Update 14. Click the Download button to the right. Select your Platform: "Windows". Select your Language: "Multi-language". Read the License Agreement, and then check the box that says: "Accept License Agreement". Click Continue and the page will refresh. Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version. -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator. -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it. -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually. Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer. Step #4. Please download ATF Cleaner-3 by Atribune. (Good temp file cleaner that could do the job safely and without removing files that are crucial to windows). This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTES: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator". NOTE:It's normal after running ATF cleaner that the PC will be slower to boot the first time. Cleaning Prefetch may result in a few slow starts until the folder is repopulated: http://www.windowsnetworking.com/articles_...refetch-XP.html Step #5.* Kaspersky Online Scan Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer. Therefore, by using Kaspersky online scanner it is possible for us to find leftover or missed malware files on your computer and we can now further clean up your computer. Please, Go to Kaspersky website and perform an online antivirus scan. Note: Kaspersky doesn't fix anything it just reports what it founds. If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan. Click on the Accept button and install any components it needs. The program will install and then begin downloading the latest definition files. After the files have been downloaded on the left side of the page in the Scan section select My Computer This will start the program and scan your system. The scan will take a while, so be patient and let it run. Once the scan is complete, click on View scan report Now, click on the Save Report as button. Save the file to your desktop. Copy and paste that information in your next post. Note *To optimize scanning time and produce a more sensible report for review:* Close any open programs Turn off the real time scanner of any existing antivirus program while performing the online scan. Please re-scan with DDS and post the log. Summary of the logs I will need in your next reply: The ComboFix log. at C:\ComboFix.txt. The DDS log. The Kaspersky log. And any description of remaining problems in your next post. How is your Computer running now?. Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware. Thanks.. Kind regards Net_Surfer

Net_Surfer View Member Profile	Jun 5 2009, 06:17 PM Post #9
Forum Addict Group: Banned Posts: 2,154 Joined: 27-April 08 From: Paradise Ca. USA. Member No.: 205,650	Hi dagrunster, You got some bad mail !!! There is some bad active infected email files in your Thunderbird Mail program. And there are some bad files in the system restore and other ones already quarantine by Combofix Tool at C:\Qoobox\Quarantine. those will be gone when we flush system restore and create a new one with the combofix uninstall switch later on. So for now do not do any thing about those. Now let's take care of the ones that still active in your system. This is what kaspersky found: C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 7 C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.re 2 C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.ra 2 C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.ri 2 C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.rz 1 C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 6 C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 2 C:\Documents and Settings\Tammy\Application Data\Thunderbird\Profiles\8y2hdk28.default\Mail\pop3.knology.net\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 1 C:\Documents and Settings\Tammy\Application Data\Thunderbird\Profiles\8y2hdk28.default\Mail\pop3.knology.net\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1 yk0x8k8n.default and 8y2hdk28.default NOTICE: that they are 2 different profiles, (Two diferent users account) So you will need to empty the trash box and junk box from both profiles. To do this do the following: Step #1. Go to your Thunderbird Mail Program and delete any bad mail that it looks suspicious in your inbox. Then.. delete all email in your junk box and trash box. Then.... Empty your deleted email box. yk0x8k8n.default and 8y2hdk28.default are 2 different profiles, PLEASE also do the same for all profiles. empty the junk folder and trash on this profile as well. Step #2. And about this one from your kaspersky log: F:\Pedro stuff\Wireless Security\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1 Use Windows Explorer to find and Delete the following File: (IF PRESENT) Go to your F:\ drive and delete: F:\Pedro stuff\Wireless Security\ca_setup.exe <--- This File As an example: To delete C:\WINDOWS\badfile.dll Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E. Double click on Local Disc (C:\) Double click on the Windows folder, Right click on badfile.dll and then from the menu that appears, click on Delete Reboot when done. Step #3. ESET Online Scan Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer. Therefore, by using ESET online scanner it is possible for us to find leftover or missed malware files on your computer and we can now further clean up your computer. ESET Online Scan Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer. Therefore, by using ESET online scanner it is possible for us to find leftover or missed malware files on your computer and we can now further clean up your computer. I'd like us to scan your machine with ESET OnlineScan just to be sure that nothing got left behind. Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan Click the button. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) Click on to download the ESET Smart Installer. Save it to your desktop. Double click on the icon on your desktop. Check Click the button. Accept any security warnings from your browser. Check Push the Start button. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. When the scan completes, push Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. Push the button. Push Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.) Credit: Billy Oneal for the canned instructions. You can refer to this animation by: neomage Note *To optimize scanning time and produce a more sensible report for review:* Close any open programs Turn off the real time scanner of any existing antivirus program while performing the online scan. Step #4. Your Microsoft Windows installation is out of date!. Using unpatched Windows systems on the Internet are a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update. For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information". Then go here to check for & install updates to Microsoft applications. Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install. Please reboot and repeat the update process until there are no more updates to install. Please re-scan with DDS and post the log. Summary of the logs I will need in your next reply: The ESET Online scan report. The DDS log. And any description of remaining problems in your next post. How is your Computer running now?. Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware. Thanks.. Kind regards Net_Surfer This post has been edited by Net_Surfer: Jun 6 2009, 05:34 AM

dagrunster View Member Profile	Jun 6 2009, 02:29 PM Post #10
New Member Group: Members Posts: 8 Joined: 30-May 09 From: Florida Member No.: 337,239	Hi again, Here are the logs you requested: ESET LOG ----------- C:\Documents and Settings\Joey\My Documents\Programs\zlsSetup_70_462_000_en.exe a variant of Win32/AdInstaller application deleted - quarantined C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgvqvqemxuiajkia.dll.vir a variant of Win32/Kryptik.PS trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjpyputabtxevhop.dll.vir Win32/Olmarik.IC trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmchutyqjbdfcekx.dll.vir Win32/Olmarik.IA trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\UACuulusipvebdmsxw.dll.vir Win32/Olmarik.IC trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvakdnkfgotacnky.dll.vir Win32/Olmarik.HZ trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvxoascnutmtnftu.dll.vir Win32/Olmarik.HY trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACkpurwlwjqsjkfnu.sys.vir Win32/Olmarik.ID trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACmuwqpucfqxexnkf.sys.vir Win32/Olmarik.ID trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000001.sys Win32/Olmarik.ID trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000002.sys Win32/Olmarik.ID trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000003.dll Win32/Olmarik.IC trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000004.dll Win32/Olmarik.HY trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000005.dll Win32/Olmarik.HZ trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000006.dll a variant of Win32/Kryptik.PS trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000007.dll Win32/Olmarik.IA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000056.dll Win32/Olmarik.IC trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP4\A0000770.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP4\A0000771.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined ============================================== DDS3 DDS (Ver_09-05-14.01) - NTFSx86 Run by Joey at 15:15:27.84 on Sat 06/06/2009 Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1428 [GMT -4:00] AV: AVG Anti-Virus Free On-access scanning enabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: ZoneAlarm Firewall enabled {829BDA32-94B3-44F4-8446-F8FCFF809F8B} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup C:\WINDOWS\system32\Ati2evxx.exe svchost.exe svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Creative\Shared Files\CTAudSvc.exe svchost.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\CTHELPER.EXE C:\Program Files\Creative\Volume Panel\VolPanlu.exe C:\WINDOWS\system32\CTXFIHLP.EXE C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\PROGRA~1\Creative\MEDIAS~1\MtdAcqu.exe C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\MagicDisc\MagicDisc.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Documents and Settings\Joey\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/http://www.yahoo.com uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/http://www.yahoo.com/search/ie.html mStart Page = hxxp://www.yahoo.com uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/http://www.yahoo.com BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File uRun: [MtdAcqu] "c:\progra~1\creative\medias~1\MtdAcqu.exe" /s uRun: [Creative MediaSource Go] "c:\program files\creative\mediasource5\go\CTCMSGoU.exe" /SCB uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe" mRun: [CTHelper] CTHELPER.EXE mRun: [UpdReg] c:\windows\UpdReg.EXE mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe" mRun: [VolPanel] "c:\program files\creative\volume panel\VolPanlu.exe" /r mRun: [CTxfiHlp] CTXFIHLP.EXE mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe" mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe StartupFolder: c:\docume~1\joey\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe StartupFolder: c:\docume~1\joey\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! widget engine\YahooWidgetEngine.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: avgrsstarter - avgrsstx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\joey\applic~1\mozilla\firefox\profiles\vzayxgni.default\ FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll ============= SERVICES / DRIVERS =============== R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-17 325896] R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-10-31 27784] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-17 108552] R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968] R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944] R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-10-31 353672] R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 908568] R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 298776] R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?] R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032] R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056] R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728] S2 gupdate1c9898942ef6a62;Google Update Service (gupdate1c9898942ef6a62);c:\program files\google\update\GoogleUpdate.exe [2009-2-7 133104] S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [2001-8-17 20160] S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2008-12-25 79360] S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032] S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056] S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728] S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-5-29 30136] S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408] S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;\??\c:\program files\ufasoft\sniffer\usft_sn4.sys --> c:\program files\ufasoft\sniffer\usft_sn4.sys [?] =============== Created Last 30 ================ 2009-06-06 12:04 <DIR> --d----- c:\program files\Messenger 2009-06-06 12:04 1,306,624 -c------ c:\windows\system32\dllcache\msxml6.dll 2009-06-06 12:04 79,872 -c------ c:\windows\system32\dllcache\msxml6r.dll 2009-06-06 12:04 102,912 -c------ c:\windows\system32\dllcache\dpcdll.dll 2009-06-06 12:03 3,990 -------- c:\windows\system32\wbem\napclientschema.mof 2009-06-06 12:03 638 -------- c:\windows\system32\wbem\napclientprov.mof 2009-06-06 12:03 46,592 -------- c:\windows\system32\drivers\irbus.sys 2009-06-06 12:03 9,728 -------- c:\windows\system32\comsdupd.exe 2009-06-06 12:03 10,752 -------- c:\windows\system32\smtpapi.dll 2009-06-06 12:03 9,728 -------- c:\windows\system32\rwnh.dll 2009-06-06 11:55 <DIR> --d----- c:\windows\ServicePackFiles 2009-06-06 11:50 19,569 a------- c:\windows\003150_.tmp 2009-06-05 21:31 <DIR> --d----- c:\program files\ESET 2009-06-04 11:29 410,984 a------- c:\windows\system32\deploytk.dll 2009-06-04 11:29 73,728 a------- c:\windows\system32\javacpl.cpl 2009-06-04 11:00 <DIR> --ds---- C:\ComboFix 2009-06-03 09:32 <DIR> a-dshr-- C:\cmdcons 2009-06-02 23:16 161,792 a------- c:\windows\SWREG.exe 2009-06-02 23:16 154,624 a------- c:\windows\PEV.exe 2009-06-02 23:16 98,816 a------- c:\windows\sed.exe 2009-05-29 22:52 <DIR> --d----- c:\program files\Trend Micro 2009-05-29 20:23 30,136 a------- c:\windows\system32\drivers\rspSanity32.sys 2009-05-29 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com 2009-05-29 10:42 <DIR> --d----- c:\program files\SUPERAntiSpyware 2009-05-28 14:37 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-05-28 14:37 19,096 a------- c:\windows\system32\drivers\mbam.sys 2009-05-28 14:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-05-28 14:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-05-28 10:59 <DIR> --d----- c:\program files\MSSOAP 2009-05-28 10:58 164 a------- c:\windows\install.dat 2009-05-28 10:40 102,664 a------- c:\windows\system32\drivers\tmcomm.sys 2009-05-21 18:51 41,808 a------- c:\windows\system32\xfcodec.dll 2009-05-17 21:13 69 a------- c:\windows\NeroDigital.ini 2009-05-17 21:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero ==================== Find3M ==================== 2009-06-06 15:02 4,212 a---h--- c:\windows\system32\zllictbl.dat 2009-06-06 12:06 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat 2009-06-05 21:00 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys 2009-06-05 21:00 189,072 a------- c:\windows\system32\PnkBstrB.exe 2009-05-07 17:31 325,896 a------- c:\windows\system32\drivers\avgldx86.sys 2009-05-07 17:31 11,952 a------- c:\windows\system32\avgrsstx.dll 2009-05-07 17:31 108,552 a------- c:\windows\system32\drivers\avgtdix.sys 2009-01-10 17:23 22,328 a------- c:\docume~1\joey\applic~1\PnkBstrK.sys 2009-01-10 17:21 107,832 a------- c:\docume~1\joey\applic~1\PnkBstrB.exe 2009-01-01 21:56 47,360 a------- c:\docume~1\joey\applic~1\pcouffin.sys 2008-10-25 10:52 30 a------- c:\documents and settings\joey\jagex_runescape_preferences.dat 2008-05-12 21:26 62,080 a------- c:\docume~1\joey\applic~1\GDIPFONTCACHEV1.DAT ============= FINISH: 15:16:10.23 =============== I did all the steps in the order you asked. The PC seems to be quite a bit zippy now. I am no longer getting the error messages on startup I was getting before. I was curious about something though. In the pic I uploaded there is a window near the top I can't get rid of or resize. When I hover the mouse near the red arrow in the pic, the circled text shows up. I am assuming that this is Google trying to get me to install Chrome browser, and that NoScript is doing it's job. Do you know how I can remove this frame from my browser? Thanks yet again, DaGrunster Attached File(s)* watsdat.JPG ( 42.34k ) Number of downloads: 6

Net_Surfer View Member Profile	Jun 6 2009, 04:50 PM Post #11
Forum Addict Group: Banned Posts: 2,154 Joined: 27-April 08 From: Paradise Ca. USA. Member No.: 205,650	QUOTE I did all the steps in the order you asked. The PC seems to be quite a bit zippy now. I am no longer getting the error messages on startup I was getting before. I was curious about something though. In the pic I uploaded there is a window near the top I can't get rid of or resize. When I hover the mouse near the red arrow in the pic, the circled text shows up. I am assuming that this is Google trying to get me to install Chrome browser, and that NoScript is doing it's job. Do you know how I can remove this frame from my browser? Thanks yet again, DaGrunster Please See if you can post the full browser window then I will be able to tell more if I could see a bigger picture. Your Welcome, Glad that I can help. Hi DaGgrunster, Good Job, we got all the baddies. Your logs are clean except for a few files that we need to take care of it. Step #1. You have an Orphan Toolbar entry that we can fix with HijackThis: TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File Open HijackThis. Click on Do a system scan only. Close your browser and all open windows including this one, the only program or window you should have open is HijackThis, and please check the following entry: O3 - Toolbar: TB - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File* Ensure you have closed all windows except HijackThis and click Fix Checked. Exit Hijackthis program. Step #2. ESET online scan report: we need to clean up all those quarantine baddies, so please follow my instructions to help do that: For the ones that already are quarantine that ESET found, just delete the anything related to ESET. And all of those files will be gone from your computer. The other ones are in the quarantine folder of ComboFix Tool, and they should be gone also when we use the uninstall switch of Combofix at the end. To get rid of the ones in system restore please do the following: Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. The easiest and safest way to do this is: Go to Start > Programs > Accessories > System Tools and click "System Restore". Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go to Start > Run and type: Cleanmgr Click "Ok". Disk Cleanup will scan your files for several minutes, then open. Click the "More Options" tab, then click the "Clean up" button under System Restore. Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?" Click Yes, then click Ok. Click Yes again when prompted with "Are you sure you want to perform these actions?" Disk Cleanup will remove the files and close automatically. Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup. Step #3. Follow these steps to uninstall Combofix and tools used in the removal of malware Delete ComboFix and Clean Up Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of the next step.. Please visit HERE* if you don't know how...Please re-enable them back after performing all steps given. Click Start > Run and type combofix /u click OK (Note the "space" between combofix and /u) <--- It needs to be there. Please advise if this step is missed for any reason as it performs some important actions: "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again. It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore". Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools. *If you don't plan to use Kaspersky again, then uninstall it through Add/Remove Programs.* You may delete DDS and any logs that any of the tools produced. Please delete DDS.exe and the DDS folder (C:\DDS). I recommend keeping ATF, and use Malwarebyte's Anti-Malware to scan your computer regularly. If you have done all of the above, Your Computer should be Clean of Malware. CONGRATULATIONS. Ok,, DaGrunster, I'm not skilled at mincing words but I believe that by now you already figure it out how you got infected. {using P2p (file sharing programs)Maybe ?} So, especially for you I will use my long version of my "All Clean Canned Speech". The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.: Please take the time to read below to secure your machine and take the necessary steps to keep it Clean, some of the following you may already have, So. just disregard them. Make sure that you keep your anti-virus updated New viruses come out every minute, so it is essential that you have the latest signatures for your anti-virus program to provide you with the best possible protection from malicious software. Note: You should only have one anti-virus installed at a time. Having more than one anti-virus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC. Install and use a firewall with outbound protection The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet. Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC. Security Updates for Windows, Internet Explorer & Microsoft Office Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis. Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install. Update Non-Microsoft Programs Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month. Make Internet Explorer More Secure You are using Internet Explorer, Therefore please read and follow the recommendations at this SITE Recommended Programs To help protect your computer in the future I would recommend the download and installation of some or all of the following free programs (if not already present), and the updating of them on a regular basis:. WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE. McAfee Site Advisor --free version. To give you an indication of which sites may contain bad links or suspect downloads. It loads an icon to the taskbar of your browser (versions for IE and Firefox), As you browse, a small button on your browser toolbar changes color based on SiteAdvisor's safety results indicating the trustworthiness of the site you are on. Green for safe and Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site. It also gives the same colour indications in the results page when you do a Google search, making it easier to decide which sites are safe to visit. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. Safety ratings from McAfee SiteAdvisor appear next to search results. Works with Google, Yahoo!, Live Search, AOL or ASK. This is a utility that can be downloaded and installed it from: HERE ATF Cleaner Good temp file cleaner that could do the job safely and without removing files that are crucial to windows. Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. This is a utility that can be downloaded and installed it from: HERE ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. SpywareBlaster SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE. Malwarebytes' Anti-Malware or SuperAntiSpyware These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE. You can download SuperAntiSpyware from HERE. Hosts File - Hosts file is one such file that can be used to replace the Hosts file on your computer and help you to avoid accidentally visiting known nasty web sites. For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE. Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns. If this isn't done first, the next reboot may take a VERY LONG TIME. This is how to do it. First be sure you are signed in as a user with administrative privileges: QUOTE Stop and Disable the DNS Client Service Go to Start, Run and type Services.msc and click OK. Under the Extended Tab, Scroll down and find this service. DNS Client Right-Click on the DNS Client Service. Choose Properties Select the General tab. Click on the Stop button. Click the Arrow-down tab on the right-hand side at the Start-up Type box. From the drop-down menu, click on Manual Click the Apply tab, then click OK Prevention: The Hosts file can be made read only and monitored for changes, or attempted changes. Programs such as >WinPatrol< do this very well. Cure: If your Hosts file becomes infected, it can be reset by installing >HostsXpert<. Extract (unzip) HostsXpert.zip to a a permanent folder on your hard drive such as C:\HostsXpert Double-click HostsXpert.exe to run the program. Click "*Make Hosts Writable?" in the upper right corner (If available). Click "Restore Microsoft's Hosts file" and then click "OK". Click the X to exit the program. Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.* Use an alternative Internet Browser Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox Opera ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask. Backup regularly. You never know when your PC will become unstable or get infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups. Alternatively, you can use 3rd-party programs to back up your data. It can be found at Bleeping Computer. To stay secure is to stay updated. Calendar of Updates. Practice Safe Internet One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely: If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book. If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software. Visit Microsoft's Windows Update Site Frequently Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference! The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware. To find out more information about how you got infected in the first place? and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this one by Miekiemoes. Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date. That's it, happy surfing! Cheers, Net_Surfer *If ComboFix tool helped you, please kindly consider a donation to it's author: Stay clean and be safe* I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck! *I'd be grateful if you could reply to this post so that I know you have read it and if you've no other questions, the thread can be closed.*

dagrunster View Member Profile	Jun 9 2009, 10:49 AM Post #12
New Member Group: Members Posts: 8 Joined: 30-May 09 From: Florida Member No.: 337,239	HI NetSurfer, Regarding Step #1, I could not find that entry, even on different logins for the PC. Weird? All the other steps were done successfully. Now that I am clear of infestation, is my PC safe to use for banking and paying bills? I plan to go to another hard drive within a week, which is my current D: drive. I will then copy everything over tho the new one and wipe and reformat the current one. I want to thank you again for all of your help! I sincerely hope that the staff here is appreciated, I know I sure do! I will take your advice to heart, and will be making a few security changes on my PC because of it. At least I learned something out of all of this mess! lol Thanks again and keep up the good work!

Net_Surfer View Member Profile	Jun 9 2009, 08:26 PM Post #13
Forum Addict Group: Banned Posts: 2,154 Joined: 27-April 08 From: Paradise Ca. USA. Member No.: 205,650	Hi DaG runster. Good job following all those steps. I am positive that you will be fine to do any type of activity on this computer. Just be careful and use common sense and you will be fine. I had a good Coach doing this fix with me his name is Kahdah, he ensures that all my posts are well advise before I post them here for you. So, he takes part of the credit also. Psss.... I never got another pic of the full browser window, if you will attach a bigger picture I will be able to tell more from it. I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck! If that's it ??? happy surfing! Cheers, Net_Surfer *I'd be grateful if you could reply to this post so that I know you have read it and if you've no other questions, the thread can be closed.*

dagrunster View Member Profile	Jun 10 2009, 12:50 PM Post #14
New Member Group: Members Posts: 8 Joined: 30-May 09 From: Florida Member No.: 337,239	got that browser issue handled. It was one of the toolbars I didnt need, so I ditched it. Thanks again to you and Kahdah!! This post has been edited by dagrunster: Jun 10 2009, 12:51 PM

kahdah View Member Profile	Jun 10 2009, 05:57 PM Post #15
Forum Addict Group: Malware Response Instructor Posts: 8,160 Joined: 27-October 06 From: Florida Member No.: 92,376	You are welcome Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread. Everyone else please begin a New Topic. -------------------- Please do not pm for help, post it in the forums instead. If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications. If I have helped you then please consider donating to continue the fight against malware

« Next Oldest · Virus, Trojan, Spyware, and Malware Removal Logs · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 29th July 2010 - 09:41 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides